sysprofiler - Windows disk image profiling
Sysprofiler is a Bash script that combines existing tools with manual processing to extract profiling artifacts from Windows disk images and write them to either a tab-separated (TSV) file, which can be opened as a spreadsheet, or a plaintext (TXT) file that can be opened in word-processing software and edited directly into a report. Every tool sysprofiler calls, used the way the script uses it, runs natively on Linux, so sysprofiler runs on a Linux system or under WSL on Windows and is not locked to one platform.
Many existing tools are used by this script, including:
- TSK (www.sleuthkit.org)
- RegRipper (https://github.com/keydet89/RegRipper2.8)
- Parse::Win32Registry (http://search.cpan.org/~jmacfarla/Parse-Win32Registry-1.0/lib/Parse/Win32Registry.pm)
- pwdump (https://github.com/moyix/creddump)
- pylnker (https://github.com/HarmJ0y/pylnker)
Some of the current modules are:
osinfo – extracts OS information:
- Volume Name
- Volume Serial Number
- Filesystem
- Size(bytes)
- Windows Version
- Service Pack
- Owner
- Organisation
- Install Date
- Hostname
- Timezone
- Timezone Offset
users – lists user accounts on the system:
- Username
- SID
- Full Name
- Comment
- Account Created
- Last Login
- Login Count
- Password Set
- Password Last Reset
- Last Incorrect Password Entry
- Password Hint
- Flags
- Groups
apps – lists apps installed on the system for all users (from Installer and Uninstall Registry keys):
- Registry Key
- User SID
- Application
- Version
- Company
- Install Date
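Most of the per-account fields the users module lists above (Last Login, Login Count, Password Last Reset, Last Incorrect Password Entry, Flags) live in the binary F value under each account's key in the SAM hive, the kind of data RegRipper recovers for sysprofiler. The following Python is an added example, not sysprofiler's or RegRipper's own code: it decodes an F value directly using the documented offsets for SAM\Domains\Account\Users\<RID>, then renders the record in the two output shapes the script produces, TSV and TXT. The 80-byte sample value is constructed inside the script, not carved from a real image.

```python
"""Decode a SAM account 'F' value into the fields the users module lists.

Added example, not sysprofiler's or RegRipper's code. Offsets follow the
documented layout of F under SAM\\Domains\\Account\\Users\\<RID>; the
sample blob below is constructed, not carved from a real image.
"""
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks since 1601-01-01; this is that epoch as a datetime.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Seconds between 1601-01-01 and 1970-01-01, used only to build sample timestamps.
EPOCH_DIFF_SECONDS = 11644473600

# Account Control Bits, a little-endian uint16 at offset 56 of the F value.
ACB_FLAGS = {
    0x0001: "Disabled",
    0x0002: "Home directory required",
    0x0004: "Password not required",
    0x0008: "Temporary duplicate account",
    0x0010: "Normal user account",
    0x0020: "MNS logon account",
    0x0040: "Interdomain trust account",
    0x0080: "Workstation trust account",
    0x0100: "Server trust account",
    0x0200: "Password does not expire",
    0x0400: "Account auto-locked",
}


def filetime_to_iso(ft: int) -> str:
    """Render a 64-bit FILETIME as UTC text; 0 and the max sentinel mean 'never'."""
    if ft == 0 or ft >= 0x7FFFFFFFFFFFFFFF:
        return "Never"
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).strftime(
        "%Y-%m-%d %H:%M:%S UTC")


def unix_to_filetime(unix_seconds: int) -> int:
    """Inverse conversion, needed only to construct the sample F value."""
    return (unix_seconds + EPOCH_DIFF_SECONDS) * 10_000_000


def parse_sam_f(f_value: bytes) -> dict:
    """Extract timestamps, RID, flags and counters from one account's F value.

    Account Created is not stored in F; forensic tools report the user key's
    last-write time for it, so it is outside this parser's scope.
    """
    if len(f_value) < 68:
        raise ValueError("F value too short: %d bytes" % len(f_value))
    (last_login,) = struct.unpack_from("<Q", f_value, 8)
    (pwd_last_set,) = struct.unpack_from("<Q", f_value, 24)
    (last_bad_pwd,) = struct.unpack_from("<Q", f_value, 40)
    (rid,) = struct.unpack_from("<I", f_value, 48)
    (acb,) = struct.unpack_from("<H", f_value, 56)
    failed_count, login_count = struct.unpack_from("<HH", f_value, 64)
    flags = [name for bit, name in ACB_FLAGS.items() if acb & bit]
    return {
        "RID": rid,
        "Last Login": filetime_to_iso(last_login),
        "Login Count": login_count,
        "Password Last Reset": filetime_to_iso(pwd_last_set),
        "Last Incorrect Password Entry": filetime_to_iso(last_bad_pwd),
        "Failed Login Count": failed_count,
        "Flags": ", ".join(flags) if flags else "None",
    }


def build_sample_f(last_login, pwd_last_set, last_bad_pwd, rid, acb,
                   failed_count, login_count) -> bytes:
    """Construct an 80-byte F value with the given fields (test data only)."""
    f = bytearray(80)
    struct.pack_into("<Q", f, 8, last_login)
    struct.pack_into("<Q", f, 24, pwd_last_set)
    struct.pack_into("<Q", f, 32, 0x7FFFFFFFFFFFFFFF)  # account never expires
    struct.pack_into("<Q", f, 40, last_bad_pwd)
    struct.pack_into("<I", f, 48, rid)
    struct.pack_into("<H", f, 56, acb)
    struct.pack_into("<HH", f, 64, failed_count, login_count)
    return bytes(f)


def to_tsv(rows: list) -> str:
    """TSV output: header from the first record, one account per line. Tabs and
    newlines inside values are flattened so a hostile Comment or Full Name
    cannot break row structure when the file is opened as a spreadsheet."""
    if not rows:
        return ""
    cols = list(rows[0])
    clean = lambda v: str(v).replace("\t", " ").replace("\n", " ")
    lines = ["\t".join(cols)]
    lines += ["\t".join(clean(row[c]) for c in cols) for row in rows]
    return "\n".join(lines) + "\n"


def to_txt(rows: list) -> str:
    """Plaintext output: 'Field: value' lines per account, blank line between."""
    blocks = ["\n".join("%s: %s" % (k, v) for k, v in row.items()) for row in rows]
    return "\n\n".join(blocks) + "\n"


# Constructed sample: a normal, non-expiring local account (RID 1001) that last
# logged in 2021-03-15 12:00 UTC, set its password 2021-01-01, no failed logons.
SAMPLE_F = build_sample_f(
    last_login=unix_to_filetime(1615809600), pwd_last_set=unix_to_filetime(1609459200),
    last_bad_pwd=0, rid=1001, acb=0x0210, failed_count=0, login_count=42)

if __name__ == "__main__":
    record = parse_sam_f(SAMPLE_F)
    print(to_tsv([record]) + to_txt([record]))
```

Run it as a script to see the same record in both shapes. On a real image the F value would come from the SAM hive pulled out with TSK (icat) and read with a hive library such as Parse::Win32Registry; the Username, Full Name, Comment and Password Hint live in the neighbouring V value, which this example does not parse.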
You can read more and download the tool at https://github.com/khyrenz/