ronwellman/AutomatedProfiler
AutomatedProfiler

AutomatedProfiler parses the registry hives of a mounted image using RegRipper, RECmd, and various PowerShell cmdlets. The script writes its output to a text file called 'profiler.txt' containing information about the imaged system: system info, networking settings, firewall details, user data, and autorun, service, and MRU keys. The returned data will not give you everything you need to do forensics on the image, but it presents much of the data you would otherwise find yourself looking for by hand.

Usage

In order for this script to work, it needs to be in the same directory as the supporting directories (RegRipper, RECmd, and plugins) that are included in this repository. The image also needs to be mounted and reachable as a drive letter through FTK Imager.

  1. Mount an image using FTK Imager.
  2. Take note of the drive letter assigned to the mounted image.
  3. Download this repository.
  4. Unzip the contents of the zip.
  5. Verify that a folder called 'AutomatedProfiler-master' is what was unzipped.
  6. In PowerShell, navigate to the AutomatedProfiler-master directory and type '.\profiler.ps1'.
  7. When prompted, input the drive letter assigned to the image.
  8. Analyze the profiler.txt file once the script completes.

# Prompt issued at step 7; the answer is used as the root of the mounted image
$drive_letter = read-host "Input drive letter of the attached drive with Registry hives (example - e:)"
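The PowerShell-cmdlet part of the workflow above, as an added example that is not profiler.ps1 and not part of this repository: it validates the drive letter the prompt asks for, checks that the SYSTEM and SOFTWARE hives exist under that letter, loads them offline with reg.exe, pulls a few of the profiler-style facts (system info, interface addressing, firewall state, the machine Run key), and writes them to profiler.txt. It assumes an elevated session (reg load requires it), an image already mounted by FTK Imager on the given letter, and the temporary key names AP_SYSTEM and AP_SOFTWARE, which are chosen here. RegRipper and RECmd are not invoked; the example covers only what the built-in registry provider can read.

```powershell
# Added example (not profiler.ps1): read profiler-style facts from an image mounted
# on a drive letter by loading its SYSTEM and SOFTWARE hives offline with reg.exe.
# Needs an elevated PowerShell session; AP_SYSTEM / AP_SOFTWARE are arbitrary
# temporary key names chosen for this example.
function Get-OfflineSystemProfile {
    param(
        [Parameter(Mandatory)] [string] $DriveLetter,   # e.g. "e:" as the script prompts for
        [string] $OutFile = 'profiler.txt'
    )

    # Accept "e", "e:" or "E:\" and normalize to "E:"; refuse anything else before building paths
    if ($DriveLetter -notmatch '^([A-Za-z]):?\\?$') { throw "Not a drive letter: '$DriveLetter'" }
    $root = "$($Matches[1].ToUpper()):"

    $hives = @{
        AP_SYSTEM   = "$root\Windows\System32\config\SYSTEM"
        AP_SOFTWARE = "$root\Windows\System32\config\SOFTWARE"
    }
    foreach ($path in $hives.Values) {
        if (-not (Test-Path -LiteralPath $path)) { throw "Hive not found: $path (is the image mounted on $root ?)" }
    }

    $lines  = New-Object 'System.Collections.Generic.List[string]'
    $loaded = @()
    try {
        foreach ($entry in $hives.GetEnumerator()) {
            & reg.exe load "HKLM\$($entry.Key)" $entry.Value | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "reg load failed for $($entry.Value) (run elevated?)" }
            $loaded += $entry.Key
        }

        # SYSTEM: the ControlSet that was current at last boot decides where the live config lives
        $current = (Get-ItemProperty 'HKLM:\AP_SYSTEM\Select').Current
        $cs = 'HKLM:\AP_SYSTEM\ControlSet{0:D3}' -f $current
        $lines.Add('== System ==')
        $lines.Add('ComputerName : ' + (Get-ItemProperty "$cs\Control\ComputerName\ComputerName").ComputerName)
        $lines.Add('TimeZone     : ' + (Get-ItemProperty "$cs\Control\TimeZoneInformation").TimeZoneKeyName)

        # SOFTWARE: OS version and install date (InstallDate is seconds since the Unix epoch, UTC)
        $nt = Get-ItemProperty 'HKLM:\AP_SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        $lines.Add("OS           : $($nt.ProductName) build $($nt.CurrentBuild)")
        $lines.Add('InstallDate  : ' + [DateTimeOffset]::FromUnixTimeSeconds($nt.InstallDate).UtcDateTime.ToString('u'))

        # Networking: per-interface addressing, DHCP-assigned or static
        $lines.Add('== Network interfaces ==')
        Get-ChildItem "$cs\Services\Tcpip\Parameters\Interfaces" | ForEach-Object {
            $p  = Get-ItemProperty $_.PSPath
            $ip = if ($p.DhcpIPAddress) { "$($p.DhcpIPAddress) (DHCP from $($p.DhcpServer))" }
                  elseif ($p.IPAddress) { "$($p.IPAddress -join ',') (static)" }
                  else                  { 'none' }
            $lines.Add("$($_.PSChildName) : $ip")
        }

        # Firewall: EnableFirewall per profile (1 = on, 0 = off, absent = not configured)
        $lines.Add('== Firewall ==')
        foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
            $key = "$cs\Services\SharedAccess\Parameters\FirewallPolicy\$profile"
            $v   = (Get-ItemProperty $key -ErrorAction SilentlyContinue).EnableFirewall
            $state = if ($null -eq $v) { 'not set' } elseif ($v -eq 1) { 'enabled' } else { 'DISABLED' }
            $lines.Add("$profile : $state")
        }

        # Autoruns: machine-wide Run key, one line per value (PS* are provider metadata, not values)
        $lines.Add('== HKLM Run ==')
        $run = Get-ItemProperty 'HKLM:\AP_SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
        if ($run) {
            $run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { $lines.Add("$($_.Name) = $($_.Value)") }
        }
    }
    finally {
        # Drop provider handles first, then detach the hives so the image can be unmounted cleanly
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        foreach ($k in $loaded) { & reg.exe unload "HKLM\$k" | Out-Null }
    }

    $lines | Set-Content -LiteralPath $OutFile -Encoding UTF8
    return $OutFile
}

# Same prompt as the original script, then write the report into the current directory
$drive = Read-Host 'Input drive letter of the attached drive with Registry hives (example - e:)'
Get-OfflineSystemProfile -DriveLetter $drive
```

Loading hives under HKLM from an image is read-write by default, so run this only against a mounted image or a working copy of the hives, never the hives of the live analysis workstation; the try/finally guarantees the unload runs even if a key is missing in an unusual build.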


Output

Example output from this script is in the '__example_output.txt' file within this repo.

About

Automated forensics written in PowerShell