Example: qcow-forensic

Inputs
Profile
Report outputs
- Triage report (converted from triage_report.json)
- CSV outputs

Inputs

examples/inputs/qcow-forensic-samples/README.md
examples/inputs/qcow-forensic-samples/sample.qcow2

Profile

# QCOW Forensic Image Example Profile
# Demonstrates analysis of QCOW (QEMU Copy On Write) forensic disk images

decode = ["base64"]

max-file-size = 104857600  # 100 MiB

tag = "qcow-forensic"

# Patterns to match in QCOW images and extracted partitions
[[patterns]]
  name = "QCOW Signature"
  pattern = "51:46:49:FB"  # "QFI\xfb" at header (QCOW/QCOW2/QCOW3)
  type = "bytes"

[[patterns]]
  name = "AWS Access Key"
  pattern = "AKIA[0-9A-Z]{16}"
  type = "regex"

[[patterns]]
  name = "AWS Secret Key"
  pattern = "(?i)aws.{0,20}secret.{0,20}['\"][0-9a-zA-Z/+=]{40}['\"]"
  type = "regex"

[[patterns]]
  name = "SSH Private Key"
  pattern = "-----BEGIN.*PRIVATE KEY-----"
  type = "regex"

[[patterns]]
  name = "Password in Config"
  pattern = "password\\s*=\\s*['\"]?[^'\"\\s]+"
  type = "regex"

[[patterns]]
  name = "Database Connection String"
  pattern = "jdbc:[a-zA-Z0-9]+://[^\\s]+password=[^\\s&;]+"
  type = "regex"

[[patterns]]
  name = "MBR Boot Signature"
  pattern = "55:AA"
  type = "bytes"

[[patterns]]
  name = "GPT Signature"
  pattern = "45:46:49:20:50:41:52:54"  # "EFI PART"
  type = "bytes"

[[patterns]]
  name = "NTFS Signature"
  pattern = "4E:54:46:53"  # "NTFS"
  type = "bytes"

[[patterns]]
  name = "Email Address"
  pattern = "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}"
  type = "regex"

Report outputs

Triage report (converted from triage_report.json)

total_files	3
critical_count	0
high_count	0
medium_count	0
low_count	0
minimal_count	3
must_investigate_count	0
all_scores	None
generated_at	2026-02-01T01:44:30.568861735+00:00

top_scores

file_type	must_investigate	path	pattern_count_score	pattern_matches	pattern_severity_score	reasons	risk_level	score	sha256
Other	False	/sample.qcow2	5	2	3	["2 suspicious patterns detected"]	Minimal	8	6461736b27529f047823e7c100131897542d5ae2d4fbe4af1c073c2b4e9c7c1f
Other	False	/README.md	0	0	0	[]	Minimal	0	a8e3ac3e3bbbe8fc934e70ef9046b33c6975c8a572dace67a4604a48bbd1b1e6
Other	False	/sample.qcow2/sample.qcow2:qcow:metadata	0	0	0	[]	Minimal	0	b47571aa892b329fca6fc99a24df380103ff97a2a22ff57659ff4999e080a82a

CSV outputs

errors.csv

Empty CSV

files.csv

path	file_name	sha256	file_created	file_modified	file_accessed	mime_types_from_file_extension	is_extracted_file
/README.md	README.md	a8e3ac3e3bbbe8fc934e70ef9046b33c6975c8a572dace67a4604a48bbd1b1e6	2026-02-01T01:26:44.645674012Z	2026-02-01T01:26:44.645674012Z	2026-02-01T01:27:13.235271167Z	["application/x-genesis-rom"]	0
/sample.qcow2/sample.qcow2:qcow:metadata	sample.qcow2:qcow:metadata	b47571aa892b329fca6fc99a24df380103ff97a2a22ff57659ff4999e080a82a				[]	1
/sample.qcow2	sample.qcow2	6461736b27529f047823e7c100131897542d5ae2d4fbe4af1c073c2b4e9c7c1f	2026-02-01T01:26:44.645674012Z	2026-02-01T01:26:44.672673717Z	2026-02-01T01:27:13.235271167Z	["application/x-qemu-disk"]	0

pattern_matches.csv

id	sha256	pattern_name	match_type	match	location	length
1	6461736b27529f047823e7c100131897542d5ae2d4fbe4af1c073c2b4e9c7c1f	QCOW Signature	bytes	QFI�	0	4
2	6461736b27529f047823e7c100131897542d5ae2d4fbe4af1c073c2b4e9c7c1f	Email Address	regex	test@example.com	2:7	16

signature_matches.csv

Empty CSV

unique_files.csv

sha256	sha1	md5	file_size	mime_type_for_content	shannon_entropy
a8e3ac3e3bbbe8fc934e70ef9046b33c6975c8a572dace67a4604a48bbd1b1e6	aae56b1ceca472f663040d350c14913c163206f5	59243f291f4d2c6b4526a5d87f099575	3095	text/plain	5.05082053829356
b47571aa892b329fca6fc99a24df380103ff97a2a22ff57659ff4999e080a82a	b057cb3910d3b078984eff6d85a05691c70f46f6	516cd80888f7e98f3d529e3ee6c0302e	881	text/plain	5.03263993157254
6461736b27529f047823e7c100131897542d5ae2d4fbe4af1c073c2b4e9c7c1f	40d7e4ec2cc7fab69057f0067cb38e6751a8bd67	0c6e0572f9642cecdfbbe4c87255b9c1	1048576	application/x-qemu-disk	0.0030719323240831

Keyboard shortcuts

sus - Systematic Universal Scanner - Documentation