Example: vdi-forensic

Inputs
Profile
Report outputs
- Triage report (converted from triage_report.json)
- CSV outputs

Inputs

examples/inputs/vdi-forensic-samples/README.md
examples/inputs/vdi-forensic-samples/sample.vdi

Profile

# VDI Forensic Image Example Profile
# Demonstrates analysis of VDI (VirtualBox Disk Image) forensic disk images

decode = ["base64"]

max-file-size = 104857600  # 100 MiB

tag = "vdi-forensic"

# Patterns to match in VDI images and extracted partitions
[[patterns]]
  name = "VDI Signature"
  pattern = "3C:3C:3C:20:4F:72:61:63:6C:65:20:56:4D:20:56:69:72:74:75:61:6C:42:6F:78:20:44:69:73:6B:20:49:6D:61:67:65:20:3E:3E:3E"  # "<<< Oracle VM VirtualBox Disk Image >>>"
  type = "bytes"

[[patterns]]
  name = "AWS Access Key"
  pattern = "AKIA[0-9A-Z]{16}"
  type = "regex"

[[patterns]]
  name = "SSH Private Key"
  pattern = "-----BEGIN.*PRIVATE KEY-----"
  type = "regex"

[[patterns]]
  name = "Password in Config"
  pattern = "password\\s*=\\s*['\"]?[^'\"\\s]+"
  type = "regex"

[[patterns]]
  name = "MBR Boot Signature"
  pattern = "55:AA"
  type = "bytes"

[[patterns]]
  name = "GPT Signature"
  pattern = "45:46:49:20:50:41:52:54"  # "EFI PART"
  type = "bytes"

[[patterns]]
  name = "NTFS Signature"
  pattern = "4E:54:46:53"  # "NTFS"
  type = "bytes"

[[patterns]]
  name = "Email Address"
  pattern = "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}"
  type = "regex"

Report outputs

Triage report (converted from triage_report.json)

total_files	3
critical_count	0
high_count	0
medium_count	0
low_count	0
minimal_count	3
must_investigate_count	0
all_scores	None
generated_at	2026-01-31T11:16:24.674386602+00:00

top_scores

file_type	must_investigate	path	pattern_count_score	pattern_matches	pattern_severity_score	reasons	risk_level	score	sha256
Other	False	/sample.vdi	5	3	5	["3 suspicious patterns detected"]	Minimal	10	2425928183833b701db53330df74b8ecabaccca0bb9387b5912c9b063b4330da
Other	False	/README.md	0	0	0	[]	Minimal	0	8ba3251c88e8b3af88fa07dd0f3d971d3fc77a482c749df9f2a918463505b17f
Other	False	/sample.vdi/sample.vdi:vdi:metadata	0	0	0	[]	Minimal	0	4019f36e944abb83e210a1bde7c7acbf83939cb0ecc6e5cf2e63b505ff299053

CSV outputs

errors.csv

Empty CSV

files.csv

path	file_name	sha256	file_created	file_modified	file_accessed	mime_types_from_file_extension	is_extracted_file
/README.md	README.md	8ba3251c88e8b3af88fa07dd0f3d971d3fc77a482c749df9f2a918463505b17f	2026-01-31T10:59:09.277752156Z	2026-01-31T10:59:09.277752156Z	2026-01-31T11:14:23.615342869Z	["application/x-genesis-rom"]	0
/sample.vdi/sample.vdi:vdi:metadata	sample.vdi:vdi:metadata	4019f36e944abb83e210a1bde7c7acbf83939cb0ecc6e5cf2e63b505ff299053				[]	1
/sample.vdi	sample.vdi	2425928183833b701db53330df74b8ecabaccca0bb9387b5912c9b063b4330da	2026-01-31T10:59:09.277752156Z	2026-01-31T10:59:09.277752156Z	2026-01-31T11:14:23.618342852Z	["application/x-virtualbox-vdi"]	0

pattern_matches.csv

id	sha256	pattern_name	match_type	match	location	length
1	2425928183833b701db53330df74b8ecabaccca0bb9387b5912c9b063b4330da	VDI Signature	bytes	<<< Oracle VM VirtualBox Disk Image >>>	0	39
2	2425928183833b701db53330df74b8ecabaccca0bb9387b5912c9b063b4330da	Password in Config	regex	password=secret123	2:1146	530
3	2425928183833b701db53330df74b8ecabaccca0bb9387b5912c9b063b4330da	Email Address	regex	test@example.com	2:874	16

signature_matches.csv

Empty CSV

unique_files.csv

sha256	sha1	md5	file_size	mime_type_for_content	shannon_entropy
8ba3251c88e8b3af88fa07dd0f3d971d3fc77a482c749df9f2a918463505b17f	5c79232bb4f3a5aa1f65c89953bfe4e4b33018db	7ce5d9f6b16afaf816d24d15ebaebe61	2485	text/plain	4.95595005475133
4019f36e944abb83e210a1bde7c7acbf83939cb0ecc6e5cf2e63b505ff299053	2d6e5017ba9c53f7ebc169fce1e24816731a10e5	bb758e05fa810418c2897fefd338692c	780	text/plain	4.9247329246529
2425928183833b701db53330df74b8ecabaccca0bb9387b5912c9b063b4330da	cae18f1431599956ccb716d4de542977cfece2a3	1b25066a83041414ba7197fc9687277f	1714	application/x-virtualbox-vdi	0.617522089298005

Keyboard shortcuts

sus - Systematic Universal Scanner - Documentation