- Original path:
profiles/composite/forensic-investigation.toml
# Digital Forensics Investigation Profile
#
# Composite profile inspired by KAPE's comprehensive forensic collection. It
# pulls in the base forensic artifact profiles and layers a handful of
# investigation-specific name patterns and signatures on top of them.

# Profiles included by this one. The "High Priority Forensic Findings"
# signature at the bottom refers to pattern names that are not defined in this
# file, so it depends on these includes being resolved.
includes = [
    "../base/forensics.toml",
    "../base/system-artifacts.toml",
    "../base/browser-artifacts.toml",
    "../base/malware.toml",
    "../base/network.toml",
]

# Investigation-specific name patterns. Regexes are written as literal strings
# so backslashes need no doubling; every pattern below is flagged
# case-insensitive.

# Names that look like acquired evidence and carry a disk/image extension.
# NOTE(review): the extension group is not end-anchored with "$", unlike
# "Forensic Image" below — confirm whether names such as "evidence.raw.txt"
# are meant to match as well.
[[patterns]]
name = "Evidence File"
pattern = '(?:evidence|seized|exhibit).*\.(e01|raw|dd|aff)'
case-insensitive = true
type = "regex"

# Forensic / virtual-disk image extensions at the very end of the name.
[[patterns]]
name = "Forensic Image"
pattern = '\.(?:e01|ex01|s01|vmdk|vhd|vhdx)$'
case-insensitive = true
type = "regex"

# Timeline artifacts ("l2t" presumably stands for log2timeline — verify).
# "supertimeline" is subsumed by the "timeline" alternative; it is kept so the
# pattern string is unchanged.
[[patterns]]
name = "Timeline File"
pattern = '(?:timeline|supertimeline|l2t)'
case-insensitive = true
type = "regex"

# Case identifiers of the form case_<digits> or investigation_<digits>.
[[patterns]]
name = "Case File"
pattern = '(?:case|investigation)_\d+'
case-insensitive = true
type = "regex"

# Chain-of-custody and evidence-log documents. Each ".?" tolerates at most one
# arbitrary separator character (space, underscore, hyphen, ...) between words.
[[patterns]]
name = "Chain of Custody"
pattern = '(?:chain.?of.?custody|evidence.?log)'
case-insensitive = true
type = "regex"

# Signatures are SQL queries over the pattern_matches table (columns used here:
# sha256, pattern_name). They are static strings; nothing is interpolated into
# them at runtime.

# Every file that hit one of the evidence/image/timeline patterns above.
[[signatures]]
name = "Forensic Evidence Files"
query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name IN ('Evidence File', 'Forensic Image', 'Timeline File')"

# Files matched by more than five distinct patterns, busiest first.
# NOTE(review): using the alias "total_artifacts" inside HAVING is accepted by
# SQLite and MySQL but is not portable SQL — confirm the backend in use.
[[signatures]]
name = "Comprehensive Forensic Artifacts"
query = "SELECT sha256, COUNT(DISTINCT pattern_name) as total_artifacts FROM pattern_matches GROUP BY sha256 HAVING total_artifacts > 5 ORDER BY total_artifacts DESC"

# High-value artifact types. None of these pattern names is defined in this
# file; presumably they come from the included base profiles — verify each one
# exists there, since a misspelled name silently matches nothing.
[[signatures]]
name = "High Priority Forensic Findings"
query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name IN ('Memory Dump File', 'Registry Hive', 'Browser History', 'Event Log', 'Bash History')"