-
Notifications
You must be signed in to change notification settings - Fork 0
Case Profiles
Eduardo Aguiar edited this page Jan 6, 2026
·
4 revisions
Case Profiles in Mobius Forensic Toolkit allow you to customize evidence processing by controlling two key aspects:
-
Processing Scope
-
users: Only scan user folders and their subfolders (faster, focused on typical user activity). -
all: Scan all folders on the evidence source (deeper, more thorough).
-
-
Enabled Application Parsers
Only the extensions listed in the profile will be executed during processing.
Profiles are stored as simple INI-style files in the data/profiles/ directory of the installation. When processing evidence, you select the desired profile from a dropdown in the processing dialog.
- General: General-purpose profile for everyday investigations.
- CSAM: Child Sexual Abuse Material investigations (standard depth).
- User Files: Standard user activity focus (browsers and communication).
- User Files (Full Analysis): Comprehensive user activity analysis including P2P clients.
- Peer-to-peer (P2P): Focused on peer-to-peer file-sharing activity.
- Deep Forensics: Thorough forensic examination of all supported application types.
- CSAM (Deep Analysis): Child Sexual Abuse Material investigations (maximum depth).
- Use user-scoped profiles (
scope=users) for faster processing when evidence is expected in standard user directories. - Use full-scoped profiles (
scope=all) when hidden, system, or non-standard locations must be examined (e.g., CSAM deep analysis, malware, data concealment).
You can easily create your own profiles:
- Copy an existing
.profilefile fromdata/profiles/to a new name. - Edit with any text editor.
- Modify the
[general]section for name/description. - Set
scope=tousersorall. - List desired extensions (one per line) under
[processors].
Custom profiles placed in the data/profiles/ directory will automatically appear in the profile selection dropdown.
For more advanced customization or new parsers, see Developing-Extensions.