dfir

Digital forensics and incident response - Windows event log analysis, PCAP forensics, filesystem artifact analysis, AD attack detection, and timeline correlation. Use when investigating security incidents, analyzing Sherlocks, or performing threat hunting on provided evidence files.
26zl/cybersec-toolkit · ★ 6 · AI & Automation · score 73
Install: claude install-skill 26zl/cybersec-toolkit
# DFIR

Investigate security incidents by analyzing event logs, network captures, and filesystem artifacts. Detect and reconstruct AD attack chains.

## Techniques

| Domain | Key Capabilities |
|--------|-----------------|
| **Windows Event Logs** | EVTX parsing, Event ID correlation, logon tracking, privilege enumeration |
| **Network Forensics** | PCAP analysis, NTLM extraction, LLMNR/NBT-NS poisoning detection, relay identification |
| **Filesystem Forensics** | MFT parsing, Prefetch analysis, VSS artifact recovery, Linux persistence, timeline reconstruction |
| **AD Attack Detection** | Kerberoasting, AS-REP roasting, NTDS dump, NTLM relay, credential theft |
| **Memory Forensics** | Volatility3 analysis: process trees, file extraction, SID resolution, command lines |
| **Hash Analysis** | NTLMv2 hash construction from pcap, offline cracking validation |

## Workflow

1. **Inventory evidence** — List all artifacts (EVTX, pcap, MFT, prefetch, registry)
2. **Parse structured data** — EVTX with `python-evtx`, pcap with `tshark`, MFT with `analyzeMFT`
3. **Identify attack indicators** — Key Event IDs, suspicious traffic patterns, anomalous files
4. **Correlate across sources** — Match timestamps, IPs, LogonIDs, and process IDs across artifacts
5. **Reconstruct timeline** — Build chronological attack chain with UTC timestamps
6. **Answer investigative questions** — Map findings to specific incident response queries

## Tools

```bash
pip install python-evtx windowsprefetch an
```
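The correlate-and-reconstruct steps of the workflow (steps 4 and 5), as an added example that is not part of the skill's own code: constructed EVTX-derived and pcap-derived records are normalized to UTC, joined on source IP within a time window, and emitted as one ordered timeline. The field names, the sample timestamps and IPs, and the Kerberoasting indicator (Event ID 4769 with RC4 ticket encryption 0x17 for a non-krbtgt SPN) are assumptions for illustration.

```python
from datetime import datetime, timezone, timedelta

# Constructed sample records (not real evidence). EVTX rows mimic fields you
# would pull out of python-evtx XML; pcap rows mimic `tshark -T fields` output.
EVTX_EVENTS = [
    {"time": "2024-03-04T10:15:02Z", "event_id": 4624, "logon_type": 3,
     "user": "j.doe", "src_ip": "10.0.0.55", "logon_id": "0x3E7A1"},
    {"time": "2024-03-04T10:15:40Z", "event_id": 4769, "user": "j.doe",
     "src_ip": "10.0.0.55", "service": "MSSQLSvc/db01", "enc_type": "0x17"},
    {"time": "2024-03-04T10:16:10Z", "event_id": 4769, "user": "j.doe",
     "src_ip": "10.0.0.55", "service": "krbtgt", "enc_type": "0x12"},
]
PCAP_FLOWS = [
    {"time": "2024-03-04T10:15:38Z", "src_ip": "10.0.0.55",
     "dst_ip": "10.0.0.10", "dst_port": 88, "proto": "kerberos"},
    {"time": "2024-03-04T10:20:00Z", "src_ip": "10.0.0.99",
     "dst_ip": "10.0.0.10", "dst_port": 445, "proto": "smb"},
]

def to_utc(ts):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)

def is_kerberoast_indicator(ev):
    """4769 with RC4 (0x17) for a non-krbtgt SPN: classic Kerberoasting indicator.
    Field names are an assumption of this example."""
    return (ev["event_id"] == 4769 and ev.get("enc_type") == "0x17"
            and ev.get("service") != "krbtgt")

def build_timeline(events, flows, window=timedelta(seconds=5)):
    """Merge both sources into one UTC-ordered timeline. Each EVTX row carries
    the number of network flows from the same source IP within `window`."""
    rows = []
    for ev in events:
        t = to_utc(ev["time"])
        corr = [f for f in flows
                if f["src_ip"] == ev["src_ip"] and abs(to_utc(f["time"]) - t) <= window]
        tag = "KERBEROAST?" if is_kerberoast_indicator(ev) else ""
        rows.append((t, "evtx", ev["event_id"], ev["src_ip"], tag, len(corr)))
    for f in flows:
        rows.append((to_utc(f["time"]), "pcap", f["proto"], f["src_ip"], "", 0))
    return sorted(rows, key=lambda r: r[0])

if __name__ == "__main__":
    for r in build_timeline(EVTX_EVENTS, PCAP_FLOWS):
        print(r[0].isoformat(), *r[1:])
```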