performing-endpoint-forensics-investigation

Featured

Performs digital forensics investigation on compromised endpoints including memory acquisition, disk imaging, artifact analysis, and timeline reconstruction. Use when investigating security incidents, collecting evidence for legal proceedings, or analyzing endpoint compromise scope. Activates for requests involving endpoint forensics, memory analysis, disk forensics, or incident investigation.

Category: API & Backend | 12,642 stars | 1,468 forks | Updated today | License: Apache-2.0


Quality Score: 99/100

| Criterion | Weight | Score |
|---|---|---|
| Stars | 20% | 100 |
| Recency | 20% | 100 |
| Frontmatter | 20% | 70 |
| Documentation | 15% | 100 |
| Issue Health | 10% | 50 |
| License | 10% | 100 |
| Description | 5% | 100 |

Skill Content

# Performing Endpoint Forensics Investigation

## When to Use

Use this skill when:

- Investigating a confirmed or suspected endpoint compromise requiring forensic analysis
- Collecting volatile and non-volatile evidence for incident response or legal proceedings
- Analyzing memory dumps for malware, injected code, or credential theft artifacts
- Reconstructing attacker timelines from endpoint artifacts (prefetch, shimcache, amcache)

**Do not use** this skill for live threat hunting (use EDR/SIEM) or network forensics.

## Prerequisites

- Forensic workstation with analysis tools (Volatility 3, KAPE, Autopsy, Eric Zimmerman tools)
- Write-blocker for disk imaging (hardware or software)
- Secure evidence storage with chain-of-custody documentation
- Memory acquisition tool (WinPMEM, FTK Imager, Magnet RAM Capture)
- Administrative access to the target endpoint (or physical access)

## Workflow

### Step 1: Evidence Preservation (Order of Volatility)

Collect evidence from most volatile to least volatile:

```
1. System memory (RAM) - Most volatile
2. Network connections and routing tables
3. Running processes and open files
4. Disk contents (file system)
5. Removable media
6. Logs and backup data - Least volatile
```

**Memory Acquisition**:

```powershell
# WinPMEM (Windows)
winpmem_mini_x64.exe memdump.raw

# FTK Imager - Create memory capture via GUI
# File → Capture Memory → Destination path → Capture Memory

# Linux (LiME kernel module)
sudo insmod lime.ko "path=/evidence/...
```

Details

- Author: mukul975
- Repository: mukul975/Anthropic-Cybersecurity-Skills
- Created: 3 months ago
- Last Updated: today
- Language: Python
- License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

performing-disk-forensics-investigation (AI & Automation, Featured)

Conducts disk forensics investigations using forensic imaging, file system analysis, artifact recovery, and timeline reconstruction to support incident response cases. Utilizes tools such as FTK Imager, Autopsy, and The Sleuth Kit for evidence acquisition, deleted file recovery, and artifact examination. Activates for requests involving disk forensics, hard drive analysis, forensic imaging, file recovery, evidence acquisition, or digital forensic investigation.

12,642 stars, updated today, by mukul975

conducting-memory-forensics-with-volatility (AI & Automation, Featured)

Performs memory forensics analysis using Volatility 3 to extract evidence of malware execution, process injection, network connections, and credential theft from RAM dumps captured during incident response. Covers memory acquisition, process analysis, DLL inspection, and malware detection. Activates for requests involving memory forensics, RAM analysis, Volatility framework, memory dump investigation, volatile evidence analysis, or live memory acquisition.

12,642 stars, updated today, by mukul975

memory-forensics (Data & Documents, Listed)

Master memory forensics techniques including memory acquisition, process analysis, and artifact extraction using Volatility and related tools. Use when analyzing memory dumps, investigating incidents, or performing malware analysis from RAM captures.

335 stars, updated today, by aiskillstore

forensics-assist (AI & Automation, Listed)

Digital-forensics assistant for IR context — memory analysis via Volatility 3, disk-imaging hygiene (write-blocker, hash validation), timeline reconstruction via plaso/log2timeline, file-system artifacts per OS. Audit-grade evidence; courtroom-grade chain of custody requires additional specialized forensics work.

4 stars, updated 1 week ago, by roodlicht

memory-forensics (AI & Automation, Featured)

Comprehensive techniques for acquiring, analyzing, and extracting artifacts from memory dumps for incident response and malware analysis.

39,227 stars, updated today, by sickn33