performing-log-analysis-for-forensic-investigation


Collect, parse, and correlate system, application, and security logs to reconstruct events and establish timelines during forensic investigations.

Category: AI & Automation | 12,642 stars | 1,468 forks | Updated today | License: Apache-2.0


Quality Score: 99/100

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Performing Log Analysis for Forensic Investigation

## When to Use

- When reconstructing the timeline of a security incident from available log sources
- During post-breach investigation to identify initial access, lateral movement, and exfiltration
- When correlating events across multiple systems and log sources
- For establishing evidence of unauthorized access or policy violations
- When preparing forensic reports requiring detailed event chronology

## Prerequisites

- Access to collected log files (Windows Event Logs, syslog, application logs)
- Log parsing tools (LogParser, jq, awk, or the ELK stack)
- Understanding of log formats (EVTX, syslog, JSON, CSV)
- NTP-synchronized timestamps across all log sources for correlation; for any source that was not synchronized, record its offset from a reference clock and its time zone at collection time so the timestamps can be corrected before correlation
- Sufficient storage for log aggregation and indexing
- Timeline analysis tools (log2timeline/Plaso)

## Workflow

### Step 1: Collect and Preserve Log Sources

```bash
# Create case log directory structure
mkdir -p /cases/case-2024-001/logs/{windows,linux,network,application,web}

# Extract Windows Event Logs from the read-only mounted forensic image,
# preserving the files' timestamps and attributes (-p)
cp -p /mnt/evidence/Windows/System32/winevt/Logs/*.evtx /cases/case-2024-001/logs/windows/

# Key Windows Event Logs to collect
# Security.evtx - Authentication, access control, policy changes
# System.evtx - Service starts/stops, driver loads, system errors
# Application.evtx - Application errors and events
# Microsoft-Windows-PowerShell%4Operational.evtx - PowerShell execution
# Microsoft-Windows-Sysmon%4Operational.evtx - Sys...
```
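The parse-normalize-correlate loop that this skill describes (and that the prerequisites on NTP synchronization and mixed log formats exist for), as an added example in Python. It is not code from the skill or from the mukul975 repository. It takes three constructed log sources (syslog without a year, a CSV export of a Windows Security log in local time, and JSON lines from a proxy in epoch milliseconds), converts every record to UTC, applies a per-host clock offset measured against the NTP reference at collection time, records a SHA-256 manifest of the collected files as the step-1 preservation check, and then correlates the SSH brute-force entry on one host with what followed on the others. The host names, IPs, the UTC-5 zone for DC01, and the 60-second skew are all assumptions made for the example.

```python
"""Added example: parse syslog, Windows CSV and JSON-lines records into one UTC
timeline, correct measured clock skew, and correlate an intrusion chain."""
import csv
import hashlib
import io
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample logs (not from any real case): three sources, three formats, three timestamp conventions.
SYSLOG = """\
Mar 14 02:03:11 web01 sshd[4121]: Failed password for root from 203.0.113.7 port 51522 ssh2
Mar 14 02:03:14 web01 sshd[4121]: Failed password for root from 203.0.113.7 port 51522 ssh2
Mar 14 02:03:19 web01 sshd[4130]: Accepted password for root from 203.0.113.7 port 51540 ssh2
"""
# CSV export of Security.evtx; TimeCreated is DC01's local time (UTC-5 assumed)
WINCSV = """\
TimeCreated,EventID,Computer,Message
2024-03-13 21:02:30,4624,DC01,An account was successfully logged on. Logon Type: 3 Account: svc_backup Source: 10.0.0.5
2024-03-13 21:03:10,7045,DC01,A service was installed in the system. Service Name: WinUpdateSvc
"""
# JSON lines from a web proxy; "ts" is epoch milliseconds (already UTC)
PROXYJSON = """\
{"ts": 1710381900000, "src": "10.0.0.5", "dst": "198.51.100.20", "method": "PUT", "bytes_out": 52428800}
"""

CASE_YEAR = 2024  # syslog omits the year; taken from the case scope
SOURCE_TZ = {"web01": timezone.utc, "DC01": timezone(timedelta(hours=-5))}
# Seconds to ADD per host, measured against the NTP reference at collection time
# (hypothetical: DC01's clock was found 60 s slow; web01 was in sync).
CLOCK_SKEW = {"web01": 0, "DC01": 60}
SYSLOG_RE = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")

def hash_manifest(files):
    """Preservation check: SHA-256 of every collected file, recorded before any parsing."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def normalize(host, dt, skew=CLOCK_SKEW):
    """Attach the source time zone to naive timestamps, convert to UTC, apply measured skew."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=SOURCE_TZ[host])
    return dt.astimezone(timezone.utc) + timedelta(seconds=skew.get(host, 0))

def parse_syslog(text, skew=CLOCK_SKEW):
    events = []
    for m in filter(None, map(SYSLOG_RE.match, text.splitlines())):
        local = datetime.strptime(f"{CASE_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": normalize(m["host"], local, skew), "host": m["host"],
                       "source": "syslog", "msg": m["msg"]})
    return events

def parse_wincsv(text, skew=CLOCK_SKEW):
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        local = datetime.strptime(row["TimeCreated"], "%Y-%m-%d %H:%M:%S")
        events.append({"ts": normalize(row["Computer"], local, skew), "host": row["Computer"],
                       "source": f"Security/{row['EventID']}", "msg": row["Message"]})
    return events

def parse_jsonl(text, host="proxy01", skew=CLOCK_SKEW):
    events = []
    for rec in map(json.loads, text.splitlines()):
        ts = normalize(host, datetime.fromtimestamp(rec["ts"] / 1000, tz=timezone.utc), skew)
        events.append({"ts": ts, "host": host, "source": "proxy",
                       "msg": f"{rec['method']} {rec['src']} -> {rec['dst']} bytes_out={rec['bytes_out']}"})
    return events

def build_timeline(*event_lists):
    """Merge every source into one list ordered by corrected UTC time."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e["ts"])

def find_entry(timeline, min_failures=2):
    """First successful password auth preceded by >= min_failures failures from the same IP."""
    failures = {}
    for e in timeline:
        if not (m := re.search(r"(Failed|Accepted) password for \S+ from (\S+)", e["msg"])):
            continue
        outcome, ip = m.groups()
        if outcome == "Failed":
            failures[ip] = failures.get(ip, 0) + 1
        elif failures.get(ip, 0) >= min_failures:
            return e
    return None

def chain_after(timeline, entry, window=timedelta(minutes=5)):
    """Every event on any host that follows the entry event within the window."""
    return [e for e in timeline if entry["ts"] < e["ts"] <= entry["ts"] + window]

def investigate(skew=CLOCK_SKEW):
    """Return (entry time, [(utc iso, host, source), ...]) for the correlated chain."""
    tl = build_timeline(parse_syslog(SYSLOG, skew), parse_wincsv(WINCSV, skew),
                        parse_jsonl(PROXYJSON, skew=skew))
    entry = find_entry(tl)
    if entry is None:
        return None, []
    return entry["ts"].isoformat(), [(e["ts"].isoformat(), e["host"], e["source"])
                                      for e in chain_after(tl, entry)]
```

Calling `investigate()` yields the SSH entry at 02:03:19 UTC followed by the DC01 logon from the compromised host, the service install, and the large outbound PUT. Calling `investigate(skew={})` skips the offset correction: DC01's logon then sorts before the SSH entry, which is physically impossible, and drops out of the chain. That is the concrete reason the prerequisites insist on synchronized clocks or a recorded offset per source.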

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0

Similar Skills

Semantically similar based on skill content, not just the same category. All are by mukul975 and were updated today.

- performing-linux-log-forensics-investigation (AI & Automation): Perform forensic investigation of Linux system logs including syslog, auth.log, systemd journal, kern.log, and application logs to reconstruct user activity, detect unauthorized access, and establish event timelines on compromised Linux systems.
- extracting-windows-event-logs-artifacts (AI & Automation): Extract, parse, and analyze Windows Event Logs (EVTX) using Chainsaw, Hayabusa, and EvtxECmd to detect lateral movement, persistence, and privilege escalation.
- analyzing-security-logs-with-splunk (AI & Automation): Leverages Splunk Enterprise Security and SPL (Search Processing Language) to investigate security incidents through log correlation, timeline reconstruction, and anomaly detection. Covers Windows event logs, firewall logs, proxy logs, and authentication data analysis. Activates for requests involving Splunk investigation, SPL queries, SIEM log analysis, security event correlation, or log-based incident investigation.
- analyzing-linux-system-artifacts (AI & Automation): Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover evidence of compromise or unauthorized activity.
- performing-cloud-forensics-investigation (DevOps & Infrastructure): Conduct forensic investigations in cloud environments by collecting and analyzing logs, snapshots, and metadata from AWS, Azure, and GCP services.