ClaudeAtlas

forensics-assist (listed)

Digital-forensics assistant for IR context — memory analysis via Volatility 3, disk-imaging hygiene (write-blocker, hash validation), timeline reconstruction via plaso/log2timeline, file-system artifacts per OS. Audit-grade evidence; courtroom-grade chain of custody requires additional specialized forensics work.
roodlicht/accans-sec-skills · ★ 4 · AI & Automation · score 65
Install: claude install-skill roodlicht/accans-sec-skills
# Forensics Assist

> **Audit-grade vs. forensics-grade**: this skill supports incident-response-grade investigation with evidence that can later be supplemented for legal proceedings, but it is not on its own a fully chain-of-custody-certified forensics output. Specialized forensic teams (an internal forensics cell or an external partner such as Fox-IT or Northwave) handle the courtroom-grade work where required. The skill structures hash validation, write-blocker discipline, and timeline reconstruction so the output is usable for IR plus any follow-up forensics.

## When to use

An incident often calls for forensic investigation in parallel with IR action. This skill provides the practical lens for the blue-team side: what you capture, how you analyse it, and what you hand off to IR or specialized forensics.

Triggers on:

- A question like "memory analysis on this dump", "disk-image hygiene check", "build a timeline from this event log + filesystem", "what is known from MFT", "Volatility plugin choice".
- A handoff from `ir-runbook` (forensics step inside the response), `malware-triage` (memory-extracted binary), `log-triage` (host investigation after an anomaly).
- A suspect host snapshot where you must determine "what happened, how far did it go, how long has it been there".
- Periodic training or post-incident review where a sample investigation is repeated.

### When NOT (handoff)

- Courtroom-grade forensics → specialized team. This skill is operational-grade.
- Rever
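The hash-validation step that the skill description calls out (verifying an acquired image against the hash recorded at acquisition time, and keeping an audit-log entry of every check) looks like this in practice. This is an added example written for this page, not code from the accans-sec-skills project; the image file, the recorded hash, the `custody.jsonl` log name and the JSON entry layout are all constructed assumptions.

```python
"""Disk-image hash validation for IR evidence handling.

Added example (not part of the accans-sec-skills project). Re-hashes an
evidence image in fixed-size chunks, compares the result with the hash
recorded at acquisition, and appends the outcome to a JSON-lines custody
log so that every verification is itself on record.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# 4 MiB chunks: multi-GB images are streamed, never loaded whole into memory
CHUNK = 4 * 1024 * 1024


def hash_image(path: str, algo: str = "sha256") -> str:
    """Return the hex digest of the file at `path`, reading it read-only."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def validate_image(path: str, recorded_hash: str, algo: str = "sha256") -> dict:
    """Compare the live hash with the acquisition-time hash and build a log entry."""
    computed = hash_image(path, algo)
    # Acquisition tools differ in hex case, so normalise before comparing
    recorded = recorded_hash.strip().lower()
    return {
        "image": os.path.basename(path),
        "algo": algo,
        "recorded": recorded,
        "computed": computed,
        "match": computed == recorded,
        "verified_at": datetime.now(timezone.utc).isoformat(),
    }


def append_custody_entry(log_path: str, entry: dict) -> None:
    """Append one verification record (one JSON object per line)."""
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry, sort_keys=True) + "\n")


def demo() -> tuple:
    """Exercise both the matching and the mismatch path on a constructed image.

    Returns (first check matched, second check matched, log line count).
    """
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in for an acquired image; the file name is a placeholder
        img = os.path.join(d, "host01-sda.raw")
        with open(img, "wb") as f:
            f.write(b"\x00" * 1024 + b"NTFS    " + b"\xff" * 2048)

        # The hash as it would have been recorded in the acquisition notes
        recorded = hash_image(img)
        first = validate_image(img, recorded.upper())  # case differs, must still match

        # Simulate later corruption of the image (only ever done here, on a temp file)
        with open(img, "r+b") as f:
            f.seek(512)
            f.write(b"\x41")
        second = validate_image(img, recorded)

        log = os.path.join(d, "custody.jsonl")
        append_custody_entry(log, first)
        append_custody_entry(log, second)
        with open(log, encoding="utf-8") as f:
            lines = sum(1 for _ in f)
        return first["match"], second["match"], lines


if __name__ == "__main__":
    print(demo())  # (True, False, 2)
```

Verification opens the image read-only; the deliberate byte change in `demo()` exists only to exercise the mismatch branch on a throwaway temp file. The pattern generalises to any evidence object (memory dumps, exported event logs) whose acquisition hash was recorded alongside it.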