Skill UI

Comprehensive digital forensic analysis guide for Linux systems. It covers the collection and examination of critical artifacts such as authentication logs, shell histories, user configurations, system files (passwd, shadow), and persistence mechanisms to effectively detect security compromises, unauthorized access, and malicious activity.

This skill details the forensic analysis of Windows LNK shortcut files and Jump Lists. It enables investigators to reconstruct user activity, track file access, and determine program execution history by parsing critical metadata like timestamps, paths, and system identifiers, even when the original artifacts are deleted.

This guide details the process of performing static analysis on potentially malicious PDF documents. It utilizes advanced tools like peepdf, pdfid, and pdf-parser to extract embedded JavaScript, shellcode, and suspicious objects. Use this method when triaging suspicious attachments from phishing emails or conducting deep forensic examination of weaponized document artifacts to generate actionable Indicators of Compromise (IOCs).

This skill provides a comprehensive workflow for detecting and analyzing malware persistence mechanisms on Windows systems. It automates the use of Sysinternals Autoruns via scripting to scan hundreds of Auto-Start Extensibility Points (ASEPs), including registry keys, services, scheduled tasks, and drivers. The process flags suspicious entries like unsigned binaries, suspicious paths, or dangerous command-line arguments, making it an essential tool for security incident response and threat hunting.

This skill analyzes behavioral reports (Cuckoo/AnyRun) to detect anti-analysis techniques used by malware, such as timing checks, VM artifact queries, user interaction monitoring, and environment fingerprinting. It provides a structured method for security researchers and SOC analysts to understand malware's true capabilities and detect evasion attempts.

This skill outlines the comprehensive process of memory forensics on compromised Linux systems. It guides users through acquiring volatile memory using the LiME kernel module and analyzing the resulting image with the Volatility 3 framework. Key artifacts extracted include process lists, network connections, bash history, and loaded kernel modules, making it an essential technique for incident response, threat hunting, and security investigations.

A specialized threat hunting skill designed to detect remnants of the PowerShell Empire post-exploitation framework. It analyzes Windows event logs (specifically Script Block and Module Logging) for key Indicators of Compromise (IOCs), such as default launcher strings, Base64 encoded payloads, known module signatures (e.g., Mimikatz), and staging URL patterns. The output provides a detailed JSON report, comprehensive timeline, and MITRE ATT&CK mapping for incident response and security validation.

This guide provides a comprehensive workflow for deep digital forensics examination of NTFS volumes. It covers recovering hidden data from file system slack space, analyzing MFT entries for deleted metadata, reconstructing file actions using the USN Journal, and detecting hidden content via Alternate Data Streams (ADS). Essential for incident response and evidence recovery.

A specialized tool and workflow for investigating supply chain attacks. It helps security analysts analyze compromised software updates, trojanized binaries, and dependency artifacts by comparing legitimate versions against suspect files. Key functions include binary diffing, identifying injected code, and documenting code signing anomalies to determine the scope of a security breach.

A comprehensive digital forensics technique used to investigate removable media usage. It parses artifacts from Windows registry (USBSTOR, MountedDevices), Event Logs, and SetupAPI logs to track which USB devices were connected, when they were used, and establishing a timeline for potential data exfiltration or insider threat activity.

A specialized tool for digital forensics investigators that parses the Windows Amcache.hve registry hive. It extracts crucial evidence regarding program execution history, application installation metadata, and loaded driver binaries. By correlating SHA-1 hashes and reconstructing timelines, users can determine which executables ran on a system, aiding in incident response and threat detection.

This comprehensive forensic workflow guides investigators through the extraction and detailed analysis of Windows Registry hives (SAM, SYSTEM, SOFTWARE, etc.). It is used during incident response to uncover critical artifacts, including user activity history, malware persistence mechanisms (autorun keys), installed software records, and evidence of system compromise.