Digital forensics and incident response capabilities. Analyze memory dumps with Volatility, parse filesystem artifacts, extract browser forensics, analyze Windows event logs, create forensic timelines, recover deleted files, and generate forensic reports.
Performs digital forensics and incident response including memory analysis, artifact parsing, and timeline creation.
npx claudepluginhub a5c-ai/babysitterThis skill is limited to using the following tools:
README.mdYou are incident-forensics - a specialized skill for digital forensics and incident response, providing capabilities for memory analysis, filesystem forensics, timeline creation, and evidence collection.
This skill enables AI-powered forensic operations including:
This skill is designed for authorized forensic investigations. All operations must:
Analyze memory dumps for malware and incident artifacts:
# Identify memory image profile
vol -f memory.dmp windows.info
# Process listing
vol -f memory.dmp windows.pslist
vol -f memory.dmp windows.pstree
vol -f memory.dmp windows.psscan
# Network connections
vol -f memory.dmp windows.netstat
vol -f memory.dmp windows.netscan
# DLL analysis
vol -f memory.dmp windows.dlllist --pid 1234
vol -f memory.dmp windows.malfind
# Command line arguments
vol -f memory.dmp windows.cmdline
# Registry hives
vol -f memory.dmp windows.registry.hivelist
vol -f memory.dmp windows.registry.printkey --key "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Dump suspicious processes
vol -f memory.dmp windows.memmap --pid 1234 --dump
# File scanning
vol -f memory.dmp windows.filescan
vol -f memory.dmp windows.dumpfiles --pid 1234
# Detect injected code
vol -f memory.dmp windows.malfind
# Extract embedded executables
vol -f memory.dmp windows.vadinfo --pid 1234
vol -f memory.dmp windows.procdump --pid 1234 --dump-dir ./dumps/
# Detect API hooking
vol -f memory.dmp windows.ssdt
vol -f memory.dmp windows.callbacks
# Credential extraction (authorized testing only)
vol -f memory.dmp windows.hashdump
vol -f memory.dmp windows.lsadump
# Timeline from memory
vol -f memory.dmp timeliner.Timeliner --create-bodyfile
# YARA scanning
vol -f memory.dmp windows.vadyarascan --yara-file malware_rules.yar
Analyze disk images and filesystems:
# Image information
img_stat image.dd
mmls image.dd # Partition layout
# Filesystem info
fsstat -o 2048 image.dd
# List files and directories
fls -r -o 2048 image.dd
# Extract file by inode
icat -o 2048 image.dd 12345 > extracted_file.bin
# Timeline creation
fls -r -m "/" -o 2048 image.dd > bodyfile.txt
mactime -b bodyfile.txt -d > timeline.csv
# File recovery
tsk_recover -o 2048 image.dd ./recovered/
# Search for specific file types
sigfind -t image.dd # Find signature matches
# MFT analysis
icat -o 2048 image.dd 0 > $MFT
Parse Windows-specific artifacts:
# Prefetch analysis
python3 -c "
import prefetch
from pathlib import Path
for pf_file in Path('/evidence/Prefetch/').glob('*.pf'):
pf = prefetch.Prefetch(pf_file)
print(f'Executable: {pf.executable_name}')
print(f'Run count: {pf.run_count}')
print(f'Last run: {pf.last_run_time}')
print(f'Files accessed:')
for f in pf.files_accessed:
print(f' {f}')
print()
"
# LNK file analysis
python3 -c "
import lnk
from pathlib import Path
lnk_file = lnk.lnk('/evidence/Recent/document.lnk')
print(f'Target: {lnk_file.target_file}')
print(f'Working dir: {lnk_file.working_dir}')
print(f'Created: {lnk_file.creation_time}')
print(f'Modified: {lnk_file.modification_time}')
print(f'Accessed: {lnk_file.access_time}')
"
# Jump list analysis
python3 JumpListParser.py --input /evidence/AutomaticDestinations/
# USN Journal parsing
usn.py /evidence/$UsnJrnl:$J --csv > usn_journal.csv
Parse and analyze Windows event logs:
# Convert EVTX to XML/JSON
python3 -c "
from evtx import PyEvtxParser
parser = PyEvtxParser('/evidence/Security.evtx')
for record in parser.records():
print(record['data'])
"
# Filter security events
python3 -c "
from evtx import PyEvtxParser
import json
# Interesting Event IDs
LOGON_SUCCESS = 4624
LOGON_FAILURE = 4625
ACCOUNT_CREATED = 4720
SERVICE_INSTALLED = 7045
SCHEDULED_TASK = 4698
parser = PyEvtxParser('/evidence/Security.evtx')
for record in parser.records():
data = record['data']
# Parse and filter events
# Extract timestamp, event ID, account name, etc.
"
# PowerShell log analysis
# Event ID 4104 - Script Block Logging
python3 parse_powershell_logs.py /evidence/PowerShell-Operational.evtx
# Common attack indicators
# - 4688: Process creation (if auditing enabled)
# - 4697: Service installation
# - 1102: Audit log cleared
# - 4698-4702: Scheduled task events
Extract browser artifacts:
# Chrome history analysis
python3 -c "
import sqlite3
import datetime
# Chrome History database
conn = sqlite3.connect('/evidence/Chrome/History')
cursor = conn.cursor()
# URL history
cursor.execute('''
SELECT url, title, visit_count,
datetime(last_visit_time/1000000-11644473600, 'unixepoch') as visit_time
FROM urls
ORDER BY last_visit_time DESC
''')
for row in cursor.fetchall():
print(f'{row[3]} | {row[0]} | Visits: {row[2]}')
# Downloads
cursor.execute('''
SELECT target_path, tab_url,
datetime(start_time/1000000-11644473600, 'unixepoch') as download_time
FROM downloads
''')
for row in cursor.fetchall():
print(f'{row[2]} | {row[0]} | From: {row[1]}')
"
# Firefox forensics
python3 -c "
import sqlite3
conn = sqlite3.connect('/evidence/Firefox/places.sqlite')
cursor = conn.cursor()
# History
cursor.execute('''
SELECT url, title, visit_count,
datetime(last_visit_date/1000000, 'unixepoch')
FROM moz_places
WHERE visit_count > 0
ORDER BY last_visit_date DESC
''')
for row in cursor.fetchall():
print(row)
"
# Cookie analysis
python3 -c "
import sqlite3
conn = sqlite3.connect('/evidence/Chrome/Cookies')
cursor = conn.cursor()
cursor.execute('SELECT host_key, name, value, expires_utc FROM cookies')
for row in cursor.fetchall():
print(f'{row[0]}: {row[1]}={row[2]}')
"
Generate comprehensive forensic timelines:
# Parse evidence with log2timeline
log2timeline.py --storage-file timeline.plaso /evidence/
# Create timeline output
psort.py -o l2tcsv -w timeline.csv timeline.plaso
# Filter timeline by date range
psort.py -o l2tcsv -w filtered.csv timeline.plaso \
"date > '2024-01-01' AND date < '2024-01-31'"
# Filter by specific artifact types
psort.py -o l2tcsv -w prefetch.csv timeline.plaso \
"parser contains 'prefetch'"
# Create timeline for specific user
psort.py -o l2tcsv -w user_timeline.csv timeline.plaso \
"username contains 'jsmith'"
Parse and analyze Windows registry hives:
# Registry Explorer (Python)
python3 -c "
from Registry import Registry
# NTUSER.DAT - User settings
reg = Registry.Registry('/evidence/NTUSER.DAT')
# Recent documents
recent = reg.open('Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RecentDocs')
for value in recent.values():
print(f'{value.name()}: {value.value()}')
# UserAssist - Program execution
userassist = reg.open('Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\UserAssist')
for subkey in userassist.subkeys():
for value in subkey.values():
# Decode ROT13 names
print(value.name(), value.value())
# Run keys
run = reg.open('Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run')
for value in run.values():
print(f'{value.name()}: {value.value()}')
"
# SYSTEM hive analysis
python3 -c "
from Registry import Registry
system = Registry.Registry('/evidence/SYSTEM')
# Get computer name
computername = system.open('ControlSet001\\\\Control\\\\ComputerName\\\\ComputerName')
print(f'Computer: {computername.value(\"ComputerName\").value()}')
# Network interfaces
interfaces = system.open('ControlSet001\\\\Services\\\\Tcpip\\\\Parameters\\\\Interfaces')
for interface in interfaces.subkeys():
print(f'Interface: {interface.name()}')
"
Recover deleted files and carve data:
# File carving with Scalpel
scalpel -c /etc/scalpel/scalpel.conf -o /recovered/ image.dd
# PhotoRec for file recovery
photorec /d /recovered/ image.dd
# Foremost for carving
foremost -t all -i image.dd -o /recovered/
# Custom carving patterns
cat > custom_scalpel.conf << 'EOF'
# Custom file signatures
pdf y 100000000 %PDF %%EOF
doc y 50000000 \xd0\xcf\x11\xe0
zip y 100000000 PK\x03\x04 \x3c\xac
EOF
scalpel -c custom_scalpel.conf -o /recovered/ image.dd
This skill can leverage the following tools:
| Tool | Description | URL |
|---|---|---|
| Volatility MCP Server | Memory forensics integration | https://github.com/bornpresident/Volatility-MCP-Server |
| Computer Forensics Skill | General forensics capabilities | Claude Skills Marketplace |
| DeepBits Plugins | Binary analysis for forensics | https://github.com/DeepBitsTechnology/claude-plugins |
windows_artifacts:
evidence_of_execution:
- Prefetch files (*.pf)
- UserAssist registry keys
- ShimCache/AppCompatCache
- AmCache.hve
- SRUM database
file_activity:
- MFT (Master File Table)
- USN Journal
- Jump Lists
- LNK files
- Shellbags
persistence:
- Run/RunOnce registry keys
- Services
- Scheduled Tasks
- Startup folders
- WMI subscriptions
lateral_movement:
- Event logs (Security, System)
- RDP bitmap cache
- Network connections
- Authentication logs
This skill integrates with the following processes:
malware-analysis.js - Post-incident malware forensicsthreat-intelligence-research.js - IOC extractionred-team-operations.js - Post-operation analysisWhen executing operations, provide structured output:
{
"investigation_id": "INC-2024-0042",
"evidence_source": "memory.dmp",
"analysis_type": "memory_forensics",
"timestamp": "2026-01-24T10:30:00Z",
"findings": {
"suspicious_processes": [
{
"pid": 4512,
"name": "svchost.exe",
"path": "C:\\Windows\\Temp\\svchost.exe",
"parent_pid": 1,
"anomaly": "unusual_path"
}
],
"network_connections": [
{
"pid": 4512,
"local_addr": "192.168.1.100:49152",
"remote_addr": "185.123.45.67:443",
"state": "ESTABLISHED"
}
],
"injected_code": [
{
"pid": 4512,
"address": "0x7ff12340000",
"protection": "PAGE_EXECUTE_READWRITE"
}
]
},
"iocs_extracted": {
"ip_addresses": ["185.123.45.67"],
"domains": ["malware.example.com"],
"file_hashes": ["abc123..."],
"mutex_names": ["Global\\XYZMutex"]
},
"timeline_entries": [
{
"timestamp": "2024-01-15T08:23:45Z",
"event": "process_creation",
"details": "svchost.exe spawned from cmd.exe"
}
],
"recommendations": [
"Isolate affected system",
"Block C2 IP addresses",
"Scan for lateral movement"
]
}
Activates when the user asks about AI prompts, needs prompt templates, wants to search for prompts, or mentions prompts.chat. Use for discovering, retrieving, and improving prompts.
Search, retrieve, and install Agent Skills from the prompts.chat registry using MCP tools. Use when the user asks to find skills, browse skill catalogs, install a skill for Claude, or extend Claude's capabilities with reusable AI agent components.
This skill should be used when the user asks to "create an agent", "add an agent", "write a subagent", "agent frontmatter", "when to use description", "agent examples", "agent tools", "agent colors", "autonomous agent", or needs guidance on agent structure, system prompts, triggering conditions, or agent development best practices for Claude Code plugins.