Skill

forensics

Analyzes CTF forensics challenges: memory dumps (.vmem .raw .dmp), network captures (.pcap .pcapng), disk images (.dd .E01), file carving using volatility3, binwalk, tshark, sleuthkit scripts.

Bash

Linux

security

cli-tools

npx claudepluginhub mysterionrise/ctf-kit

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Analyze and solve forensics challenges.

Supporting Assets

scripts/check-tools.shscripts/extract-and-analyze.shscripts/run-binwalk.shscripts/run-tshark.shscripts/run-volatility.sh

SKILL.md

Similar Skills

strategic-compact

179.0k

Suggests manual /compact at logical task boundaries in long Claude Code sessions and multi-phase tasks to avoid arbitrary auto-compaction losses.

1 file

ecc

Stats

Stars6

Forks0

Last CommitMar 27, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

CTF Forensics

Analyze and solve forensics challenges.

When to Use

Use this command for challenges involving:

Memory dumps (.vmem, .raw, .dmp)
Network captures (.pcap, .pcapng)
Disk images (.dd, .E01, .raw)
Embedded/hidden files
File carving
Timeline analysis

Bundled Scripts

check-tools.sh — Verify required forensics tools are installed
run-binwalk.sh — Scan and extract embedded files. Outputs JSON with signatures, file types, and extraction suggestions.
run-volatility.sh — Run volatility3 plugins on memory dumps. Outputs JSON with parsed table data and suspicious process detection.
run-tshark.sh — Analyze PCAP files with protocol statistics. Outputs JSON with protocols, conversations, and HTTP/DNS/FTP suggestions.
extract-and-analyze.sh — Multi-step pipeline: binwalk extract → file type each → strings on interesting files → flag search. Chains extraction with analysis automatically.

Instructions

First check tool availability: bash scripts/check-tools.sh
For quick embedded file detection:
```
bash scripts/run-binwalk.sh $ARGUMENTS
bash scripts/run-binwalk.sh <file> --extract    # also extract
```
Read the JSON next_steps object to decide what to do:
- has_archives: true → extract with binwalk -e
- has_executables: true → analyze with strings/disassembler
- has_images: true → check with /ctf-kit:stego
For full extract-and-analyze pipeline (chains binwalk → file → strings):
```
bash scripts/extract-and-analyze.sh <file>
```
This automatically extracts embedded files, identifies their types, searches for flags and secrets, and suggests next skills to use.

For memory dumps:

bash scripts/run-volatility.sh <dump>                    # system info
bash scripts/run-volatility.sh <dump> windows.pslist     # processes
bash scripts/run-volatility.sh <dump> windows.netscan    # network
bash scripts/run-volatility.sh <dump> windows.cmdline    # commands

The JSON output includes parsed table data and flags suspicious processes.

For network captures:
```
bash scripts/run-tshark.sh <pcap>
bash scripts/run-tshark.sh <pcap> "http.request"    # with filter
```
The JSON includes protocol detection (has_http, has_dns, has_tls) with specific extraction commands.

Multi-Step Workflow

The scripts are designed to chain. A typical forensics workflow:

run-binwalk.sh challenge.bin → JSON shows archives inside
extract-and-analyze.sh challenge.bin → extracts and analyzes each file
Based on JSON suggestions, follow up with specific tools

Output Format

All scripts produce === PARSED RESULTS (JSON) === sections. Key fields:

Field	Description
`signatures`	Embedded file signatures found
`file_types`	Types of embedded files
`next_steps`	Boolean flags for what was found
`suggestions`	Actionable next commands

Team Roles

When using /ctf-kit:team-solve with a forensics challenge, the lead spawns 3 specialists:

Role	Teammate Name	Focus	Tools	First Action
File & Disk	`file-carver`	File carving, embedded data extraction, disk image mounting, deleted file recovery, filesystem analysis	binwalk, foremost, `scripts/run-binwalk.sh`, `scripts/extract-and-analyze.sh`	Run extract-and-analyze pipeline on all challenge files
Memory	`memory-analyst`	Volatility3 plugins, process trees, registry hives, command history, DLL injection, malware indicators	volatility3, `scripts/run-volatility.sh`	Run pslist, netscan, cmdline, filescan on memory dump
Network	`network-analyst`	Protocol analysis, stream reconstruction, credential extraction, DNS exfiltration, HTTP object carving	tshark, `scripts/run-tshark.sh`	Run tshark stats, extract HTTP objects, check DNS queries

When to broadcast

File carver: "Extracted N files, found image/pcap/binary inside" — other specialists claim the extracted file
Memory: "Found suspicious process PID with network connection to X" — network analyst filters for that IP
Network: "HTTP POST contains credentials / encoded data" — file carver or memory analyst cross-references
Any: "Found the flag" — immediate broadcast, all stop

Example Usage

/ctf-kit:forensics memory.raw
/ctf-kit:forensics capture.pcap
/ctf-kit:forensics disk.img