incident-forensics
You are incident-forensics - a specialized skill for digital forensics and incident response, providing capabilities for memory analysis, filesystem forensics, timeline creation, and evidence collection.
Overview
This skill enables AI-powered forensic operations including:
- Analyzing memory dumps with Volatility 3
- Parsing filesystem artifacts (MFT, USN Journal, Prefetch)
- Extracting browser forensics (history, cookies, cache)
- Analyzing Windows event logs
- Creating comprehensive forensic timelines
- Recovering deleted files and data carving
- Analyzing registry hives
- Generating forensic investigation reports
Prerequisites
- Volatility 3: Memory forensics framework
- Sleuth Kit/Autopsy: Filesystem forensics
- Log2Timeline/Plaso: Timeline generation
- KAPE: Evidence collection
- Python forensics libraries: yara-python, pefile, etc.
IMPORTANT: Evidence Integrity
This skill is designed for authorized forensic investigations. All operations must:
- Preserve evidence integrity (chain of custody)
- Work on forensic copies, never original evidence
- Document all actions taken during analysis
- Follow legal and organizational requirements
Capabilities
1. Memory Forensics with Volatility 3
Analyze memory dumps for malware and incident artifacts:
```bash
# Identify memory image profile
vol -f memory.dmp windows.info

# Process listing
vol -f memory.dmp windows.pslist
vol -f memory.dmp windows.pstree
vol -f memory.dmp windows.psscan

# Network connections
vol -f memory.dmp windows.netstat
vol -f memory.dmp windows.netscan

# DLL analysis
vol -f memory.dmp windows.dlllist --pid 1234
vol -f memory.dmp windows.malfind

# Command line arguments
vol -f memory.dmp windows.cmdline

# Registry hives
vol -f memory.dmp windows.registry.hivelist
vol -f memory.dmp windows.registry.printkey --key "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Dump suspicious processes
vol -f memory.dmp windows.memmap --pid 1234 --dump

# File scanning
vol -f memory.dmp windows.filescan
vol -f memory.dmp windows.dumpfiles --pid 1234
```
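The process-listing output above is usually triaged by checking each core Windows process against its expected parent. The following is an added example, not part of the skill or of Volatility: it parses the first three columns of `windows.pslist` text output (the sample output is constructed) and reports core processes whose parent is not the one the standard Windows boot chain produces. The expected-parent table is the usual baseline, not something the page states.

```python
# Added example (not part of the skill): parent/child triage of Volatility 3
# windows.pslist output. The sample output below is constructed; the
# expected-parent table is the usual Windows process baseline.

# Image name -> acceptable parent image names for core Windows processes.
EXPECTED_PARENT = {
    "smss.exe": {"System"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}
# Session-manager instances exit after spawning these, so a missing parent is normal.
PARENT_MAY_HAVE_EXITED = {"csrss.exe", "wininit.exe", "winlogon.exe"}

# Constructed sample of `vol -f memory.dmp windows.pslist` text output.
SAMPLE_PSLIST = """\
Volatility 3 Framework (constructed sample)
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output
4\t0\tSystem\t0xa10000\t120\t-\tN/A\tFalse\t2024-01-15 10:00:00.000000\tN/A\tDisabled
332\t4\tsmss.exe\t0xa20000\t2\t-\tN/A\tFalse\t2024-01-15 10:00:01.000000\tN/A\tDisabled
420\t332\tcsrss.exe\t0xa30000\t10\t-\t0\tFalse\t2024-01-15 10:00:02.000000\tN/A\tDisabled
500\t332\twininit.exe\t0xa40000\t1\t-\t0\tFalse\t2024-01-15 10:00:02.000000\tN/A\tDisabled
600\t500\tservices.exe\t0xa50000\t8\t-\t0\tFalse\t2024-01-15 10:00:03.000000\tN/A\tDisabled
612\t500\tlsass.exe\t0xa60000\t9\t-\t0\tFalse\t2024-01-15 10:00:03.000000\tN/A\tDisabled
700\t600\tsvchost.exe\t0xa70000\t12\t-\t0\tFalse\t2024-01-15 10:00:04.000000\tN/A\tDisabled
3000\t2900\texplorer.exe\t0xa80000\t40\t-\t1\tFalse\t2024-01-15 10:01:00.000000\tN/A\tDisabled
1234\t3000\tsvchost.exe\t0xa90000\t3\t-\t1\tFalse\t2024-01-15 10:22:33.000000\tN/A\tDisabled
5555\t9999\tlsass.exe\t0xaa0000\t2\t-\t1\tFalse\t2024-01-15 10:23:10.000000\tN/A\tDisabled
"""


def parse_pslist(text):
    """Parse PID, PPID and ImageFileName (the first three columns of
    windows.pslist output) into a dict pid -> (ppid, image_name)."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip the banner, the header row and anything that is not a process row.
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        pid, ppid, name = int(parts[0]), int(parts[1]), parts[2]
        procs[pid] = (ppid, name)
    return procs


def find_parent_anomalies(procs):
    """Return sorted (pid, image_name, parent_image_name) for core processes
    whose parent is not in EXPECTED_PARENT. A parent that is no longer in the
    list is reported as '<missing>' unless that is expected for the image."""
    anomalies = []
    for pid, (ppid, name) in procs.items():
        expected = EXPECTED_PARENT.get(name)
        if expected is None:
            continue
        parent_name = procs.get(ppid, (None, "<missing>"))[1]
        if parent_name == "<missing>" and name in PARENT_MAY_HAVE_EXITED:
            continue
        if parent_name not in expected:
            anomalies.append((pid, name, parent_name))
    return sorted(anomalies)


if __name__ == "__main__":
    for pid, name, parent in find_parent_anomalies(parse_pslist(SAMPLE_PSLIST)):
        print(f"PID {pid} {name} has unexpected parent {parent}")
```

Feed it real output with `vol -f memory.dmp windows.pslist > pslist.txt` and `parse_pslist(open("pslist.txt").read())`; a `svchost.exe` under `explorer.exe` or an `lsass.exe` whose parent is gone are the kind of rows that deserve a follow-up with `windows.cmdline`, `windows.dlllist` and `windows.malfind` on that PID.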
2. Advanced Memory Analysis
```bash
# Detect injected code
vol -f memory.dmp windows.malfind

# Extract embedded executables
vol -f memory.dmp windows.vadinfo --pid 1234
# Volatility 3 dumps process images via pslist --dump; the output directory is the global -o option
vol -o ./dumps/ -f memory.dmp windows.pslist --pid 1234 --dump

# Detect API hooking
vol -f memory.dmp windows.ssdt
vol -f memory.dmp windows.callbacks

# Credential extraction (authorized testing only)
vol -f memory.dmp windows.hashdump
vol -f memory.dmp windows.lsadump

# Timeline from memory
vol -f memory.dmp timeliner.Timeliner --create-bodyfile

# YARA scanning
vol -f memory.dmp windows.vadyarascan --yara-file malware_rules.yar
```
3. Filesystem Forensics with Sleuth Kit
Analyze disk images and filesystems:
```bash
# Image information
img_stat image.dd
mmls image.dd   # Partition layout

# Filesystem info (-o is the partition's starting sector from mmls)
fsstat -o 2048 image.dd

# List files and directories
fls -r -o 2048 image.dd

# Extract file by inode
icat -o 2048 image.dd 12345 > extracted_file.bin

# Timeline creation
fls -r -m "/" -o 2048 image.dd > bodyfile.txt
mactime -b bodyfile.txt -d > timeline.csv

# File recovery
tsk_recover -o 2048 image.dd ./recovered/

# Search for filesystem structures by signature (-t takes a template name, e.g. ntfs, fat, ext2)
sigfind -t ntfs image.dd

# MFT analysis (inode 0 of an NTFS volume is $MFT; quote the name so the shell does not expand it)
icat -o 2048 image.dd 0 > '$MFT'
```
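The bodyfile that `fls -m` writes and `mactime` consumes is a simple pipe-separated format, and understanding it is what lets you spot merged MACB flags and deleted entries in the resulting timeline. The following is an added example, not part of the skill or of The Sleuth Kit: it parses constructed bodyfile lines and expands them into a mactime-style timeline, merging timestamps that coincide into one event with combined flags.

```python
# Added example (not part of the skill): turn a Sleuth Kit bodyfile
# (`fls -r -m "/" ...` output) into a mactime-style MACB timeline.
# The bodyfile lines below are constructed.
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# TSK 3.x bodyfile: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
FIELDS = ["md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime"]
# mactime flag letters: m = modified, a = accessed, c = MFT changed, b = born (created)
TIME_FLAGS = [("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b")]

SAMPLE_BODYFILE = """\
0|/Windows/System32/cmd.exe|1234-128-1|r/rrwxrwxrwx|0|0|289792|1705312800|1705312800|1705312800|1705312800
0|/Users/jsmith/Downloads/invoice.exe|5678-128-3|r/rrwxrwxrwx|0|0|51200|1705400000|1705399000|1705400000|1705399000
0|/Users/jsmith/AppData/Local/Temp/stage.bat (deleted)|5690-128-1|r/rrwxrwxrwx|0|0|2048|1705399500|1705399500|1705399500|1705399500
"""


def parse_bodyfile(text):
    """Parse bodyfile lines into dicts; size and the four timestamps become ints."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected field count: {line!r}")
        row = dict(zip(FIELDS, parts))
        for key in ("size", "atime", "mtime", "ctime", "crtime"):
            row[key] = int(row[key])
        # fls appends " (deleted)" to the name of unallocated entries.
        row["deleted"] = row["name"].endswith(" (deleted)")
        rows.append(row)
    return rows


def build_timeline(rows):
    """Expand each file into (time, MACB flags, size, name) events, merging
    timestamps that coincide (as mactime does) and skipping zero timestamps."""
    events = []
    for row in rows:
        flags_at = defaultdict(set)
        for key, letter in TIME_FLAGS:
            if row[key]:
                flags_at[row[key]].add(letter)
        for ts, letters in flags_at.items():
            macb = "".join(l if l in letters else "." for l in "macb")
            when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
            events.append((when, macb, row["size"], row["name"]))
    return sorted(events)


def timeline_to_csv(events):
    """Render the timeline as CSV text, the form the skill writes to timeline.csv."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["Date", "MACB", "Size", "Name"])
    writer.writerows(events)
    return buf.getvalue()


if __name__ == "__main__":
    print(timeline_to_csv(build_timeline(parse_bodyfile(SAMPLE_BODYFILE))))
```

Timestamps are rendered in UTC on purpose: bodyfile times are epoch seconds, and mixing local-time conversions from different hosts is a common way to misorder a timeline. A row whose flags read `m..b` with a later `.ac.` (the `invoice.exe` sample) is the usual signature of a file whose content was written before it was copied into place, which is worth cross-checking against the Prefetch and USN artifacts from the next section.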
4. Windows Artifact Analysis
Parse Windows-specific artifacts:
```bash
# Prefetch analysis (requires a Python prefetch parser exposing prefetch.Prefetch)
python3 -c "
import prefetch
from pathlib import Path

for pf_file in Path('/evidence/Prefetch/').glob('*.pf'):
    pf = prefetch.Prefetch(pf_file)
    print(f'Executable: {pf.executable_name}')
    print(f'Run count: {pf.run_count}')
    print(f'Last run: {pf.last_run_time}')
    print('Files accessed:')
    for f in pf.files_accessed:
        print(f'  {f}')
    print()
"

# LNK file analysis
python3 -c "
import lnk

lnk_file = lnk.lnk('/evidence/Recent/document.lnk')
print(f'Target: {lnk_file.target_file}')
print(f'Working dir: {lnk_file.working_dir}')
print(f'Created: {lnk_file.creation_time}')
print(f'Modified: {lnk_file.modification_time}')
print(f'Accessed: {lnk_file.access_time}')
"

# Jump list analysis
python3 JumpListParser.py --input /evidence/AutomaticDestinations/

# USN Journal parsing (single quotes keep the shell from expanding $UsnJrnl and $J)
usn.py '/evidence/$UsnJrnl:$J' --csv > usn_journal.csv
```
5. Windows Event Log Analysis
Parse and analyze Windows event logs:
```bash
# Convert EVTX to XML (record['data'] holds the event XML)
python3 -c "
from evtx import PyEvtxParser

parser = PyEvtxParser('/evidence/Security.evtx')
for record in parser.records():
    print(record['data'])
"

# Filter security events
python3 -c "
from evtx import PyEvtxParser
import json

# Interesting Event IDs
LOGON_SUCCESS = 4624
LOGON_FAILURE = 4625
ACCOUNT_CREATED = 4720
SERVICE_INSTALLED = 7045
SCHEDULED_TASK = 4698
WATCH = {LOGON_SUCCESS, LOGON_FAILURE, ACCOUNT_CREATED, SERVICE_INSTALLED, SCHEDULED_TASK}

parser = PyEvtxParser('/evidence/Security.evtx')
# records_json() returns each event as a JSON string in record['data']
for record in parser.records_json():
    event = json.loads(record['data'])['Event']
    event_id = event['System']['EventID']
    # EventID is a dict with '#text' when the element carries attributes (e.g. Qualifiers)
    if isinstance(event_id, dict):
        event_id = event_id['#text']
    if int(event_id) not in WATCH:
        continue
    data = event.get('EventData') or {}
    print(record['timestamp'], event_id,
          data.get('TargetUserName'), data.get('IpAddress'), data.get('LogonType'))
"

# PowerShell log analysis
# Event ID 4104 - Script Block Logging
python3 parse_powershell_logs.py /evidence/PowerShell-Operational.evtx

# Common attack indicators
# - 4688: Process creation (if auditing enabled)
# - 4697: Service installation
# - 1102: Audit log cleared
# - 4698-4702: Scheduled task events
```
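Filtering on event IDs is only the first step; the indicators listed above become useful when the parsed records are correlated. The following is an added example, not part of the skill or of the `evtx` package: it parses Security events in the XML layout that `PyEvtxParser.records()` returns in `record['data']` (the records here are constructed with a small helper, so the block runs offline) and flags a run of 4625 failures for one user and source address followed by a 4624 success, an 1102 audit-log clear, and a 4720 account creation. The five-failure threshold and ten-minute window are assumptions to tune per environment.

```python
# Added example (not part of the skill): parse Security event records in the
# XML form pyevtx-rs returns in record['data'] and flag common indicators.
# The events below are constructed; only the standard library is used.
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

NS_URI = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = "{" + NS_URI + "}"


def make_event(event_id, system_time, **data):
    """Build a constructed Security record with EventData/Data fields."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS_URI}"><System>'
            f'<Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{system_time}"/>'
            f'<Computer>WS01.corp.example</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')


# 1102 carries its fields under UserData/LogFileCleared rather than EventData.
CLEARED_1102 = (f'<Event xmlns="{NS_URI}"><System><EventID>1102</EventID>'
                f'<TimeCreated SystemTime="2024-01-16T09:58:00.000000Z"/>'
                f'<Computer>WS01.corp.example</Computer></System>'
                f'<UserData><LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">'
                f'<SubjectUserName>jsmith</SubjectUserName></LogFileCleared></UserData></Event>')

# Constructed sample: five failures for jsmith from 10.0.0.5, then a success,
# then the log is cleared and a new account appears; alice's logon is benign.
SAMPLE_RECORDS = [
    make_event(4625, f"2024-01-16T09:50:{s:02d}.000000Z",
               TargetUserName="jsmith", IpAddress="10.0.0.5", LogonType=3)
    for s in (0, 20, 40)
] + [
    make_event(4625, f"2024-01-16T09:51:{s:02d}.000000Z",
               TargetUserName="jsmith", IpAddress="10.0.0.5", LogonType=3)
    for s in (0, 20)
] + [
    make_event(4624, "2024-01-16T09:52:00.000000Z",
               TargetUserName="jsmith", IpAddress="10.0.0.5", LogonType=3),
    CLEARED_1102,
    make_event(4720, "2024-01-16T09:59:00.000000Z",
               TargetUserName="svc_backup", SubjectUserName="jsmith"),
    make_event(4624, "2024-01-16T10:30:00.000000Z",
               TargetUserName="alice", IpAddress="10.0.0.9", LogonType=2),
]


def parse_event(xml_text):
    """Return {event_id, time, computer, data} from one event's XML."""
    root = ET.fromstring(xml_text)
    system = root.find(f"{NS}System")
    when = system.find(f"{NS}TimeCreated").get("SystemTime")
    data = {d.get("Name"): (d.text or "") for d in root.iterfind(f"{NS}EventData/{NS}Data")}
    user_data = root.find(f"{NS}UserData")
    if user_data is not None:  # flatten UserData/<Section>/<Field> elements by local tag name
        for el in user_data.iter():
            if el.text and el.text.strip():
                data[el.tag.rsplit("}", 1)[-1]] = el.text.strip()
    return {
        "event_id": int(system.find(f"{NS}EventID").text),
        "time": datetime.fromisoformat(when.replace("Z", "+00:00")),
        "computer": system.findtext(f"{NS}Computer"),
        "data": data,
    }


def find_indicators(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Flag (time, kind, detail): fail_threshold+ 4625s for one (user, source IP)
    followed by a 4624 within `window`; 1102 log cleared; 4720 account created."""
    failures = defaultdict(list)
    found = []
    for ev in sorted(events, key=lambda e: e["time"]):
        d, eid = ev["data"], ev["event_id"]
        key = (d.get("TargetUserName"), d.get("IpAddress"))
        if eid == 4625:
            failures[key].append(ev["time"])
        elif eid == 4624:
            recent = [t for t in failures[key] if ev["time"] - t <= window]
            if len(recent) >= fail_threshold:
                found.append((ev["time"], "brute_force_success",
                              f"{key[0]} from {key[1]} after {len(recent)} failures"))
                failures[key].clear()
        elif eid == 1102:
            found.append((ev["time"], "audit_log_cleared", f"by {d.get('SubjectUserName')}"))
        elif eid == 4720:
            found.append((ev["time"], "account_created",
                          f"{d.get('TargetUserName')} by {d.get('SubjectUserName')}"))
    return [(t.strftime("%Y-%m-%d %H:%M:%S"), kind, detail) for t, kind, detail in found]


def triage(records):
    """Parse raw XML records (as yielded by PyEvtxParser.records()) and correlate them."""
    return find_indicators([parse_event(r) for r in records])


if __name__ == "__main__":
    for when, kind, detail in triage(SAMPLE_RECORDS):
        print(when, kind, detail)
```

On real evidence, replace `SAMPLE_RECORDS` with `[r['data'] for r in PyEvtxParser('/evidence/Security.evtx').records()]`. Note that 1102 is the one event here whose fields live under `UserData` rather than `EventData`, which is why the parser flattens both; a filter that only reads `EventData` silently loses the account that cleared the log.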
6. Browser Forensics
Extract browser artifacts:
```bash
# Chrome history analysis (open the forensic copy read-only)
python3 -c "
import sqlite3

# Chrome History database; timestamps are WebKit microseconds since 1601-01-01
conn = sqlite3.connect('file:/evidence/Chrome/History?mode=ro', uri=True)
cursor = conn.cursor()

# URL history
cursor.execute('''
    SELECT url, title, visit_count,
           datetime(last_visit_time/1000000-11644473600, 'unixepoch') AS visit_time
    FROM urls
    ORDER BY last_visit_time DESC
''')
for row in cursor.fetchall():
    print(f'{row[3]} | {row[0]} | Visits: {row[2]}')

# Downloads
cursor.execute('''
    SELECT target_path, tab_url,
           datetime(start_time/1000000-11644473600, 'unixepoch') AS download_time
    FROM downloads
''')
for row in cursor.fetchall():
    print(f'{row[2]} | {row[0]} | From: {row[1]}')
conn.close()
"

# Firefox forensics (last_visit_date is microseconds since the Unix epoch)
python3 -c "
import sqlite3

conn = sqlite3.connect('file:/evidence/Firefox/places.sqlite?mode=ro', uri=True)
cursor = conn.cursor()

# History
cursor.execute('''
    SELECT url, title, visit_count,
           datetime(last_visit_date/1000000, 'unixepoch')
    FROM moz_places
    WHERE visit_count > 0
    ORDER BY last_visit_date DESC
''')
for row in cursor.fetchall():
    print(row)
conn.close()
"

# Cookie analysis (Chrome stores most cookie values encrypted in encrypted_value; value is then empty)
python3 -c "
import sqlite3

conn = sqlite3.connect('file:/evidence/Chrome/Cookies?mode=ro', uri=True)
cursor = conn.cursor()
cursor.execute('SELECT host_key, name, value, encrypted_value, expires_utc FROM cookies')
for host, name, value, encrypted, expires in cursor.fetchall():
    shown = value if value else f'<encrypted, {len(encrypted)} bytes>'
    print(f'{host}: {name}={shown}')
conn.close()
"
```
7. Timeline Creation with Plaso
Generate comprehensive forensic timelines:
```bash
# Parse evidence with log2timeline
log2timeline.py --storage-file timeline.plaso /evidence/

# Create timeline output
psort.py -o l2tcsv -w timeline.csv timeline.plaso

# Filter timeline by date range
psort.py -o l2tcsv -w filtered.csv timeline.plaso \
    "date > '2024-01-01' AND date < '2024-01-31'"

# Filter by specific artifact types
psort.py -o l2tcsv -w prefetch.csv timeline.plaso \
    "parser contains 'prefetch'"

# Create timeline for specific user
psort.py -o l2tcsv -w user_timeline.csv timeline.plaso \
    "username contains 'jsmith'"
```
8. Registry Analysis
Parse and analyze Windows registry hives:
```bash
# Registry parsing with python-registry
python3 -c "
from Registry import Registry

# NTUSER.DAT - User settings
reg = Registry.Registry('/evidence/NTUSER.DAT')

# Recent documents
recent = reg.open('Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RecentDocs')
for value in recent.values():
    print(f'{value.name()}: {value.value()}')

# UserAssist - Program execution
userassist = reg.open('Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\UserAssist')
for sub
```
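The UserAssist values that the registry walk above reaches are not directly readable: the value names are ROT13-encoded paths and the value data is a fixed binary record whose last-run field is a FILETIME, the same 1601-based clock that the Chrome queries in the browser section convert with the `11644473600` offset, while Firefox uses Unix-epoch microseconds. The following is an added example, not part of the skill or of python-registry: it normalizes those three timestamp formats and decodes one UserAssist entry. The entry (name and 72-byte value) is constructed; on a real hive the same bytes come from `value.name()` and `value.value()` under each `UserAssist\{GUID}\Count` subkey, and the Windows 7+ value layout (run count at offset 4, last-run FILETIME at offset 60) is the documented one but is stated here as an assumption for older formats.

```python
# Added example (not part of the skill): normalize the timestamp formats met
# above (FILETIME in registry/MFT/event logs, WebKit microseconds in Chrome
# databases, PRTime microseconds in Firefox) and decode a UserAssist entry.
# The UserAssist name and value bytes below are constructed.
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (used to build the constructed sample)."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def webkit_to_datetime(us):
    """Chrome/WebKit: microseconds since 1601-01-01 UTC (last_visit_time, expires_utc).
    Same conversion as datetime(x/1000000-11644473600, 'unixepoch') in SQLite."""
    return EPOCH_1601 + timedelta(microseconds=us)


def prtime_to_datetime(us):
    """Firefox PRTime: microseconds since 1970-01-01 UTC (moz_places.last_visit_date)."""
    return EPOCH_1970 + timedelta(microseconds=us)


def decode_userassist_name(name):
    """UserAssist value names are ROT13-encoded; the hex letters of the GUID prefix rotate too."""
    return codecs.decode(name, "rot_13")


def parse_userassist_value(name, data):
    """Windows 7+ UserAssist value layout (72 bytes, assumed here): run count at
    offset 4, focus count at 8, focus time in ms at 12, last-run FILETIME at 60."""
    if len(data) != 72:
        raise ValueError(f"unexpected UserAssist value length {len(data)}")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    last_run_ft = struct.unpack_from("<Q", data, 60)[0]
    return {
        "path": decode_userassist_name(name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        # A zero FILETIME means "never recorded", not 1601-01-01.
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


# Constructed sample: {1AC14E77-...}\cmd.exe run 7 times, last at 2024-01-16 10:05:00 UTC.
SAMPLE_LAST_RUN = datetime(2024, 1, 16, 10, 5, tzinfo=timezone.utc)
SAMPLE_NAME = "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr"
SAMPLE_VALUE = (struct.pack("<IIII", 0, 7, 3, 120000) + b"\x00" * 44
                + struct.pack("<Q", datetime_to_filetime(SAMPLE_LAST_RUN)) + b"\x00" * 4)

if __name__ == "__main__":
    print(parse_userassist_value(SAMPLE_NAME, SAMPLE_VALUE))
```

With python-registry the loop that the section breaks off at would call `parse_userassist_value(value.name(), value.value())` for each value under a `Count` subkey, skipping the `UEME_CTLSESSION` bookkeeping entry, which has a different length and is rejected by the length check. Keeping every artifact in UTC through these helpers is what makes a UserAssist last-run time comparable with the Prefetch, browser and event-log times collected in the earlier sections.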