Digital Forensics

detecting-lateral-movement-with-zeek is a Zeek-based cybersecurity skill for threat hunting and incident response. It helps detect SMB admin share access, DCE/RPC service creation, NTLM spray, Kerberos anomalies, and suspicious internal transfers using Zeek logs such as conn.log, smb_mapping.log, smb_files.log, dce_rpc.log, ntlm.log, and kerberos.log.

analyzing-windows-shellbag-artifacts helps DFIR analysts interpret Windows Shellbag registry artifacts to reconstruct folder browsing, deleted-folder access, removable media use, and network share activity with SBECmd and ShellBags Explorer. It is a practical analyzing-windows-shellbag-artifacts guide for incident response and forensics.

analyzing-android-malware-with-apktool is a static analysis skill for Android APK malware. It uses apktool, jadx, and androguard to unpack apps, inspect manifests and permissions, recover source-like code, and extract suspicious APIs and IOCs for Malware Analysis.

detecting-rootkit-activity is a Malware Analysis skill for finding rootkit indicators such as hidden processes, hooked system calls, altered kernel structures, hidden modules, and covert network artifacts. It uses cross-view comparison and integrity checks to help validate suspicious hosts when standard tools disagree.

analyzing-usb-device-connection-history helps investigate USB device connection history on Windows using registry hives, event logs, and setupapi.dev.log for Digital Forensics, insider threat work, and incident response. It supports timeline reconstruction, device correlation, and removable-media evidence analysis.

analyzing-browser-forensics-with-hindsight helps Digital Forensics teams analyze Chromium browser artifacts with Hindsight, including history, downloads, cookies, autofill, bookmarks, saved credentials metadata, cache, and extensions. Use it to reconstruct web activity, review timelines, and investigate Chrome, Edge, Brave, and Opera profiles.

analyzing-bootkit-and-rootkit-samples is a malware analysis skill for MBR, VBR, UEFI, and rootkit investigations. Use it to inspect boot sectors, firmware modules, and anti-rootkit indicators when compromise persists below the OS layer. It is suited for analysts who need a practical guide, clear workflow, and evidence-based triage for Malware Analysis.

building-incident-timeline-with-timesketch helps DFIR teams build collaborative incident timelines in Timesketch by ingesting Plaso, CSV, or JSONL evidence, normalizing timestamps, correlating events, and documenting attack chains for incident triage and reporting.

analyzing-malware-persistence-with-autoruns is a Sysinternals Autoruns skill for malware analysis. It helps you inspect Windows persistence in Run keys, services, scheduled tasks, Winlogon, drivers, and WMI, using a repeatable workflow with CSV exports, suspicious-entry review, and report-ready findings.

hunting-advanced-persistent-threats is a threat-hunting skill for detecting APT-style activity across endpoint, network, and memory telemetry. It helps analysts build hypothesis-driven hunts, map findings to MITRE ATT&CK, and turn threat intel into practical queries and investigation steps instead of ad hoc searches.

extracting-windows-event-logs-artifacts helps you extract, parse, and analyze Windows Event Logs (EVTX) for digital forensics, incident response, and threat hunting. It supports structured review of logons, process creation, service installs, scheduled tasks, privilege changes, and log clearing with Chainsaw, Hayabusa, and EvtxECmd.

extracting-memory-artifacts-with-rekall guide for analyzing Windows memory images with Rekall. Learn install and usage patterns to find hidden processes, injected code, suspicious VADs, loaded DLLs, and network activity for Digital Forensics.

The extracting-credentials-from-memory-dump skill helps analyze Windows memory dumps for NTLM hashes, LSA secrets, Kerberos material, and tokens using Volatility 3 and pypykatz workflows. It is built for Digital Forensics and incident response when you need defensible evidence, account impact, and remediation guidance from a valid dump.

extracting-iocs-from-malware-samples skill guide for malware analysis: extract hashes, IPs, domains, URLs, host artifacts, and validation cues from samples for threat intel and detection.

extracting-config-from-agent-tesla-rat skill for Malware Analysis: extract Agent Tesla .NET config, SMTP/FTP/Telegram credentials, keylogger settings, and C2 endpoints with repeatable workflow guidance.

extracting-browser-history-artifacts is a Digital Forensics skill for extracting browser history, cookies, cache, downloads, and bookmarks from Chrome, Firefox, and Edge. Use it to turn browser profile files into timeline-ready evidence with repeatable, case-focused workflow guidance.

eradicating-malware-from-infected-systems is a cybersecurity incident response skill for removing malware, backdoors, and persistence mechanisms after containment. It includes workflow guidance, reference files, and scripts for Windows and Linux cleanup, credential rotation, root-cause remediation, and validation.

The detecting-wmi-persistence skill helps threat hunters and DFIR analysts detect WMI event subscription persistence in Windows telemetry using Sysmon Event IDs 19, 20, and 21. Use it to identify malicious EventFilter, EventConsumer, and FilterToConsumerBinding activity, validate findings, and separate attacker persistence from benign admin automation.

The detecting-stuxnet-style-attacks skill helps defenders detect Stuxnet-like OT and ICS intrusion patterns, including PLC logic tampering, spoofed sensor data, engineering workstation compromise, and IT-to-OT lateral movement. Use it for threat hunting, incident triage, and process-integrity monitoring with protocol, host, and process evidence.

detecting-process-injection-techniques helps analyze suspicious in-memory activity, validate EDR alerts, and identify process hollowing, APC injection, thread hijacking, reflective loading, and classic DLL injection for Security Audit and malware triage.

detecting-arp-poisoning-in-network-traffic helps detect ARP spoofing in live traffic or PCAPs using ARPWatch, Dynamic ARP Inspection, Wireshark, and Python checks. Built for incident response, SOC triage, and repeatable analysis of IP-to-MAC changes, gratuitous ARPs, and MITM indicators.

analyzing-outlook-pst-for-email-forensics is a digital forensics skill for examining Outlook PST and OST files for message content, headers, attachments, deleted items, timestamps, and metadata. It supports email evidence review, timeline reconstruction, and defensible investigation workflows for incident response and legal cases.

analyzing-packed-malware-with-upx-unpacker is a malware-analysis skill for identifying UPX-packed samples, handling modified UPX headers, and recovering the original executable for static review in Ghidra or IDA. Use it when `upx -d` fails or when you need a faster UPX packer check and unpacking workflow.

analyzing-network-traffic-for-incidents helps incident responders analyze PCAPs, flow logs, and packet captures to confirm C2, lateral movement, exfiltration, and exploitation attempts. Built for analyzing-network-traffic-for-incidents for Incident Response with Wireshark, Zeek, and NetFlow-style investigation.