Dfir

Dfir taxonomy generated by the site skill importer.

8 skills
building-incident-timeline-with-timesketch

by mukul975

building-incident-timeline-with-timesketch helps DFIR teams build collaborative incident timelines in Timesketch by ingesting Plaso, CSV, or JSONL evidence, normalizing timestamps, correlating events, and documenting attack chains for incident triage and reporting.

Incident Triage
eradicating-malware-from-infected-systems

by mukul975

eradicating-malware-from-infected-systems is a cybersecurity incident response skill for removing malware, backdoors, and persistence mechanisms after containment. It includes workflow guidance, reference files, and scripts for Windows and Linux cleanup, credential rotation, root-cause remediation, and validation.

Incident Response
detecting-wmi-persistence

by mukul975

The detecting-wmi-persistence skill helps threat hunters and DFIR analysts detect WMI event subscription persistence in Windows telemetry using Sysmon Event IDs 19, 20, and 21. Use it to identify malicious EventFilter, EventConsumer, and FilterToConsumerBinding activity, validate findings, and separate attacker persistence from benign admin automation.

Threat Hunting
analyzing-malicious-pdf-with-peepdf

by mukul975

analyzing-malicious-pdf-with-peepdf is a static malware analysis skill for suspicious PDFs. Use peepdf, pdfid, and pdf-parser to triage phishing attachments, inspect objects, extract embedded JavaScript or shellcode, and review suspicious streams safely without execution.

Malware Analysis
conducting-memory-forensics-with-volatility

by mukul975

conducting-memory-forensics-with-volatility helps you analyze RAM dumps with Volatility 3 to find injected code, suspicious processes, network connections, credential theft, and hidden kernel activity. It is a practical skill for digital forensics and incident response triage.

Digital Forensics
analyzing-windows-prefetch-with-python

by mukul975

analyzing-windows-prefetch-with-python parses Windows Prefetch (.pf) files with windowsprefetch to reconstruct execution history, flag renamed or masquerading binaries, and support incident triage and malware analysis.

Incident Triage
analyzing-windows-amcache-artifacts

by mukul975

The analyzing-windows-amcache-artifacts skill parses Windows Amcache.hve data to recover evidence of program execution, installed software, device activity, and driver loading for DFIR and security audit workflows. It uses AmcacheParser and regipy-based guidance to support artifact extraction, SHA-1 correlation, and timeline review.

Security Audit
analyzing-mft-for-deleted-file-recovery

by mukul975

analyzing-mft-for-deleted-file-recovery helps recover deleted-file metadata and possible path or content evidence by analyzing NTFS $MFT records, $LogFile, $UsnJrnl, and MFT slack space. Built for DFIR and Security Audit workflows with MFTECmd, analyzeMFT, and X-Ways Forensics.

Security Audit