Forensics

analyzing-usb-device-connection-history helps investigate USB device connection history on Windows using registry hives, event logs, and setupapi.dev.log for Digital Forensics, insider threat work, and incident response. It supports timeline reconstruction, device correlation, and removable-media evidence analysis.

analyzing-browser-forensics-with-hindsight helps Digital Forensics teams analyze Chromium browser artifacts with Hindsight, including history, downloads, cookies, autofill, bookmarks, saved credentials metadata, cache, and extensions. Use it to reconstruct web activity, review timelines, and investigate Chrome, Edge, Brave, and Opera profiles.

analyzing-bootkit-and-rootkit-samples is a malware analysis skill for MBR, VBR, UEFI, and rootkit investigations. Use it to inspect boot sectors, firmware modules, and anti-rootkit indicators when compromise persists below the OS layer. It is suited for analysts who need a practical guide, clear workflow, and evidence-based triage for Malware Analysis.

building-incident-timeline-with-timesketch helps DFIR teams build collaborative incident timelines in Timesketch by ingesting Plaso, CSV, or JSONL evidence, normalizing timestamps, correlating events, and documenting attack chains for incident triage and reporting.

analyzing-supply-chain-malware-artifacts is a malware-analysis skill for tracing trojanized updates, poisoned dependencies, and build-pipeline tampering. Use it to compare trusted and untrusted artifacts, extract indicators, assess compromise scope, and report findings with less guesswork.

analyzing-ransomware-payment-wallets is a read-only blockchain-forensics skill for tracing ransomware payment wallets, following fund movement, and clustering related addresses for Security Audit and incident response. Use it when you have a BTC address, tx hash, or suspected wallet and need evidence-backed attribution support.

analyzing-ransomware-encryption-mechanisms skill for malware analysis, focused on identifying ransomware encryption, key handling, and decryption feasibility. Use it to inspect AES, RSA, ChaCha20, hybrid schemes, and implementation flaws that may support recovery.

analyzing-ransomware-leak-site-intelligence helps monitor ransomware data leak sites, extract victim and group signals, and produce structured threat intelligence for incident response, sector risk review, and adversary tracking.

extracting-windows-event-logs-artifacts helps you extract, parse, and analyze Windows Event Logs (EVTX) for digital forensics, incident response, and threat hunting. It supports structured review of logons, process creation, service installs, scheduled tasks, privilege changes, and log clearing with Chainsaw, Hayabusa, and EvtxECmd.

extracting-memory-artifacts-with-rekall guide for analyzing Windows memory images with Rekall. Learn install and usage patterns to find hidden processes, injected code, suspicious VADs, loaded DLLs, and network activity for Digital Forensics.

The extracting-credentials-from-memory-dump skill helps analyze Windows memory dumps for NTLM hashes, LSA secrets, Kerberos material, and tokens using Volatility 3 and pypykatz workflows. It is built for Digital Forensics and incident response when you need defensible evidence, account impact, and remediation guidance from a valid dump.

extracting-browser-history-artifacts is a Digital Forensics skill for extracting browser history, cookies, cache, downloads, and bookmarks from Chrome, Firefox, and Edge. Use it to turn browser profile files into timeline-ready evidence with repeatable, case-focused workflow guidance.

eradicating-malware-from-infected-systems is a cybersecurity incident response skill for removing malware, backdoors, and persistence mechanisms after containment. It includes workflow guidance, reference files, and scripts for Windows and Linux cleanup, credential rotation, root-cause remediation, and validation.

analyzing-linux-kernel-rootkits helps DFIR and threat-hunting workflows detect Linux kernel rootkits with Volatility3 cross-view checks, rkhunter scans, and /proc vs /sys analysis for hidden modules, hooked syscalls, and tampered kernel structures. It is a practical analyzing-linux-kernel-rootkits guide for forensic triage.

analyzing-linux-elf-malware helps analyze suspicious Linux ELF binaries for malware analysis, with guidance for architecture checks, strings, imports, static triage, and early indicators of botnets, miners, rootkits, ransomware, and container threats.

conducting-memory-forensics-with-volatility helps you analyze RAM dumps with Volatility 3 to find injected code, suspicious processes, network connections, credential theft, and hidden kernel activity. It is a practical conducting-memory-forensics-with-volatility skill for Digital Forensics and incident response triage.

conducting-malware-incident-response helps IR teams triage suspected malware, confirm infections, scope spread, contain endpoints, and support eradication and recovery. It is designed for conducting-malware-incident-response for Incident Response workflows with evidence-backed steps, telemetry-driven decisions, and practical containment guidance.

conducting-cloud-incident-response is a cloud incident response skill for AWS, Azure, and GCP. It focuses on identity-based containment, log review, resource isolation, and forensic evidence capture. Use it for suspicious API activity, compromised access keys, or cloud-hosted workload breaches when you need a practical conducting-cloud-incident-response guide.

analyzing-windows-registry-for-artifacts helps analysts extract evidence from Windows Registry hives to identify user activity, installed software, autoruns, USB history, and compromise indicators for incident response or Security Audit workflows.

The analyzing-windows-amcache-artifacts skill parses Windows Amcache.hve data to recover evidence of program execution, installed software, device activity, and driver loading for DFIR and security audit workflows. It uses AmcacheParser and regipy-based guidance to support artifact extraction, SHA-1 correlation, and timeline review.

analyzing-uefi-bootkit-persistence helps investigate UEFI-level persistence, including SPI flash implants, ESP tampering, Secure Boot bypasses, and suspicious UEFI variable changes. It is built for firmware triage, incident response, and analyzing-uefi-bootkit-persistence for Security Audit work with practical, evidence-driven guidance.

analyzing-powershell-empire-artifacts skill helps Security Audit teams detect PowerShell Empire artifacts in Windows logs using Script Block Logging, Base64 launcher patterns, stager IOCs, module signatures, and detection references for triage and rule writing.

analyzing-powershell-script-block-logging skill for parsing Windows PowerShell Script Block Logging Event ID 4104 from EVTX files, reconstructing split script blocks, and flagging obfuscated commands, encoded payloads, Invoke-Expression abuse, download cradles, and AMSI bypass attempts for Security Audit work.

analyzing-pdf-malware-with-pdfid is a PDF malware triage skill for detecting embedded JavaScript, exploit markers, object streams, attachments, and suspicious actions before opening a file. It supports static analysis for malicious PDF investigation, incident response, and analyzing-pdf-malware-with-pdfid for Security Audit workflows.