mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-05 23:38:57 +03:00
Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
@@ -0,0 +1,62 @@
# API Reference: Performing Disk Forensics Investigation

## pytsk3 Library (The Sleuth Kit Python Bindings)

| Class/Method | Description |
|--------------|-------------|
| `pytsk3.Img_Info(path)` | Open disk image (raw, E01, AFF) |
| `pytsk3.FS_Info(img_info)` | Parse file system from image |
| `fs.open_dir(path)` | Open directory for listing |
| `fs.open_file(path)` | Open file for reading content |
| `entry.info.meta` | Access file metadata (timestamps, size, flags) |
| `TSK_FS_META_FLAG_UNALLOC` | Flag indicating deleted/unallocated file |

## File Metadata Fields

| Field | Description |
|-------|-------------|
| `meta.crtime` | File creation time (NTFS) |
| `meta.mtime` | Last modification time |
| `meta.atime` | Last access time |
| `meta.ctime` | Metadata change time |
| `meta.size` | File size in bytes |
| `meta.addr` | Inode/MFT entry number |
| `meta.flags` | Allocation flags |

## NTFS MFT Structure

| Offset | Size | Description |
|--------|------|-------------|
| 0x00 | 4 bytes | Signature ("FILE") |
| 0x16 | 2 bytes | Flags (in-use, directory) |
| 0x1C | 4 bytes | Real size of MFT entry |

## Key Libraries

- **pytsk3** (`pip install pytsk3`): Python bindings for The Sleuth Kit
- **dfvfs** (`pip install dfvfs`): Digital Forensics Virtual File System
- **hashlib** (stdlib): Image integrity verification (MD5, SHA-256)
- **struct** (stdlib): Parse binary MFT entry headers

## CLI Tools (Reference)

| Tool | Description |
|------|-------------|
| `fls -r image.dd` | Recursively list files (TSK) |
| `icat image.dd inode` | Extract file by inode number |
| `mmls image.dd` | List disk partitions |
| `fsstat image.dd` | File system statistics |

## Configuration

| Variable | Description |
|----------|-------------|
| Image path | Path to forensic disk image (dd, E01, AFF) |
| MFT export | Exported $MFT file for NTFS-specific analysis |

## References

- [The Sleuth Kit](https://www.sleuthkit.org/)
- [pytsk3 Documentation](https://github.com/py4n6/pytsk)
- [Autopsy Digital Forensics](https://www.autopsy.com/)
- [SANS Forensics Poster](https://www.sans.org/posters/windows-forensic-analysis/)
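Review bot: The row `| 0x1C | 4 bytes | Real size of MFT entry |` in the "NTFS MFT Structure" table does not match the standard MFT entry header, where offset 0x18 holds the used ("real") size of the entry and 0x1C holds its allocated size; an agent that parses `$MFT` with `struct` using this table would read the wrong field. Suggest `| 0x18 | 4 bytes | Used (real) size of MFT entry |` and `| 0x1C | 4 bytes | Allocated size of MFT entry |`, and adding `| 0x14 | 2 bytes | Offset to first attribute |`, since walking attributes is not possible without it. Also, the `pytsk3.Img_Info(path)` description claims raw, E01 and AFF support, but that only holds when the underlying Sleuth Kit was built with libewf/afflib; with a plain pip-installed pytsk3 an E01 image needs pyewf and a custom `Img_Info` subclass, which the reference should state so the "Configuration" table's "dd, E01, AFF" promise does not mislead users of the agent.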