Add working example output to digital-forensics skills

Adds realistic example output sections to 10 digital forensics skills.
juliosuas
2026-03-19 03:05:56 -06:00
committed by GitHub
parent 1e98186845
commit cfa57cf8bf
10 changed files with 622 additions and 3 deletions
@@ -213,3 +213,60 @@ if __name__ == "__main__":
- Chrome Forensics Guide: https://allenace.medium.com/hindsight-chrome-forensics-made-simple-425db99fa5ed
- Browser Forensics Tools: https://www.cyberforensicacademy.com/blog/browser-forensics-tools-how-to-extract-user-activity
- Chromium Source (History): https://source.chromium.org/chromium/chromium/src/+/main:components/history/
## Example Output
```text
$ python hindsight.py -i /evidence/chrome-profile -o /analysis/hindsight_output
Hindsight v2024.01 - Chrome/Chromium Browser Forensic Analysis
================================================================
Profile: /evidence/chrome-profile (Chrome 120.0.6099.130)
OS: Windows 10
[+] Parsing History database...
URL records: 12,456
Download records: 234
Search terms: 567
[+] Parsing Cookies database...
Cookie records: 8,923
Encrypted cookies: 6,712
[+] Parsing Web Data (Autofill)...
Autofill entries: 1,234
Credit card entries: 2 (encrypted)
[+] Parsing Login Data...
Saved credentials: 45 (encrypted)
[+] Parsing Bookmarks...
Bookmark entries: 189
--- Browsing History (Last 10 Entries) ---
Timestamp (UTC) | URL | Title | Visit Count
2024-01-15 14:32:05.123 | https://mail.corporate.com/inbox | Corporate Mail | 45
2024-01-15 14:33:12.456 | https://drive.google.com/file/d/1aBcDe... | Q4_Financial_Report.xlsx | 1
2024-01-15 14:35:44.789 | https://mega.nz/folder/xYz123 | MEGA - Secure Cloud | 3
2024-01-15 14:36:01.234 | https://mega.nz/folder/xYz123#upload | MEGA - Upload | 8
2024-01-15 14:42:15.567 | https://pastebin.com/raw/kL9mN2pQ | Pastebin (raw) | 1
2024-01-15 15:01:33.890 | https://192.168.1.50:8443/admin | Admin Panel | 12
2024-01-15 15:15:22.111 | https://transfer.sh/upload | transfer.sh | 2
2024-01-15 15:30:45.222 | https://vpn-gateway.corporate.com | VPN Login | 5
2024-01-15 16:00:00.333 | https://whatismyipaddress.com | What Is My IP | 1
2024-01-15 16:05:12.444 | https://protonmail.com/inbox | ProtonMail | 3
--- Downloads (Suspicious) ---
Timestamp (UTC) | Filename | URL Source | Size
2024-01-15 14:33:15.000 | Q4_Financial_Report.xlsm | https://phish-domain.com/docs/report | 245 KB
2024-01-15 14:34:02.000 | update_client.exe | https://cdn.evil-updates.com/client.exe | 1.2 MB
--- Cookies (Session Tokens) ---
Domain | Name | Expires | Secure | HttpOnly
.corporate.com | SESSION_ID | 2024-01-16 14:32 | Yes | Yes
.mega.nz | session | Session | Yes | Yes
.protonmail.com | AUTH-TOKEN | 2024-02-15 00:00 | Yes | Yes
Report saved to: /analysis/hindsight_output/Hindsight_Report.xlsx
```
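Review bot: the history and downloads tables in this example disagree about the same file. The history row for `Q4_Financial_Report.xlsx` is served from `drive.google.com` at 14:33:12, but the downloads row three seconds later records `Q4_Financial_Report.xlsm` from `https://phish-domain.com/docs/report`, a URL that never appears in the history; Chrome's downloads table keeps the tab and referrer URL, so a reader cross-checking the two will find the example internally inconsistent. Either add the phish-domain visit to the history rows or make the download source the Drive URL. Two smaller points: "Browsing History (Last 10 Entries)" is listed oldest-first, so say so or reverse the order; and since the sample is presented as realistic, prefer RFC 2606 names (`corporate.example`, `phish-domain.example`) over registrable `.com` domains so nobody copies them into a blocklist.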
@@ -40,3 +40,73 @@ Run rkhunter and chkrootkit to detect known rootkit signatures, suspicious files
## Expected Output
JSON report containing detected syscall hooks, hidden kernel modules, modified IDT entries, suspicious /proc discrepancies, and rkhunter findings.
## Example Output
```text
$ sudo python3 rootkit_analyzer.py --memory /evidence/linux-mem.lime --profile Ubuntu2204
Linux Kernel Rootkit Analysis Report
=====================================
Memory Image: /evidence/linux-mem.lime
Kernel Version: 5.15.0-91-generic (Ubuntu 22.04 LTS)
Analysis Time: 2024-01-18 09:15:32 UTC
[+] Scanning syscall table for hooks...
Syscall Table Base: 0xffffffff82200300
Total syscalls checked: 449
HOOKED SYSCALLS DETECTED:
┌─────────┬──────────────────┬──────────────────────┬──────────────────────┐
│ NR │ Syscall │ Expected Address │ Current Address │
├─────────┼──────────────────┼──────────────────────┼──────────────────────┤
│ 0 │ sys_read │ 0xffffffff8139a0e0 │ 0xffffffffc0a12000 │
│ 2 │ sys_open │ 0xffffffff8139b340 │ 0xffffffffc0a12180 │
│ 78 │ sys_getdents64 │ 0xffffffff813f5210 │ 0xffffffffc0a12300 │
│ 62 │ sys_kill │ 0xffffffff8110c4a0 │ 0xffffffffc0a12480 │
└─────────┴──────────────────┴──────────────────────┴──────────────────────┘
WARNING: 4 syscall hooks detected - rootkit behavior confirmed
[+] Checking for hidden kernel modules...
Loaded modules (lsmod): 147
Modules in kobject list: 149
HIDDEN MODULES:
- "netfilter_helper" at 0xffffffffc0a10000 (size: 12288)
- "kworker_sched" at 0xffffffffc0a14000 (size: 8192)
[+] Scanning /proc for discrepancies...
Processes in task_struct list: 234
Processes visible in /proc: 231
HIDDEN PROCESSES:
- PID 31337 cmd: "[kworker/0:3]" (disguised as kernel thread)
- PID 31442 cmd: "rsyslogd" (fake, real rsyslogd is PID 892)
- PID 31500 cmd: "" (unnamed process)
[+] Checking IDT entries...
IDT entries scanned: 256
Modified entries: 0 (clean)
[+] Running rkhunter scan...
Checking for known rootkits: 68 variants checked
Diamorphine rootkit: WARNING - signatures match
System binary checks:
/usr/bin/ps: MODIFIED (SHA-256 mismatch)
/usr/bin/netstat: MODIFIED (SHA-256 mismatch)
/usr/bin/ls: MODIFIED (SHA-256 mismatch)
/usr/sbin/ss: OK
[+] Network analysis...
Hidden connections (not in /proc/net/tcp):
ESTABLISHED 0.0.0.0:0 -> 198.51.100.47:4443 (PID 31337)
ESTABLISHED 0.0.0.0:0 -> 198.51.100.47:8080 (PID 31442)
Summary:
Rootkit Type: Loadable Kernel Module (LKM)
Probable Family: Diamorphine variant
Syscall Hooks: 4 (read, open, getdents64, kill)
Hidden Modules: 2
Hidden Processes: 3
Hidden Connections: 2 (C2: 198.51.100.47)
Modified Binaries: 3 (/usr/bin/ps, netstat, ls)
Risk Level: CRITICAL
```
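Review bot: the syscall table is wrong for the stated platform. On x86_64 (the only architecture on which the other addresses make sense) syscall 78 is `getdents`, and `getdents64` is 217; the row `│ 78 │ sys_getdents64 │ …` should use NR 217, or the name should be `sys_getdents`. The hidden-connection lines are also not valid socket tuples: an ESTABLISHED TCP connection cannot have `0.0.0.0:0` as its local endpoint, so give it a local address and ephemeral port (for example `10.0.0.23:51422 -> 198.51.100.47:4443`). Using 198.51.100.0/24 for the C2 address is the right choice; keep that.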
@@ -189,3 +189,74 @@ Recent research (IEEE 2025) shows that Windows 11 produces different LNK and Jum
- Magnet Forensics LNK Analysis: https://www.magnetforensics.com/blog/forensic-analysis-of-lnk-files/
- Jump Lists Forensics 2025: https://www.cybertriage.com/blog/jump-list-forensics-2025/
- Eric Zimmerman's LECmd/JLECmd: https://ericzimmerman.github.io/
## Example Output
```text
$ LECmd.exe -d "C:\Evidence\Users\jsmith\AppData\Roaming\Microsoft\Windows\Recent" --csv /analysis/lnk_output
LECmd v1.11.0 - LNK File Parser
================================
Processing 47 LNK files...
--- LNK File: Q4_Report.xlsx.lnk ---
Source: C:\Evidence\Users\jsmith\Recent\Q4_Report.xlsx.lnk
Target Path: C:\Users\jsmith\Downloads\Q4_Report.xlsm
Target Created: 2024-01-15 14:33:45 UTC
Target Modified: 2024-01-15 14:33:45 UTC
Target Accessed: 2024-01-15 14:35:12 UTC
File Size: 251,904 bytes
Drive Type: Fixed (C:)
Volume Serial: A4E7-3F21
Machine ID: DESKTOP-J5M1TH
MAC Address: 48:2A:E3:5C:9B:01
--- LNK File: update_client.exe.lnk ---
Source: C:\Evidence\Users\jsmith\Recent\update_client.exe.lnk
Target Path: C:\ProgramData\Updates\update_client.exe
Target Created: 2024-01-15 14:34:02 UTC
Target Modified: 2024-01-15 14:34:02 UTC
Target Accessed: 2024-01-15 14:36:30 UTC
File Size: 1,258,496 bytes
Drive Type: Fixed (C:)
Volume Serial: A4E7-3F21
Machine ID: DESKTOP-J5M1TH
Working Dir: C:\ProgramData\Updates
Arguments: --silent --no-update-check
Run Window: Hidden
======================================================================
$ JLECmd.exe -d "C:\Evidence\Users\jsmith\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv /analysis/jumplist_output
JLECmd v1.5.0 - Jump List Parser
==================================
Processing 23 AutomaticDestinations files...
--- Application: Microsoft Excel (AppID: 12dc1ea8e34b5a6) ---
Entries: 15
Most Recent:
Entry 0: C:\Users\jsmith\Downloads\Q4_Report.xlsm (2024-01-15 14:35:12 UTC)
Entry 1: \\FILESERV01\Finance\Budget_2024.xlsx (2024-01-14 09:22:30 UTC)
Entry 2: C:\Users\jsmith\Documents\Expenses\Dec2023.xlsx (2024-01-10 16:45:00 UTC)
--- Application: Windows Explorer (AppID: f01b4d95cf55d32a) ---
Entries: 28
Most Recent:
Entry 0: C:\ProgramData\Updates\ (2024-01-15 14:36:25 UTC)
Entry 1: E:\Backup\ (2024-01-15 15:30:00 UTC)
Entry 2: \\FILESERV01\HR\Employees\ (2024-01-15 16:12:45 UTC)
--- Application: cmd.exe (AppID: 9b9cdc69c1c24e2b) ---
Entries: 5
Most Recent:
Entry 0: C:\Windows\System32\cmd.exe (2024-01-15 14:36:00 UTC)
Summary:
Total LNK files processed: 47
Total Jump List entries: 156
Suspicious artifacts: 3 (hidden window execution, USB drive access, network shares)
CSV exported to: /analysis/lnk_output/ and /analysis/jumplist_output/
```
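Review bot: the first LNK entry is named `Q4_Report.xlsx.lnk` but its target is `C:\Users\jsmith\Downloads\Q4_Report.xlsm`. Windows names shortcuts in the Recent folder after the target's full filename, so the shortcut for an `.xlsm` target would be `Q4_Report.xlsm.lnk`; the mismatch will be read as an error rather than as a clue. One style point that recurs across this commit: `LECmd.exe` and `JLECmd.exe` are run on Windows, but `--csv /analysis/lnk_output` is a POSIX path; use a Windows output path (for example `--csv C:\Analysis\lnk_output`) for consistency with the `-d` argument.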
@@ -186,3 +186,46 @@ vssadmin list shadows
- MFT Slack Space Forensic Value: https://www.sygnia.co/blog/the-forensic-value-of-mft-slack-space/
- MFTECmd Documentation: https://ericzimmerman.github.io/
- SANS FOR500: Windows Forensic Analysis
## Example Output
```text
$ MFTECmd.exe -f "C:\Evidence\$MFT" --csv /analysis/mft_output
MFTECmd v1.2.2 - MFT Parser
==============================
Input: C:\Evidence\$MFT (Size: 384 MB)
Total MFT Entries: 395,264
Parsing MFT entries... Done (12.4 seconds)
--- Deleted File Recovery Summary ---
Total Entries: 395,264
Active Files: 245,832
Deleted Files: 149,432
Recoverable: 87,234 (resident data or clusters not reallocated)
Partially Recoverable: 31,456 (some clusters overwritten)
Unrecoverable: 30,742 (all clusters reallocated)
--- Recently Deleted Files (Incident Window: 2024-01-15 to 2024-01-18) ---
MFT Entry | Filename | Path | Size | Deleted (UTC) | Recoverable
----------|-----------------------------------|------------------------------------|-----------|-----------------------|------------
148923 | exfil_tool.exe | C:\ProgramData\Updates\ | 1,258,496 | 2024-01-17 02:45:12 | YES
148924 | exfil_tool.log | C:\ProgramData\Updates\ | 45,312 | 2024-01-17 02:45:14 | YES
149001 | passwords.txt | C:\Users\jsmith\Desktop\ | 2,048 | 2024-01-17 02:50:33 | YES
149150 | scan_results.csv | C:\Users\jsmith\AppData\Local\Temp | 892,416 | 2024-01-17 03:00:01 | PARTIAL
149200 | mimikatz.exe | C:\Windows\Temp\ | 1,250,816 | 2024-01-18 01:15:22 | YES
149201 | sekurlsa.log | C:\Windows\Temp\ | 32,768 | 2024-01-18 01:15:25 | YES
149302 | .bash_history | C:\Users\jsmith\ | 4,096 | 2024-01-18 03:00:00 | NO
149400 | ClearEventLogs.ps1 | C:\Windows\Temp\ | 1,536 | 2024-01-18 03:01:12 | YES
--- $STANDARD_INFORMATION vs $FILE_NAME Timestamp Analysis (Timestomping Detection) ---
MFT Entry | Filename | $SI Created | $FN Created | Delta | Verdict
----------|---------------------|----------------------|----------------------|-----------|----------
148923 | exfil_tool.exe | 2023-06-15 10:00:00 | 2024-01-15 14:34:02 | -214 days | TIMESTOMPED
149200 | mimikatz.exe | 2022-01-01 00:00:00 | 2024-01-16 02:30:15 | -745 days | TIMESTOMPED
Recovered files exported to: /analysis/mft_output/recovered/
Full CSV report: /analysis/mft_output/mft_analysis.csv (395,264 rows)
Timeline CSV: /analysis/mft_output/mft_timeline.csv
```
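Review bot: the "Deleted (UTC)" column cannot come from parsing `$MFT`. NTFS does not store a deletion timestamp; a deleted entry keeps its last $STANDARD_INFORMATION and $FILE_NAME times and is flagged as not in use, and MFTECmd reports exactly that (an `InUse` flag plus the eight timestamps). A deletion time comes from `$UsnJrnl:$J` (FileDelete reason codes) or `$LogFile`, so either rename the column to what it is (e.g. `$SI Modified`) or state that the timeline is merged with a `$J` parse. Likewise "Recovered files exported to: /analysis/mft_output/recovered/" overstates the tool: MFTECmd parses metadata and does not carve file contents, so that line belongs to a separate recovery step or should be dropped. The timestomping table is fine: a `$SI` Created earlier than `$FN` Created with the deltas shown (-214 and -745 days) is the standard indicator.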
@@ -239,3 +239,86 @@ Key headers for forensic investigation:
- libpff Documentation: https://github.com/libyal/libpff
- PST File Format Specification: https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-pst/
- SANS Email Forensics: https://www.sans.org/blog/email-forensics/
## Example Output
```text
$ pffexport /evidence/jsmith_archive.pst -t /analysis/pst_output
pffexport 20231205 - libpff PST/OST Export Tool
=================================================
Input: /evidence/jsmith_archive.pst (2.3 GB)
Exporting PST contents...
Folders: 45
Messages: 12,456
Attachments: 3,234
Contacts: 567
Calendar: 234
Tasks: 89
Export completed in 3m 42s.
$ python3 pst_analyzer.py /analysis/pst_output /analysis/email_report
PST Forensic Analysis Report
==============================
Source: jsmith_archive.pst (john.smith@corporate.com)
Date Range: 2023-06-01 to 2024-01-18
--- Mailbox Statistics ---
Total Emails: 12,456
Sent: 4,567
Received: 7,889
With Attachments: 3,234
Deleted (recovered): 234
--- Phishing / Suspicious Emails ---
Email #8923
Date: 2024-01-15 14:30:22 UTC
From: "IT Support" <it-support@c0rporate-help.com>
To: john.smith@corporate.com
Subject: Urgent: Password Reset Required
Headers:
Return-Path: bounce@mail-relay.c0rporate-help.com
X-Originating-IP: 203.0.113.55
Received: from mail-relay.c0rporate-help.com (203.0.113.55)
SPF: FAIL (domain c0rporate-help.com)
DKIM: NONE
DMARC: FAIL
Attachments:
- Password_Reset_Form.xlsm (245 KB) SHA-256: 7a3b8c9d...e1f2a3b4
Body Preview: "Dear Employee, Your password will expire in 24 hours.
Please open the attached form to reset your credentials..."
--- Data Exfiltration Indicators ---
Email #9102
Date: 2024-01-16 03:15:45 UTC
From: john.smith@corporate.com
To: j.smith.personal8842@protonmail.com
Subject: (no subject)
Attachments:
- archive_part1.7z (24.5 MB) - encrypted
- archive_part2.7z (24.5 MB) - encrypted
Email #9103
Date: 2024-01-16 03:18:22 UTC
From: john.smith@corporate.com
To: j.smith.personal8842@protonmail.com
Subject: Re:
Attachments:
- archive_part3.7z (18.2 MB) - encrypted
--- Keyword Hits ---
"confidential": 45 emails
"password": 23 emails
"transfer": 12 emails
"resign": 3 emails
"delete evidence": 1 email (Email #9200, 2024-01-17 22:30:00 UTC)
Summary:
Phishing emails detected: 1 (initial compromise vector)
Suspicious sent emails: 5 (to personal accounts with attachments)
Encrypted attachments: 3 (67.2 MB total - possible exfiltration)
Report: /analysis/email_report/pst_forensic_report.json
```
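Review bot: the `pffexport` invocation shown will not produce the "Deleted (recovered): 234" figure. pffexport's default export mode (`-m items`) exports only allocated items; recovered (deleted) items require `-m recovered` or `-m all`, so add the flag to the command if the report is meant to include them. The second tool, `pst_analyzer.py`, is not introduced anywhere in the skill text visible here; add a sentence saying what it is, or fold its output into the skill's own script. Minor: the `Body Preview:` value is wrapped across two lines inside the quotes, and the sender domain `c0rporate-help.com` is a registrable name, so use `.example`.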
@@ -16,3 +16,51 @@ license: Apache-2.0
Extract execution evidence from Amcache.hve including application paths,
SHA-1 hashes, timestamps, and publisher metadata for DFIR investigations.
## Example Output
```text
$ AmcacheParser.exe -f "C:\Evidence\Amcache.hve" --csv /analysis/amcache_output
AmcacheParser v1.5.1 - Amcache.hve Parser
============================================
Input: C:\Evidence\Amcache.hve (12.4 MB)
Last Write Time: 2024-01-18 23:59:45 UTC
[+] Parsing File entries... Found: 4,567
[+] Parsing Program entries... Found: 234
[+] Parsing Driver entries... Found: 189
[+] Parsing Device Container entries Found: 45
[+] Parsing Shortcut entries... Found: 312
--- Unassociated File Entries (No Known Publisher) ---
SHA-1 | Path | Name | Size | First Run (UTC) | Publisher
--------------------|-----------------------------------------------|-------------------|-----------|-----------------------|----------
a1b2c3d4e5f6a7b8...| C:\ProgramData\Updates\ | update_client.exe | 1,258,496 | 2024-01-15 14:36:30 | (none)
b2c3d4e5f6a7b8c9...| C:\Windows\Temp\ | mimikatz.exe | 1,250,816 | 2024-01-16 02:30:15 | (none)
c3d4e5f6a7b8c9d0...| C:\Windows\Temp\ | procdump64.exe | 421,376 | 2024-01-16 02:28:00 | Sysinternals
d4e5f6a7b8c9d0e1...| C:\ProgramData\svc\ | updater.exe | 345,088 | 2024-01-15 14:37:00 | (none)
e5f6a7b8c9d0e1f2...| C:\Users\jsmith\AppData\Local\Temp\ | psexec.exe | 834,936 | 2024-01-16 02:40:00 | Sysinternals
f6a7b8c9d0e1f2a3...| C:\Users\jsmith\Downloads\ | netscan.exe | 512,000 | 2024-01-15 15:10:22 | (none)
--- Program Entries (Recently Installed) ---
Name | Version | Publisher | Install Date | Source
------------------------|---------------|------------------------|-----------------|--------
PuTTY | 0.80 | Simon Tatham | 2024-01-14 | MSI
WinSCP | 6.1.2 | Martin Prikryl | 2024-01-14 | MSI
7-Zip | 23.01 | Igor Pavlov | 2024-01-15 | MSI
(Unknown) | (Unknown) | (none) | 2024-01-15 | Manual
--- Driver Entries (Suspicious) ---
Name | SHA-1 | Signer | Install Date
------------------------|---------------------|-----------------------|-------------
WinDivert64.sys | 1a2b3c4d5e6f... | (self-signed) | 2024-01-15
npf.sys | 2b3c4d5e6f7a... | Nmap Project | 2024-01-15
Summary:
Total execution artifacts: 4,567
Unsigned/suspicious entries: 6
Recently installed programs: 4 (2 suspicious)
Suspicious drivers: 2
CSV exported to: /analysis/amcache_output/
```
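Review bot: the section heading "Unassociated File Entries (No Known Publisher)" contradicts its own rows: `procdump64.exe` and `psexec.exe` list `Sysinternals` as publisher. Either retitle the section (e.g. "File Entries of Interest") or move the two Sysinternals rows out. The "First Run (UTC)" column also overstates what Amcache records: on Windows 10 the `InventoryApplicationFile` value is the registry key's last-write time (AmcacheParser's `FileKeyLastWriteTimestamp`), which is not proof of execution; label it as such so the skill does not teach a false inference. Small things: the line `[+] Parsing Device Container entries Found: 45` is missing the `...` the other progress lines have, and the Windows tool is again given a POSIX `--csv /analysis/...` path.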
@@ -37,3 +37,54 @@ Reconstruct chronological execution timeline from all Prefetch files.
## Expected Output
JSON report with execution history, suspicious executables, renamed binary indicators, and timeline reconstruction.
## Example Output
```text
$ python3 prefetch_analyzer.py --dir /evidence/Windows/Prefetch --output /analysis/prefetch_report
Windows Prefetch Analyzer v2.1
================================
Source: /evidence/Windows/Prefetch/
Prefetch Format: Windows 10 (MAM compressed, version 30)
Files Found: 234
--- Execution Timeline (Incident Window: 2024-01-15 to 2024-01-18) ---
Last Executed (UTC) | Run Count | Filename | Hash | Path
------------------------|-----------|-----------------------------|----------|------------------------------------------
2024-01-15 14:33:15 | 1 | Q4_REPORT.XLSM-2A1B3C4D.pf | 2A1B3C4D | C:\Users\jsmith\Downloads\Q4_Report.xlsm
2024-01-15 14:35:44 | 1 | POWERSHELL.EXE-A2B3C4D5.pf | A2B3C4D5 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2024-01-15 14:36:30 | 3 | UPDATE_CLIENT.EXE-B3C4D5E6.pf| B3C4D5E6| C:\ProgramData\Updates\update_client.exe
2024-01-15 15:10:22 | 1 | NETSCAN.EXE-C4D5E6F7.pf | C4D5E6F7 | C:\Users\jsmith\Downloads\netscan.exe
2024-01-16 02:28:00 | 1 | PROCDUMP64.EXE-D5E6F7A8.pf | D5E6F7A8 | C:\Windows\Temp\procdump64.exe
2024-01-16 02:30:15 | 2 | MIMIKATZ.EXE-E6F7A8B9.pf | E6F7A8B9 | C:\Windows\Temp\mimikatz.exe
2024-01-16 02:40:00 | 4 | PSEXEC.EXE-F7A8B9C0.pf | F7A8B9C0 | C:\Users\jsmith\AppData\Local\Temp\psexec.exe
2024-01-17 02:45:00 | 1 | SDELETE64.EXE-A8B9C0D1.pf | A8B9C0D1 | C:\Windows\Temp\sdelete64.exe
2024-01-18 03:00:45 | 1 | WEVTUTIL.EXE-B9C0D1E2.pf | B9C0D1E2 | C:\Windows\System32\wevtutil.exe
--- Renamed Binary Detection ---
ALERT: UPDATE_CLIENT.EXE loaded DLLs consistent with Cobalt Strike beacon:
Referenced DLLs: wininet.dll, ws2_32.dll, advapi32.dll, dnsapi.dll, netapi32.dll
Volume: \VOLUME{01d94f2a3b5c7d8e-A4E73F21} (C:)
Directories referenced:
C:\ProgramData\Updates\
C:\Windows\System32\
--- Execution Frequency Analysis ---
Most Executed (Top 5):
1. SVCHOST.EXE (267 runs)
2. CHROME.EXE (189 runs)
3. EXPLORER.EXE (156 runs)
4. RUNTIMEBROKER.EXE (134 runs)
5. OUTLOOK.EXE (98 runs)
First-Time Executions (Never seen before incident window):
6 executables first run between 2024-01-15 and 2024-01-18
Summary:
Total prefetch files: 234
Suspicious executables: 6
Renamed binary indicators: 1 (update_client.exe)
Anti-forensics tools: 2 (sdelete64.exe, wevtutil.exe)
JSON report: /analysis/prefetch_report/prefetch_timeline.json
```
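Review bot: the row `Q4_REPORT.XLSM-2A1B3C4D.pf` cannot exist. Prefetch files are created for executables launched by the loader, not for documents; opening the workbook would update `EXCEL.EXE-<hash>.pf`, with `Q4_Report.xlsm` appearing among that file's referenced files. Replace the row with an `EXCEL.EXE` entry and move the document path into its referenced-files list. The `UPDATE_CLIENT.EXE` row also has its columns misaligned (`.pf| B3C4D5E6|`), which matters for a table readers will copy into their own reports.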
@@ -77,7 +77,7 @@ ShellBagsExplorer.exe
### Proving USB Device Browsing
```
```text
Shellbag Path: My Computer\E:\Confidential\Project_Files
ShellType: Directory (on removable volume)
CreatedOn: 2025-03-15 09:30:00 UTC
@@ -90,7 +90,7 @@ with USBSTOR and MountPoints2 registry entries.
### Detecting Network Share Access
```
```text
Shellbag Path: \\FileServer01\Finance\Q4_Reports
ShellType: Network Location
AccessedOn: 2025-02-20 14:15:00 UTC
@@ -101,7 +101,7 @@ the share has been decommissioned or access revoked.
### Identifying Deleted Folder Knowledge
```
```text
Shellbag Path: C:\Users\suspect\Documents\Exfiltration_Staging
ShellType: Directory
CreatedOn: 2025-01-10 08:00:00 UTC
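Review bot: the three fence changes in this file (USB browsing, network share access, deleted folder knowledge) are consistent and `text` is the right tag for sample tool output. One style point: these samples are dated 2025 and use the user `suspect`, while the Example Output added lower in the same file is dated January 2024 and uses `jsmith`; if the samples are meant to be the same worked case, align the dates and user, otherwise a short sentence saying they are independent snippets would avoid the confusion.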
@@ -126,3 +126,60 @@ created and navigated to this folder.
- SANS Shellbag Forensics: https://www.sans.org/blog/computer-forensic-artifacts-windows-7-shellbags
- Magnet Forensics Shellbag Analysis: https://www.magnetforensics.com/blog/forensic-analysis-of-windows-shellbags/
- ShellBags Explorer: https://ericzimmerman.github.io/
## Example Output
```text
$ SBECmd.exe -d "C:\Evidence\Users\jsmith" --csv /analysis/shellbag_output
SBECmd v2.1.0 - ShellBags Explorer (Command Line)
====================================================
Processing hives for user: jsmith
NTUSER.DAT: C:\Evidence\Users\jsmith\NTUSER.DAT
UsrClass.dat: C:\Evidence\Users\jsmith\AppData\Local\Microsoft\Windows\UsrClass.dat
[+] NTUSER.DAT shellbag entries: 456
[+] UsrClass.dat shellbag entries: 1,234
[+] Total shellbag entries: 1,690
--- Folder Access Timeline (Incident Window) ---
Last Accessed (UTC) | Folder Path | Type | Access Count
------------------------|---------------------------------------------------------|-------------|-------------
2024-01-15 14:34:05 | C:\Users\jsmith\Downloads | File System | 45
2024-01-15 14:36:25 | C:\ProgramData\Updates | File System | 3
2024-01-15 15:05:00 | \\FILESERV01\Finance | Network | 2
2024-01-15 15:12:30 | \\FILESERV01\Finance\Q4_Reports | Network | 1
2024-01-15 15:30:00 | E:\ | Removable | 4
2024-01-15 15:30:45 | E:\Backup | Removable | 3
2024-01-15 15:31:20 | E:\Backup\Corporate_Data | Removable | 2
2024-01-15 16:12:45 | \\FILESERV01\HR\Employees | Network | 1
2024-01-15 16:15:00 | \\FILESERV01\HR\Employees\Records_2024 | Network | 1
2024-01-16 02:35:00 | C:\Windows\Temp | File System | 5
2024-01-17 02:44:00 | C:\ProgramData\svc | File System | 2
2024-01-18 01:10:00 | C:\Users\jsmith\AppData\Local\Temp | File System | 8
--- Network Share Access ---
\\FILESERV01\Finance First: 2023-09-10 Last: 2024-01-15
\\FILESERV01\Finance\Q4_Reports First: 2024-01-15 Last: 2024-01-15 (NEW)
\\FILESERV01\HR\Employees First: 2024-01-15 Last: 2024-01-15 (NEW)
\\DC01\SYSVOL First: 2023-03-15 Last: 2024-01-16 (anomalous access time)
--- Removable Device Access ---
E:\ (USB Drive)
Volume Name: BACKUP_DRIVE
First Accessed: 2024-01-15 15:30:00 UTC
Last Accessed: 2024-01-15 15:45:22 UTC
Folders Browsed: 3 (E:\, E:\Backup, E:\Backup\Corporate_Data)
--- Deleted/No Longer Existing Paths ---
C:\ProgramData\Updates\ (folder deleted, shellbag persists)
C:\ProgramData\svc\ (folder deleted, shellbag persists)
C:\Windows\Temp\tools\ (folder deleted, shellbag persists)
Summary:
Total unique folders accessed: 1,690
Network shares accessed: 4 (2 newly accessed during incident)
Removable media: 1 USB device (data staging suspected)
Deleted folder evidence: 3 paths (anti-forensics indicator)
CSV exported to: /analysis/shellbag_output/
```
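Review bot: the "Access Count" column is not something shellbags record. Shellbag entries carry MRU ordering and timestamps (ShellBags Explorer exposes CreatedOn, ModifiedOn, AccessedOn, FirstInteracted and LastInteracted), but no counter of how many times a folder was opened, so a reader who tries to reproduce this table with SBECmd will not find the column. Drop it or replace it with `First Interacted`. Also, "Total shellbag entries: 1,690" and "Total unique folders accessed: 1,690" conflate entries with unique paths (the same folder can appear in both NTUSER.DAT and UsrClass.dat); pick one figure. The `--csv /analysis/shellbag_output` POSIX path for a Windows tool recurs here as well.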
@@ -253,3 +253,69 @@ def analyze_onedrive_sync_engine(db_path: str) -> list:
- Magnet AXIOM Cloud: https://www.magnetforensics.com/blog/how-to-acquire-and-analyze-cloud-data-with-magnet-axiom/
- AWS Cloud Forensics Framework: https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/cyber-forensics.html
- API-Based Forensic Acquisition of Cloud Drives: https://arxiv.org/abs/1603.06542
## Example Output
```text
$ python3 cloud_forensic_acquire.py --provider google-drive --auth /tokens/gdrive_token.json \
--user jsmith@corporate.com --output /acquisition/gdrive
Cloud Storage Forensic Acquisition Tool v3.2
==============================================
Provider: Google Drive
Account: jsmith@corporate.com
Start Time: 2024-01-19 08:00:15 UTC
Auth Method: Admin SDK (domain-wide delegation)
[+] Enumerating files...
Total files: 2,345
Total folders: 178
Shared with me: 456
Trashed items: 89 (included in acquisition)
Total size: 14.7 GB
[+] Acquiring file contents...
Downloaded: 2,345 / 2,345 [████████████████████████████████] 100%
Errors: 0
Elapsed: 18m 32s
[+] Acquiring metadata...
File metadata: 2,345 entries
Revision history: 8,912 revisions across 1,234 files
Sharing permissions: 3,456 permission entries
Activity log: 12,345 events
[+] Acquiring trashed items...
Recovered: 89 / 89 items (234 MB)
--- Acquisition Log ---
Timestamp (UTC) | Action | File | Size | SHA-256
2024-01-19 08:00:45 | Downloaded | /My Drive/Finance/Q4_Report.xlsm | 245 KB | 7a3b8c9d...
2024-01-19 08:00:46 | Downloaded | /My Drive/Finance/Budget_2024.xlsx | 1.2 MB | 8b4c9d0e...
...
2024-01-19 08:02:12 | Trash-Recovered | /Trash/employee_list_full.csv | 4.5 MB | 9c5d0e1f...
2024-01-19 08:02:13 | Trash-Recovered | /Trash/network_diagram_v3.vsdx | 2.1 MB | 0d6e1f2a...
2024-01-19 08:02:14 | Trash-Recovered | /Trash/credentials_backup.kdbx | 128 KB | 1e7f2a3b...
--- Sharing Analysis ---
Files Shared Externally:
/My Drive/Finance/Q4_Report.xlsm → j.smith.personal8842@protonmail.com (2024-01-16 03:10 UTC)
/My Drive/HR/employee_list_full.csv → j.smith.personal8842@protonmail.com (2024-01-16 03:12 UTC)
/My Drive/IT/network_diagram_v3.vsdx → anonymous (link sharing, 2024-01-16 03:15 UTC)
--- Revision History (Suspicious) ---
File: /My Drive/Finance/Q4_Report.xlsm
Rev 1: 2024-01-10 09:00:00 UTC (245 KB) - Original
Rev 2: 2024-01-15 14:35:00 UTC (248 KB) - Modified (macro added)
Rev 3: 2024-01-16 03:05:00 UTC (245 KB) - Reverted (macro removed - anti-forensics)
Acquisition Summary:
Files acquired: 2,345 (14.7 GB)
Trashed items: 89 (234 MB)
Revisions: 8,912
Chain of custody hash (full archive):
SHA-256: a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2
Output directory: /acquisition/gdrive/
Acquisition log: /acquisition/gdrive/acquisition_log.csv
Completion Time: 2024-01-19 08:18:47 UTC
```
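Review bot: the timestamps in this run do not add up. Start is 08:00:15 and the content-download phase reports `Elapsed: 18m 32s`, which lands exactly on the stated completion time of 08:18:47, leaving zero seconds for the metadata, revision, permission, activity-log and trash phases that follow it; meanwhile the acquisition log shows `Trash-Recovered` entries at 08:02:12 while the download phase would still be in progress. Either make the phases sequential with their own elapsed times or present the log as interleaved by design. Also state where the "Files Shared Externally" timestamps come from (the activity log rather than file metadata), since that distinction is the point of acquiring the activity events at all.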
@@ -265,3 +265,76 @@ def decode_mozilla_timestamp(moz_ts: int) -> datetime:
- Belkasoft SQLite Analysis: https://belkasoft.com/sqlite-analysis
- Spyder Forensics SQLite Training: https://www.spyderforensics.com/sqlite-forensic-fundamentals-2025/
- Forensic Analysis of Damaged SQLite Databases: https://www.forensicfocus.com/articles/forensic-analysis-of-damaged-sqlite-databases/
## Example Output
```text
$ python3 sqlite_forensics.py --db /evidence/chrome/Default/History \
--wal /evidence/chrome/Default/History-wal \
--journal /evidence/chrome/Default/History-journal \
--output /analysis/sqlite_report
SQLite Database Forensic Analyzer v2.0
========================================
Database: /evidence/chrome/Default/History
Size: 48.2 MB
SQLite Ver: 3.39.5
Page Size: 4096 bytes
Total Pages: 12,345
Encoding: UTF-8
[+] Analyzing WAL (Write-Ahead Log)...
WAL file: History-wal (2.1 MB)
WAL frames: 512
Checkpointed: No (contains uncommitted data)
Recoverable rows from WAL: 234
[+] Analyzing journal file...
Journal file: History-journal (0 bytes - rolled back)
[+] Scanning for deleted records (freelist pages)...
Freelist pages: 456
Deleted records recovered: 1,892
[+] Analyzing table: urls
Active rows: 12,456
Deleted rows: 1,234 (recovered from freelist)
WAL-only rows: 89
--- Recovered Deleted URLs (Last 10) ---
Row ID | URL | Title | Visit Count | Last Visit (UTC)
-------|--------------------------------------------------|--------------------------|-------------|---------------------
89234 | https://mega.nz/folder/xYz123#key=AbCdEf | MEGA | 5 | 2024-01-16 03:20:00
89235 | https://transfer.sh/abc123/data.7z | transfer.sh | 1 | 2024-01-16 03:25:00
89240 | https://temp-mail.org/en/ | Temp Mail | 3 | 2024-01-15 13:00:00
89241 | https://browserleaks.com/ip | IP Leak Test | 1 | 2024-01-15 12:55:00
89245 | https://www.virustotal.com/gui/file/a1b2c3... | VirusTotal | 2 | 2024-01-15 14:30:00
89250 | https://github.com/gentilkiwi/mimikatz/releases | Mimikatz Releases | 1 | 2024-01-15 16:00:00
89260 | https://raw.githubusercontent.com/.../payload.ps1| GitHub Raw | 1 | 2024-01-15 14:34:00
89270 | https://pastebin.com/edit/kL9mN2pQ | Pastebin - Edit | 2 | 2024-01-15 14:42:00
89280 | https://duckduckgo.com/?q=clear+browser+history | DuckDuckGo | 1 | 2024-01-17 22:00:00
89285 | https://duckduckgo.com/?q=anti+forensics+tools | DuckDuckGo | 1 | 2024-01-17 22:05:00
[+] Analyzing table: downloads
Active rows: 234
Deleted rows: 12 (recovered)
--- Recovered Deleted Downloads ---
Row ID | Filename | URL | Size | Start Time (UTC)
-------|------------------------|----------------------------------------|-----------|---------------------
5012 | payload.ps1 | https://raw.githubusercontent.com/... | 4,096 | 2024-01-15 14:34:00
5015 | mimikatz_trunk.zip | https://github.com/.../releases/... | 1,892,352 | 2024-01-15 16:00:00
5018 | netscan_portable.zip | https://www.softperfect.com/... | 5,242,880 | 2024-01-15 15:05:00
[+] Slack space analysis...
Pages with slack space data: 234
Partial strings recovered: 67 fragments
Summary:
Total records analyzed: 14,578 (active) + 3,126 (deleted/WAL)
Evidence-relevant URLs: 23 (flagged)
Deleted downloads: 12 (3 tool-related)
Anti-forensics evidence: Browser history deletion detected
Report: /analysis/sqlite_report/sqlite_forensics.json
Recovered DB: /analysis/sqlite_report/History_recovered.db
```
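Review bot: "Checkpointed: No (contains uncommitted data)" conflates two different things. Frames in a WAL that has not been checkpointed are committed transactions not yet written back to the main database file; only frames after the last commit frame are uncommitted. Since the whole point of the WAL section is recovering rows that are invisible in the main file, say "not yet checkpointed (234 rows not in main database)" instead. Second, a database runs in either WAL mode or rollback-journal mode, not both, so listing `History-wal` and a `History-journal` for the same database needs a sentence explaining the zero-byte journal as a leftover from an earlier journal mode. Third, the summary figures `14,578 (active) + 3,126 (deleted/WAL)` are not derivable from the per-table counts above (12,456 + 234 active; 1,234 + 89 + 12 deleted/WAL), and 3,126 looks like the freelist total 1,892 added to the 1,234 urls rows that were themselves "recovered from freelist", i.e. double counting; reconcile the summary with the table sections.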