mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-12 22:24:56 +03:00

Files

T

mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills

Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders

2026-03-10 21:02:12 +01:00

1.9 KiB

Raw Blame History

API Reference: Analyzing Slack Space and File System Artifacts

The Sleuth Kit (TSK) CLI Tools

blkls - Extract Slack Space

# Extract slack space from partition at offset 2048
blkls -s -o 2048 evidence.dd > slack_space.raw

fls - List Files and Alternate Data Streams

# Recursive file listing with ADS
fls -r -o 2048 evidence.dd

# Filter for ADS entries (lines containing ":")
fls -r -o 2048 evidence.dd | grep ":"

icat - Extract File Content by Inode

# Extract $MFT (inode 0)
icat -o 2048 evidence.dd 0 > MFT

# Extract ADS content
icat -o 2048 evidence.dd 14523:Zone.Identifier

istat - Display Inode Details

istat -o 2048 evidence.dd 14523

analyzeMFT (Python)

pip install analyzeMFT

analyzeMFT.py -f MFT -o mft_output.csv -c

USN Journal Parsing

Record Structure (USN_RECORD_V2)

Offset	Size	Field
0	4	Record length
4	2	Major version
8	8	MFT reference
16	8	Parent MFT reference
32	8	Timestamp (FILETIME)
40	4	Reason flags
56	2	Filename length
58	2	Filename offset

Reason Flags

Flag	Meaning
`0x100`	FILE_CREATE
`0x200`	FILE_DELETE
`0x1000`	RENAME_OLD_NAME
`0x2000`	RENAME_NEW_NAME
`0x80000000`	CLOSE

bulk_extractor

bulk_extractor -o output_dir/ slack_space.raw

MFTECmd (Eric Zimmerman)

MFTECmd.exe -f MFT --csv output/ --csvf mft_analysis.csv
MFTECmd.exe -f UsnJrnl_J --csv output/ --csvf usn_journal.csv

foremost - File Carving

foremost -t jpg,pdf,zip -i slack_space.raw -o carved_files/

References

The Sleuth Kit: https://sleuthkit.org/sleuthkit/
analyzeMFT: https://pypi.org/project/analyzeMFT/
MFTECmd: https://github.com/EricZimmerman/MFTECmd
bulk_extractor: https://github.com/simsong/bulk_extractor

1.9 KiB Raw Blame History

API Reference: Analyzing Slack Space and File System Artifacts

The Sleuth Kit (TSK) CLI Tools

blkls - Extract Slack Space

fls - List Files and Alternate Data Streams

icat - Extract File Content by Inode

istat - Display Inode Details

analyzeMFT (Python)

USN Journal Parsing

Record Structure (USN_RECORD_V2)

Reason Flags

bulk_extractor

MFTECmd (Eric Zimmerman)

foremost - File Carving

References

1.9 KiB

Raw Blame History