Anthropic-Cybersecurity-Skills/skills/analyzing-slack-space-and-file-system-artifacts/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00


# API Reference: Analyzing Slack Space and File System Artifacts
## The Sleuth Kit (TSK) CLI Tools
### blkls - Extract Slack Space
```bash
# -o is the partition start in sectors (take it from mmls); -s writes only file slack,
# the unused tail of allocated clusters. Without -s, blkls writes unallocated clusters instead.
blkls -s -o 2048 evidence.dd > slack_space.raw
```
### fls - List Files and Alternate Data Streams
```bash
# Recursive listing. Each line is "type inode-attrtype-attrid:<TAB>name"; an ADS is listed
# as its own entry named file:stream, and the address in column 1 is what icat needs.
fls -r -o 2048 evidence.dd
# Filter ADS entries: look for ":" in the name field (after the tab), because the ":"
# that terminates the address appears on every line and grep ":" would match everything
fls -r -o 2048 evidence.dd | awk -F'\t' '$2 ~ /:/'
```
### icat - Extract File Content by Inode
```bash
# Extract the $MFT (always MFT entry 0 on NTFS)
icat -o 2048 evidence.dd 0 > MFT
# An ADS is addressed as inode-attrtype-attrid, not inode:stream. 128 is the $DATA type;
# the attribute id (4 here, illustrative) is taken from the fls listing or istat output
icat -o 2048 evidence.dd 14523-128-4 > Zone.Identifier.raw
```
### istat - Display Inode Details
```bash
# Shows every attribute of the entry, including named $DATA streams with their type-id
# addresses, plus the $STANDARD_INFORMATION and $FILE_NAME timestamps for timestomping checks
istat -o 2048 evidence.dd 14523
```
## analyzeMFT (Python)
```bash
pip install analyzeMFT
# -f is the extracted $MFT, -o the output file; CSV is the default output format
# (other formats and flags vary between analyzeMFT releases, check --help)
analyzeMFT.py -f MFT -o mft_output.csv
```
## USN Journal Parsing
### Record Structure (USN_RECORD_V2)
All fields are little-endian. The fixed header is 60 bytes; each record is padded to an 8-byte boundary, and `$J` is a sparse stream, so an extracted copy usually starts with a long run of zeros before the first record.
| Offset | Size | Field |
|--------|------|-------|
| 0 | 4 | RecordLength (total, including padding) |
| 4 | 2 | MajorVersion (2) |
| 6 | 2 | MinorVersion (0) |
| 8 | 8 | FileReferenceNumber (low 48 bits MFT entry, high 16 bits sequence number) |
| 16 | 8 | ParentFileReferenceNumber (same encoding) |
| 24 | 8 | Usn (byte offset of this record within `$J`) |
| 32 | 8 | TimeStamp (FILETIME, 100 ns ticks since 1601-01-01 UTC) |
| 40 | 4 | Reason (bit flags, below) |
| 44 | 4 | SourceInfo |
| 48 | 4 | SecurityId |
| 52 | 4 | FileAttributes |
| 56 | 2 | FileNameLength (bytes) |
| 58 | 2 | FileNameOffset (60 for V2) |
| 60 | var | FileName (UTF-16LE, no terminator; name only, no path) |
### Reason Flags
Reason bits accumulate on one record until the handle is closed and `CLOSE` is set, so a single record commonly carries several flags. A rename shows up as a `RENAME_OLD_NAME` record followed by a `RENAME_NEW_NAME` record for the same file reference. The record stores only the file name; the full path has to be rebuilt by resolving the parent reference against the `$MFT`.
| Flag | Meaning |
|------|---------|
| `0x00000001` | DATA_OVERWRITE |
| `0x00000002` | DATA_EXTEND |
| `0x00000004` | DATA_TRUNCATION |
| `0x00000100` | FILE_CREATE |
| `0x00000200` | FILE_DELETE |
| `0x00000800` | SECURITY_CHANGE |
| `0x00001000` | RENAME_OLD_NAME |
| `0x00002000` | RENAME_NEW_NAME |
| `0x00008000` | BASIC_INFO_CHANGE |
| `0x00200000` | STREAM_CHANGE |
| `0x80000000` | CLOSE |
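The record layout and reason bits above, as a worked parser. This is an added example, not code from the original page or from the skills repository: it walks a raw `$J` extract, skipping the sparse zero lead-in and honouring the 8-byte record alignment, decodes the FILETIME and the split file reference, names the reason bits, and pulls the per-file history for one MFT entry. The sample journal at the bottom is constructed inside the script (a create, rename and delete of one file under MFT entry 14523) and is not real evidence; the subset of reason flags and the `0x20` (archive) FileAttributes value used by the builder are my choices.

```python
"""USN_RECORD_V2 parser for a raw $UsnJrnl:$J extract (added example, not from the original page)."""
import struct
from datetime import datetime, timedelta, timezone

# Subset of the reason bits from winioctl.h; bits accumulate on a record until CLOSE is set.
REASON_FLAGS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE",
    0x00200000: "STREAM_CHANGE",
    0x80000000: "CLOSE",
}

# Fixed 60-byte USN_RECORD_V2 header, little-endian; the UTF-16LE name follows at FileNameOffset.
USN_V2 = struct.Struct("<IHHQQQQIIIIHH")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def split_file_reference(ref):
    """NTFS file reference: low 48 bits = MFT entry number, high 16 bits = sequence number."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def decode_reason(reason):
    names = [name for bit, name in REASON_FLAGS.items() if reason & bit]
    unknown = reason & ~sum(REASON_FLAGS)
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:08x}")
    return names


def parse_usn_journal(data):
    """Walk a $J extract: skip sparse zero runs, keep 8-byte alignment, stop cleanly on truncation."""
    records = []
    off = 0
    while off + USN_V2.size <= len(data):
        if data[off:off + 4] == b"\0\0\0\0":
            # Zero run (sparse lead-in or padding): jump to the first non-zero byte, then back
            # to its 8-byte boundary; RecordLength is never zero, so that boundary is a record start.
            remaining = len(data[off:].lstrip(b"\0"))
            if remaining == 0:
                break
            nz = len(data) - remaining
            off = nz - nz % 8
            continue
        (rec_len, major, _minor, fref, pref, usn, ts, reason,
         _src, _sid, attrs, name_len, name_off) = USN_V2.unpack_from(data, off)
        if rec_len < USN_V2.size or off + rec_len > len(data):
            break  # truncated or corrupt record: report what was parsed so far
        if major == 2:  # V3/V4 use 128-bit references and a different layout; length still skips them
            name = data[off + name_off:off + name_off + name_len].decode("utf-16-le", "replace")
            entry, seq = split_file_reference(fref)
            parent, parent_seq = split_file_reference(pref)
            records.append({
                "usn": usn, "timestamp": filetime_to_dt(ts),
                "entry": entry, "seq": seq, "parent": parent, "parent_seq": parent_seq,
                "reason": reason, "reasons": decode_reason(reason),
                "attributes": attrs, "name": name,
            })
        off += rec_len
    return records


def history_for_entry(records, entry):
    """Per-file timeline: (name, reason names) for one MFT entry, in journal order."""
    return [(r["name"], r["reasons"]) for r in records if r["entry"] == entry]


# --- constructed sample journal, not real evidence ---
def build_record_v2(entry, seq, parent, parent_seq, usn, when, reason, name):
    name_b = name.encode("utf-16-le")
    rec_len = (USN_V2.size + len(name_b) + 7) & ~7  # pad to 8-byte boundary
    ft = ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10  # exact integer FILETIME
    hdr = USN_V2.pack(rec_len, 2, 0, (seq << 48) | entry, (parent_seq << 48) | parent,
                      usn, ft, reason, 0, 0, 0x20, len(name_b), USN_V2.size)
    return (hdr + name_b).ljust(rec_len, b"\0")


T0 = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_J = b"\0" * 64 + b"".join([  # sparse lead-in, then create / rename / delete of one file
    build_record_v2(14523, 3, 5, 5, 0x1000, T0, 0x80000100, "invoice.pdf"),
    build_record_v2(14523, 3, 5, 5, 0x1058, T0 + timedelta(seconds=30), 0x80001000, "invoice.pdf"),
    build_record_v2(14523, 3, 5, 5, 0x10B0, T0 + timedelta(seconds=30), 0x80002000, "invoice.pdf.locked"),
    build_record_v2(14523, 3, 5, 5, 0x1110, T0 + timedelta(minutes=2), 0x80000200, "invoice.pdf.locked"),
])

if __name__ == "__main__":
    for rec in parse_usn_journal(SAMPLE_J):
        print(rec["timestamp"].isoformat(), rec["entry"], rec["name"], "|".join(rec["reasons"]))
```

Run against a real extract with `parse_usn_journal(open("UsnJrnl_J", "rb").read())`; the zero-run skip matters there because an extracted `$J` can begin with hundreds of megabytes of sparse zeros. Parent paths are deliberately left unresolved: that needs the `$MFT`, which is what the `-m` option of MFTECmd below supplies.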
## bulk_extractor
```bash
# Scans the raw slack extract for emails, URLs, credit-card numbers and other features
# with no file-system parsing; results land as per-feature text files in output_dir/
bulk_extractor -o output_dir/ slack_space.raw
```
## MFTECmd (Eric Zimmerman)
```bash
MFTECmd.exe -f MFT --csv output/ --csvf mft_analysis.csv
# UsnJrnl_J is the extracted $Extend\$UsnJrnl:$J stream; pass the $MFT with -m so that
# parent references in the journal are resolved to full paths in the CSV
MFTECmd.exe -f UsnJrnl_J -m MFT --csv output/ --csvf usn_journal.csv
```
## foremost - File Carving
```bash
foremost -t jpg,pdf,zip -i slack_space.raw -o carved_files/
```
## References
- The Sleuth Kit: https://sleuthkit.org/sleuthkit/
- analyzeMFT: https://pypi.org/project/analyzeMFT/
- MFTECmd: https://github.com/EricZimmerman/MFTECmd
- bulk_extractor: https://github.com/simsong/bulk_extractor