creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-12 06:04:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/performing-disk-forensics-investigation/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

2.1 KiB
Raw Blame History

API Reference: Performing Disk Forensics Investigation

pytsk3 Library (The Sleuth Kit Python Bindings)

Class/Method Description
pytsk3.Img_Info(path) Open disk image (raw, E01, AFF)
pytsk3.FS_Info(img_info) Parse file system from image
fs.open_dir(path) Open directory for listing
fs.open_file(path) Open file for reading content
entry.info.meta Access file metadata (timestamps, size, flags)
TSK_FS_META_FLAG_UNALLOC Flag indicating deleted/unallocated file

File Metadata Fields

Field Description
meta.crtime File creation time (NTFS)
meta.mtime Last modification time
meta.atime Last access time
meta.ctime Metadata change time
meta.size File size in bytes
meta.addr Inode/MFT entry number
meta.flags Allocation flags

NTFS MFT Structure

Offset Size Description
0x00 4 bytes Signature ("FILE")
0x16 2 bytes Flags (in-use, directory)
0x1C 4 bytes Real size of MFT entry

Key Libraries

  • pytsk3 (pip install pytsk3): Python bindings for The Sleuth Kit
  • dfvfs (pip install dfvfs): Digital Forensics Virtual File System
  • hashlib (stdlib): Image integrity verification (MD5, SHA-256)
  • struct (stdlib): Parse binary MFT entry headers

CLI Tools (Reference)

Tool Description
fls -r image.dd Recursively list files (TSK)
icat image.dd inode Extract file by inode number
mmls image.dd List disk partitions
fsstat image.dd File system statistics

Configuration

Variable Description
Image path Path to forensic disk image (dd, E01, AFF)
MFT export Exported $MFT file for NTFS-specific analysis

References

Reference in New Issue View Git Blame Copy Permalink