Anthropic-Cybersecurity-Skills/skills/performing-disk-forensics-investigation/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00
# API Reference: Performing Disk Forensics Investigation
## pytsk3 Library (The Sleuth Kit Python Bindings)
| Class/Method | Description |
|--------------|-------------|
| `pytsk3.Img_Info(path)` | Open disk image (raw, E01, AFF) |
| `pytsk3.FS_Info(img_info)` | Parse file system from image |
| `fs.open_dir(path)` | Open directory for listing |
| `fs.open_file(path)` | Open file for reading content |
| `entry.info.meta` | Access file metadata (timestamps, size, flags) |
| `TSK_FS_META_FLAG_UNALLOC` | Flag indicating deleted/unallocated file |
## File Metadata Fields
| Field | Description |
|-------|-------------|
| `meta.crtime` | File creation time (NTFS) |
| `meta.mtime` | Last modification time |
| `meta.atime` | Last access time |
| `meta.ctime` | Metadata change time |
| `meta.size` | File size in bytes |
| `meta.addr` | Inode/MFT entry number |
| `meta.flags` | Allocation flags |
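The two tables above list the pytsk3 classes and the `entry.info.meta` fields separately; the following added example (written for this reference page, not code from the skill's `scripts/agent.py` or from the pytsk3 project) ties them together into a recursive walk of a disk image that produces one timeline row per entry, flags unallocated (deleted) entries via `TSK_FS_META_FLAG_UNALLOC`, and hashes the image for integrity verification with `hashlib`. The pytsk3 import is deferred into `walk_image()` so the pure helpers (`describe_entry`, `hash_chunks`, `to_utc`) run without The Sleuth Kit installed; the constant `TSK_FS_META_FLAG_UNALLOC = 0x02` is hard-coded to match TSK's `TSK_FS_META_FLAG_ENUM`. Function names, the `part_offset` parameter and the sample values in the usage block are this example's own choices.

```python
import datetime
import hashlib
import sys

# Value of TSK_FS_META_FLAG_UNALLOC in The Sleuth Kit's TSK_FS_META_FLAG_ENUM,
# hard-coded here so the helpers below run without pytsk3 installed.
TSK_FS_META_FLAG_UNALLOC = 0x02


def hash_chunks(chunks, algo="sha256"):
    """Hash an iterable of byte chunks (image integrity verification)."""
    h = hashlib.new(algo)
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def hash_image(image_path, algo="sha256", chunk_size=1 << 20):
    """Stream a (possibly multi-GB) image through hash_chunks() without loading it into RAM."""
    with open(image_path, "rb") as f:
        return hash_chunks(iter(lambda: f.read(chunk_size), b""), algo)


def to_utc(epoch):
    """Render a TSK epoch timestamp as ISO-8601 UTC; '' when the field is unset (0)."""
    if not epoch:
        return ""
    dt = datetime.datetime.fromtimestamp(epoch, tz=datetime.timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def describe_entry(path, crtime, mtime, atime, ctime, size, addr, flags):
    """Flatten the entry.info.meta fields from the table above into one timeline row."""
    return {
        "path": path,
        "inode": addr,                       # meta.addr: inode / MFT entry number
        "size": size,                        # meta.size
        "crtime": to_utc(crtime),            # NTFS creation time
        "mtime": to_utc(mtime),
        "atime": to_utc(atime),
        "ctime": to_utc(ctime),              # metadata change time
        "deleted": bool(int(flags) & TSK_FS_META_FLAG_UNALLOC),
    }


def deleted_entries(rows):
    """Rows whose metadata is unallocated, i.e. deleted-file candidates for recovery."""
    return [r for r in rows if r["deleted"]]


def walk_image(image_path, part_offset=0, root="/"):
    """Recursively list a file system inside a raw/E01/AFF image (pytsk3 required here).

    part_offset is the partition's byte offset (sector offset from `mmls` times 512)."""
    import pytsk3  # deferred so the pure helpers above stay importable without TSK

    img = pytsk3.Img_Info(image_path)
    fs = pytsk3.FS_Info(img, offset=part_offset)
    rows = []

    def _walk(directory, parent):
        for entry in directory:
            name = entry.info.name.name.decode("utf-8", "replace")
            if name in (".", ".."):
                continue
            meta = entry.info.meta
            if meta is None:              # name with no metadata (orphan name)
                continue
            path = parent.rstrip("/") + "/" + name
            rows.append(describe_entry(path, meta.crtime, meta.mtime, meta.atime,
                                       meta.ctime, meta.size, meta.addr, meta.flags))
            if meta.type == pytsk3.TSK_FS_META_TYPE_DIR:
                try:
                    _walk(entry.as_directory(), path)
                except IOError:           # unreadable (e.g. deleted) directory
                    continue

    _walk(fs.open_dir(path=root), root)
    return rows


if __name__ == "__main__":
    # Usage: python walk.py image.dd [partition_byte_offset]
    image = sys.argv[1]
    offset = int(sys.argv[2]) if len(sys.argv) > 2 else 0
    print("sha256:", hash_image(image))
    timeline = walk_image(image, offset)
    for row in deleted_entries(timeline):
        print(row["inode"], row["crtime"], row["size"], row["path"])
```

Sort the rows by `mtime` or `crtime` for a quick activity timeline; the `inode` column is what you pass to `icat` to carve the content of a deleted entry.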
## NTFS MFT Structure
| Offset | Size | Description |
|--------|------|-------------|
| 0x00 | 4 bytes | Signature ("FILE") |
| 0x16 | 2 bytes | Flags (in-use, directory) |
| 0x1C | 4 bytes | Real size of MFT entry |
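As an added example (not code from the page or the skill's own scripts) of parsing the MFT entry header with `struct`, the block below reads the signature and the flags word at 0x16 from the table above and also the surrounding fields of the FILE record header as laid out in ntfs-3g and The Sleuth Kit (update sequence array at 0x04/0x06, sequence number 0x10, link count 0x12, first attribute offset 0x14, bytes in use 0x18, bytes allocated 0x1C, base record 0x20, record number 0x2C). Before any field is trusted it verifies and undoes the NTFS update-sequence fixups, which is the check that catches torn or corrupt records in an exported `$MFT`. The `build_sample_record` helper constructs synthetic 1024-byte records for offline use; the function names and sample values are this example's own.

```python
import struct

MFT_RECORD_SIZE = 1024
SECTOR_SIZE = 512
FLAG_IN_USE = 0x0001      # clear on the record of a deleted file/directory
FLAG_DIRECTORY = 0x0002


def apply_fixups(record):
    """Verify the update sequence number at the end of each 512-byte sector and
    restore the original bytes from the update sequence array (USA)."""
    usa_ofs, usa_count = struct.unpack_from("<HH", record, 0x04)
    if usa_ofs + 2 * usa_count > len(record) or (usa_count - 1) * SECTOR_SIZE > len(record):
        raise ValueError("update sequence array out of bounds")
    usn = record[usa_ofs:usa_ofs + 2]          # entry 0 of the USA is the USN itself
    fixed = bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if fixed[end - 2:end] != usn:
            raise ValueError(f"update sequence mismatch in sector {i - 1}: torn or corrupt record")
        src = usa_ofs + 2 * i
        fixed[end - 2:end] = record[src:src + 2]
    return bytes(fixed)


def parse_mft_header(record):
    """Parse one FILE record header (layout as in ntfs-3g / TSK)."""
    if len(record) < 0x30 or record[0:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(record)
    seq, links, attr_ofs, flags, used, alloc = struct.unpack_from("<HHHHII", rec, 0x10)
    (base_ref,) = struct.unpack_from("<Q", rec, 0x20)
    (rec_num,) = struct.unpack_from("<I", rec, 0x2C)
    return {
        "record_number": rec_num,
        "sequence": seq,                      # bumped each time the entry is reused
        "link_count": links,
        "first_attr_offset": attr_ofs,
        "flags": flags,
        "in_use": bool(flags & FLAG_IN_USE),
        "is_directory": bool(flags & FLAG_DIRECTORY),
        "bytes_in_use": used,                 # 0x18
        "bytes_allocated": alloc,             # 0x1C
        "base_record": base_ref & 0xFFFFFFFFFFFF,  # low 48 bits of the file reference
    }


def scan_mft(data, record_size=MFT_RECORD_SIZE):
    """Walk an exported $MFT; skip blank slots, record parse errors instead of aborting."""
    rows = []
    for off in range(0, len(data) - record_size + 1, record_size):
        rec = data[off:off + record_size]
        if rec[0:4] != b"FILE":
            continue
        try:
            hdr = parse_mft_header(rec)
        except ValueError as exc:
            hdr = {"record_number": off // record_size, "error": str(exc)}
        hdr["offset"] = off
        rows.append(hdr)
    return rows


def deleted_records(rows):
    """Records that parsed cleanly but have the in-use bit clear (deleted entries)."""
    return [r for r in rows if "error" not in r and not r["in_use"]]


def build_sample_record(record_number, flags, usn=0x0005):
    """Constructed sample: a 1024-byte FILE record with fixups applied as the driver writes them."""
    buf = bytearray(MFT_RECORD_SIZE)
    usa_ofs, usa_count = 0x30, 3             # USN + one slot per 512-byte sector
    struct.pack_into("<4sHHQHHHHII", buf, 0x00, b"FILE", usa_ofs, usa_count,
                     0, 7, 1, 0x38, flags, 0x1A8, MFT_RECORD_SIZE)
    struct.pack_into("<QHHI", buf, 0x20, 0, 4, 0, record_number)
    # Real last-two-bytes of each sector go into the USA; the USN overwrites them on disk.
    struct.pack_into("<H2s2s", buf, usa_ofs, usn, b"\xAA\xBB", b"\xCC\xDD")
    usn_bytes = struct.pack("<H", usn)
    buf[SECTOR_SIZE - 2:SECTOR_SIZE] = usn_bytes
    buf[2 * SECTOR_SIZE - 2:2 * SECTOR_SIZE] = usn_bytes
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_record(16, FLAG_IN_USE) + build_sample_record(17, FLAG_DIRECTORY)
    for row in deleted_records(scan_mft(sample)):
        print("deleted record", row["record_number"], "directory" if row["is_directory"] else "file")
```

To run it against a real export, replace `sample` with the bytes of the `$MFT` file referenced under Configuration (`open(path, "rb").read()`); a record that fails the fixup check is reported with an `error` key rather than silently yielding bogus offsets.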
## Key Libraries
- **pytsk3** (`pip install pytsk3`): Python bindings for The Sleuth Kit
- **dfvfs** (`pip install dfvfs`): Digital Forensics Virtual File System
- **hashlib** (stdlib): Image integrity verification (MD5, SHA-256)
- **struct** (stdlib): Parse binary MFT entry headers
## CLI Tools (Reference)
| Tool | Description |
|------|-------------|
| `fls -r image.dd` | Recursively list files (TSK) |
| `icat image.dd inode` | Extract file by inode number |
| `mmls image.dd` | List disk partitions |
| `fsstat image.dd` | File system statistics |
## Configuration
| Variable | Description |
|----------|-------------|
| Image path | Path to forensic disk image (dd, E01, AFF) |
| MFT export | Exported $MFT file for NTFS-specific analysis |
## References
- [The Sleuth Kit](https://www.sleuthkit.org/)
- [pytsk3 Documentation](https://github.com/py4n6/pytsk)
- [Autopsy Digital Forensics](https://www.autopsy.com/)
- [SANS Forensics Poster](https://www.sans.org/posters/windows-forensic-analysis/)