Anthropic-Cybersecurity-Skills/skills/performing-endpoint-forensics-investigation/references/workflows.md

Workflows

Workflow 1: Endpoint Forensic Investigation

[Incident Detected / Investigation Authorized]
    │
    ▼
[Preserve Evidence (Order of Volatility)]
    │
    ├── 1. Capture memory (WinPMEM/FTK Imager)
    ├── 2. Capture volatile data (processes, network, users)
    ├── 3. Create forensic disk image (E01/dd)
    ├── 4. Hash all evidence, document chain of custody
    │
    ▼
[Analysis Phase]
    │
    ├── Memory analysis (Volatility 3)
    ├── Artifact parsing (KAPE + EZ tools)
    ├── Timeline reconstruction (plaso)
    ├── Malware analysis (if samples found)
    │
    ▼
[Correlate Findings]
    │
    ├── Initial access vector identified
    ├── Persistence mechanisms documented
    ├── Scope of compromise determined
    │
    ▼
[Generate IOCs and Report]
    │
    ▼
[Handoff to Remediation Team]

Workflow 2: Memory Analysis

[Memory dump acquired]
    │
    ▼
[Identify OS profile: vol windows.info]
    │
    ▼
[Process analysis: pslist → pstree → psscan]
    │
    ├── Hidden processes found ──► [Analyze with malfind, dlllist]
    │
    ▼
[Network analysis: netscan]
    │
    ├── Suspicious connections ──► [Extract IOCs (IPs, domains)]
    │
    ▼
[Injection detection: malfind]
    │
    ├── Injected code found ──► [Dump and analyze with YARA]
    │
    ▼
[Credential analysis: hashdump, lsadump]
    │
    ▼
[Document all findings with screenshots and hashes]