
pentest-forensics · listed

Digital forensics — evidence acquisition, memory/disk image analysis, timeline reconstruction, IOC extraction advisory. Triggers on forensics, DFIR, Volatility, memory analysis, disk image, Autopsy, FTK, timeline, IOC extraction, evidence chain, log analysis.
fatihkan/badi · ★ 5 · AI & Automation · score 76
Install: claude install-skill fatihkan/badi
# pentest-forensics

Digital forensics + incident response advisory: post-exploitation analysis during an engagement, breach investigation, IR support.

## Triggers

- "memory dump analysis"
- "examine the disk image"
- "extract the timeline"
- "extract IOCs"
- "with Volatility"
- "Autopsy / FTK report"
- "log correlation"
- "evidence chain"

## Evidence Acquisition (Order Matters)

```
1. Volatile memory (RAM)  -> disappears fastest
2. Network state          -> active connections, routing table
3. Running processes      -> ps, lsof
4. Disk image             -> bit-by-bit copy
5. Log/audit files        -> /var/log, Event Viewer
6. Backup + cold storage  -> non-volatile
```

**Chain of custody** documentation per acquisition: who, when, which tool, SHA256 hash.

## Memory Acquisition

| OS | Tool | Command |
|----|------|---------|
| Linux | AVML (Microsoft) | `avml memory.lime` |
| Linux | LiME (LKM) | `insmod lime.ko "path=/mnt/dump.lime format=lime"` |
| Windows | DumpIt / WinPmem | `DumpIt.exe /OUTPUT memory.raw` |
| Windows | Magnet RAM Capture | GUI |
| macOS | osxpmem | `osxpmem -o memory.aff4 /dev/pmem` |

## Volatility 3 (Memory Forensics)

```bash
# Process list
vol -f memory.raw windows.pslist

# Network connections
vol -f memory.raw windows.netscan

# Malware detection: hidden processes
vol -f memory.raw windows.psscan
vol -f memory.raw windows.psxview   # cross-view

# Injected code
vol -f memory.raw windows.malfind

# Registry keys (from me
```
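As an added example (not part of the skill's own files), the chain-of-custody step above in Python: hash an acquired image in streamed chunks, record who/when/tool/SHA-256 for the acquisition, and re-verify the image later so any post-acquisition modification is detected. The file content, examiner name and tool label are constructed placeholders.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in 1 MiB pieces: images can be tens of GB

def sha256_file(path):
    """Stream the file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def record_acquisition(path, examiner, tool, stage):
    """One custody entry per acquisition: who, when, which tool, SHA-256.
    stage = step number in the acquisition order (1 = RAM ... 6 = backups)."""
    return {
        "stage": stage,
        "evidence": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "sha256": sha256_file(path),
        "examiner": examiner,
        "tool": tool,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }

def verify_evidence(path, entry):
    """Re-hash the image and compare with its custody entry. False means the
    file changed after acquisition (or is not the file that was recorded)."""
    return (os.path.getsize(path) == entry["size_bytes"]
            and sha256_file(path) == entry["sha256"])

def demo():
    """Constructed sample: 3 bytes stand in for a real LiME memory image."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "memory.lime")
        with open(img, "wb") as f:
            f.write(b"abc")                    # constructed content, not a real dump
        entry = record_acquisition(img, "analyst01", "avml", stage=1)
        intact = verify_evidence(img, entry)   # True right after acquisition
        with open(img, "ab") as f:
            f.write(b"\x00")                   # simulate post-acquisition modification
        return entry, intact, verify_evidence(img, entry)

if __name__ == "__main__":
    entry, before, after = demo()
    print(entry["sha256"], "intact:", before, "after modification:", after)
```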