
Digital Forensics Skill

Computer forensics analysis for incident response and investigation. Guides evidence collection, disk/memory analysis, timeline reconstruction, and chain-of-custody documentation following industry-standard methodologies.

Skill | Community | security | v1.0.0 | MIT

Description

This skill provides expertise in digital forensics for incident response investigations. It covers evidence acquisition, disk and memory analysis, network forensics, timeline reconstruction, and proper chain-of-custody documentation. Follows NIST SP 800-86 and SANS DFIR methodologies.

Instructions

  1. Evidence Acquisition: Guide proper forensic image creation and evidence preservation
  2. Analysis: Analyze disk images, memory dumps, log files, and network captures
  3. Timeline Reconstruction: Build event timelines from multiple evidence sources
  4. Reporting: Generate investigation reports suitable for legal proceedings

Rules

  • Always preserve evidence integrity -- work on copies, never originals
  • Document every action taken with timestamps for chain of custody
  • Use write blockers (physical or software) when acquiring disk images
  • Calculate and verify hash values (SHA-256) at every acquisition stage
  • Follow the order of volatility: registers → cache → RAM → disk → network → removable media
  • Never run tools on the live system that modify timestamps or data
  • Assume findings may be used in legal proceedings -- maintain forensic soundness
  • Cross-correlate findings across multiple evidence sources before drawing conclusions

Forensic Workflow

1. Preparation      → Tools, documentation templates, legal authorization
2. Identification    → Scope the incident, identify evidence sources
3. Preservation      → Create forensic images, document chain of custody
4. Analysis          → Examine evidence, build timeline, correlate findings
5. Reporting         → Document findings, conclusions, and methodology

Evidence Acquisition Commands

Disk Imaging

    # Create forensic image with dc3dd (hash verification built in)
    dc3dd if=/dev/sda of=evidence.dd hash=sha256 log=acquisition.log

    # Verify image integrity
    sha256sum evidence.dd
    # Compare with hash in acquisition.log

Memory Acquisition

    # Linux memory dump using LiME
    insmod lime.ko "path=/evidence/memory.lime format=lime"

    # Windows memory dump using winpmem
    winpmem_mini_x64.exe memory.raw

Volatile Data Collection Script

    #!/bin/bash
    # Collect volatile data in order of volatility
    TIMESTAMP=$(date -u '+%Y%m%d_%H%M%S')
    OUT="volatile_$TIMESTAMP"   # point this at external evidence media, not the suspect disk
    mkdir -p "$OUT"
    date -u > "$OUT/collection_time.txt"
    hostname > "$OUT/hostname.txt"
    who > "$OUT/logged_users.txt"
    ps auxf > "$OUT/processes.txt"
    # -a captures established sockets as well as listeners (-tulnp would list listeners only);
    # prefer ss, fall back to netstat on older systems
    ss -antup > "$OUT/network_connections.txt" 2>/dev/null || netstat -antup > "$OUT/network_connections.txt"
    lsof -i > "$OUT/open_files_network.txt"
    arp -a > "$OUT/arp_cache.txt"
    route -n > "$OUT/routing_table.txt"
    mount > "$OUT/mounted_filesystems.txt"
    last -50 > "$OUT/recent_logins.txt"
    # Hash manifest written beside the directory so it never lists itself
    sha256sum "$OUT"/* > "$OUT.sha256"
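The rules above require a hash at every acquisition stage and a chain-of-custody record of every action. The following is an added example, not code from the skill page: it streams an image through SHA-256 (so multi-gigabyte files never load into memory), compares the result with a manifest in the `<hex>  <filename>` format that `sha256sum` prints, and appends a timestamped JSON-lines custody entry whether the check passes or fails. The "image" bytes, examiner name and file names are constructed placeholders.

```python
"""Verify an acquired image against its recorded SHA-256 and log the check as
a chain-of-custody entry.  Added example (not part of the skill page); assumes
the hash was recorded in sha256sum's "<hex>  <file>" format."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large images are never read into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines ("<hex>  <name>") into {name: hex}."""
    recorded = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        recorded[name.lstrip("*")] = digest.lower()   # '*' marks binary mode
    return recorded


def verify_image(image_path, manifest_text, custody_log, examiner):
    """Recompute the image hash, compare it with the recorded value and append a
    custody record either way.  Returns True only on an exact match."""
    name = os.path.basename(image_path)
    recorded = parse_manifest(manifest_text).get(name)
    actual = sha256_file(image_path)
    ok = recorded is not None and actual == recorded
    entry = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "action": "hash_verification",
        "evidence": name,
        "examiner": examiner,
        "recorded_sha256": recorded,
        "computed_sha256": actual,
        "result": "MATCH" if ok else "MISMATCH",
    }
    with open(custody_log, "a") as f:          # append-only: earlier entries are never rewritten
        f.write(json.dumps(entry) + "\n")
    return ok


def demo():
    """Constructed demo: a tiny 'image', its manifest, then a one-byte tamper.
    Returns (first_check, second_check, custody_results)."""
    with tempfile.TemporaryDirectory() as tmpdir:
        image = os.path.join(tmpdir, "evidence.dd")
        with open(image, "wb") as f:
            f.write(b"\x00" * 4096 + b"EXAMPLE MBR DATA")   # constructed bytes, not a real image
        manifest = f"{sha256_file(image)}  evidence.dd\n"    # what `sha256sum evidence.dd` prints
        log = os.path.join(tmpdir, "chain_of_custody.jsonl")
        examiner = "Analyst A (placeholder)"
        first = verify_image(image, manifest, log, examiner)
        with open(image, "r+b") as f:                         # flip the first byte
            f.write(b"\x01")
        second = verify_image(image, manifest, log, examiner)
        with open(log) as f:
            results = [json.loads(line)["result"] for line in f]
        return first, second, results


if __name__ == "__main__":
    print(demo())   # (True, False, ['MATCH', 'MISMATCH'])
```

A single flipped byte produces a MISMATCH entry while leaving the earlier MATCH entry intact, which is the property a custody log needs: the history of checks is preserved, not overwritten.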

Timeline Analysis Template

| Timestamp (UTC) | Source | Event | Artifact | Notes |
|-----------------|--------|-------|----------|-------|
| 2025-03-15 02:14:33 | Auth Log | Failed SSH login (root) | /var/log/auth.log | Brute force start |
| 2025-03-15 02:17:45 | Auth Log | Successful SSH login (root) | /var/log/auth.log | Compromise |
| 2025-03-15 02:18:02 | Syslog | New crontab entry | /var/log/syslog | Persistence |
| 2025-03-15 02:18:30 | File System | /tmp/.hidden/backdoor created | MFT/inode | Malware dropped |
| 2025-03-15 02:19:11 | Network | Outbound C2 to 185.x.x.x:443 | pcap/netflow | Exfiltration |
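Building a table like the one above means normalising timestamps from several sources into one clock before correlating them. The following added example (not part of the skill page) parses constructed auth.log and syslog lines into UTC datetimes, merges and sorts them, and flags the brute-force-then-success pattern the table records. It assumes the host logged in UTC and that the syslog year (absent from the timestamp) is 2025; host names, PIDs and the 203.0.113.5 address are constructed sample values.

```python
"""Merge auth.log and syslog lines into one UTC timeline and flag an SSH
brute-force pattern (repeated failures followed by success from one source).
Added example, not part of the skill page; all log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

LOG_YEAR = 2025   # assumption: syslog timestamps omit the year
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([\w./-]+)(?:\[\d+\])?: (.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+)")

# Constructed sample input (not real evidence)
AUTH_LOG = """\
Mar 15 02:14:33 web01 sshd[2101]: Failed password for root from 203.0.113.5 port 54321 ssh2
Mar 15 02:14:41 web01 sshd[2103]: Failed password for root from 203.0.113.5 port 54322 ssh2
Mar 15 02:15:02 web01 sshd[2108]: Failed password for invalid user admin from 203.0.113.5 port 54330 ssh2
Mar 15 02:17:45 web01 sshd[2150]: Accepted password for root from 203.0.113.5 port 54400 ssh2
Mar 15 02:17:45 web01 sshd[2150]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""
SYSLOG = """\
Mar 15 02:18:02 web01 crontab[2177]: (root) REPLACE (root)
Mar 15 02:10:00 web01 CRON[2001]: (root) CMD (run-parts /etc/cron.hourly)
"""


def parse_lines(text, source):
    """Turn raw syslog-format lines into event dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue   # malformed lines are skipped here; count them in a real tool
        ts = datetime.strptime(f"{LOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "source": source, "host": m.group(2),
                       "program": m.group(3), "msg": m.group(4)})
    return events


def build_timeline(*sources):
    """Merge events from every source into one chronological (stable-sorted) list."""
    return sorted((e for src in sources for e in src), key=lambda e: e["ts"])


def detect_brute_force(events, threshold=3, window_minutes=10):
    """Flag a source IP with >= threshold failed SSH logins inside the window that
    is later followed by an accepted login from the same IP.  Expects events
    already in chronological order (see build_timeline)."""
    failures = defaultdict(list)
    hits = []
    for e in events:
        if e["program"] != "sshd":
            continue
        f = FAILED_RE.search(e["msg"])
        if f:
            failures[f.group(2)].append(e["ts"])
            continue
        a = ACCEPTED_RE.search(e["msg"])
        if a:
            ip = a.group(2)
            recent = [t for t in failures[ip]
                      if (e["ts"] - t).total_seconds() <= window_minutes * 60]
            if len(recent) >= threshold:
                hits.append({"ip": ip, "user": a.group(1), "failures": len(recent),
                             "first_failure": min(recent), "success": e["ts"]})
    return hits


def render(events):
    """Format the timeline in the page's column order: time | source | event."""
    return "\n".join(f"{e['ts']:%Y-%m-%d %H:%M:%S} | {e['source']:<8} | {e['program']}: {e['msg']}"
                     for e in events)


if __name__ == "__main__":
    timeline = build_timeline(parse_lines(AUTH_LOG, "auth.log"), parse_lines(SYSLOG, "syslog"))
    print(render(timeline))
    for hit in detect_brute_force(timeline):
        print("BRUTE FORCE:", hit)
```

Because the two sources are sorted on the same clock, the out-of-order cron line ends up first and the crontab replacement lands after the successful login, which is exactly the ordering the table above relies on to label it as persistence.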

Investigation Report Structure

    # Forensic Investigation Report

    ## Case Information
    - Case ID: [Unique identifier]
    - Investigator: [Name, credentials]
    - Date Range: [Start] to [End]
    - Authorization: [Legal authority reference]

    ## Executive Summary
    [2-3 paragraph non-technical summary for management/legal]

    ## Evidence Inventory
    | ID | Description | Hash (SHA-256) | Acquired | By |
    |----|-------------|----------------|----------|----|

    ## Findings
    ### Finding 1: [Title]
    - Evidence: [Sources]
    - Analysis: [Methodology and tools used]
    - Conclusion: [What happened, supported by evidence]

    ## Timeline of Events
    [Chronological event table]

    ## Conclusions
    [Summary of what occurred, attribution if possible, confidence level]

    ## Recommendations
    [Remediation steps, prevention measures]

Examples

"Walk me through collecting volatile evidence from a compromised Linux server"
"Analyze this auth.log for signs of brute force attack"
"Help me build a timeline from these log files and pcap capture"
"Create a chain of custody form for the disk images we acquired"