performing-endpoint-forensics-investigation

mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026


$ npx skills install mukul975/Anthropic-Cybersecurity-Skills/performing-endpoint-forensics-investigation
summary

Performs digital forensics investigation on compromised endpoints including memory acquisition, disk imaging, artifact analysis, and timeline reconstruction. Use when investigating security incidents, collecting evidence for legal proceedings, or analyzing endpoint compromise scope. Activates for requests involving endpoint forensics, memory analysis, disk forensics, or incident investigation.

skill.md

---
name: performing-endpoint-forensics-investigation
description: >-
  Performs digital forensics investigation on compromised endpoints including
  memory acquisition, disk imaging, artifact analysis, and timeline reconstruction.
  Use when investigating security incidents, collecting evidence for legal
  proceedings, or analyzing endpoint compromise scope. Activates for requests
  involving endpoint forensics, memory analysis, disk forensics, or incident
  investigation.
domain: cybersecurity
subdomain: endpoint-security
tags:
  - endpoint
  - forensics
  - memory-analysis
  - disk-imaging
  - incident-investigation
  - Volatility
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_csf:
  - PR.PS-01
  - PR.PS-02
  - DE.CM-01
  - PR.IR-01
---

Performing Endpoint Forensics Investigation

When to Use

Use this skill when:

  • Investigating a confirmed or suspected endpoint compromise requiring forensic analysis
  • Collecting volatile and non-volatile evidence for incident response or legal proceedings
  • Analyzing memory dumps for malware, injected code, or credential theft artifacts
  • Reconstructing attacker timelines from endpoint artifacts (prefetch, shimcache, amcache)

Do not use this skill for live threat hunting (use EDR/SIEM) or network forensics.

Prerequisites

  • Forensic workstation with analysis tools (Volatility 3, KAPE, Autopsy, Eric Zimmerman tools)
  • Write-blocker for disk imaging (hardware or software)
  • Secure evidence storage with chain-of-custody documentation
  • Memory acquisition tool (WinPMEM, FTK Imager, Magnet RAM Capture)
  • Administrative access to the target endpoint (or physical access)

Workflow

Step 1: Evidence Preservation (Order of Volatility)

Collect evidence from most volatile to least volatile:

1. System memory (RAM) - Most volatile
2. Network connections and routing tables
3. Running processes and open files
4. Disk contents (file system)
5. Removable media
6. Logs and backup data - Least volatile

Memory Acquisition:

# WinPMEM (Windows)
winpmem_mini_x64.exe memdump.raw

# FTK Imager - Create memory capture via GUI
# File → Capture Memory → Destination path → Capture Memory

# Linux (LiME kernel module)
sudo insmod lime.ko "path=/evidence/memory.lime format=lime"

Volatile Data Collection:

# Capture running processes
Get-Process | Export-Csv "evidence\processes.csv" -NoTypeInformation
tasklist /v > "evidence\tasklist.txt"

# Capture network connections
netstat -anob > "evidence\netstat.txt"
Get-NetTCPConnection | Export-Csv "evidence\tcp_connections.csv"

# Capture logged-on users
query user > "evidence\logged_users.txt"

# Capture scheduled tasks
schtasks /query /fo CSV /v > "evidence\scheduled_tasks.csv"

# Capture services
Get-Service | Export-Csv "evidence\services.csv"

# Capture DNS cache
ipconfig /displaydns > "evidence\dns_cache.txt"

Step 2: Disk Imaging

# FTK Imager - Create forensic disk image
# File → Create Disk Image → Physical Drive → E01 format
# Always verify that the image hash (MD5/SHA1) matches the source

# dc3dd (Linux) - images and hashes in one pass; attach the source drive through a write-blocker first
sudo dc3dd if=/dev/sda of=/evidence/disk.dd hash=sha256 log=/evidence/imaging.log

# Verify image integrity
sha256sum /evidence/disk.dd
# Compare with the hash dc3dd recorded in /evidence/imaging.log during imaging
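As an added example (not part of the skill), the hash-at-collection and verify-later steps from this section in Python: each evidence item gets a manifest entry with a streamed SHA-256, and a later verification recomputes it so any post-collection change shows up. The manifest layout, the `demo()` sample file and the source/collector strings are assumptions made for this example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream images in 1 MiB chunks; a multi-GB image never has to fit in RAM

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def record_evidence(path, source, collector, manifest_path):
    """Append one chain-of-custody entry (what, where from, who, when, size, hash) as a JSON line."""
    entry = {
        "file": os.path.abspath(path),
        "source": source,        # device or host the item was acquired from
        "collector": collector,  # person or tool that performed the acquisition
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "size_bytes": os.path.getsize(path),
        "sha256": sha256_file(path),
    }
    with open(manifest_path, "a", encoding="utf-8") as m:
        m.write(json.dumps(entry) + "\n")
    return entry

def verify_manifest(manifest_path):
    """Recompute every recorded hash; False means the item changed since collection."""
    results = {}
    with open(manifest_path, encoding="utf-8") as m:
        for line in m:
            e = json.loads(line)
            results[e["file"]] = (os.path.getsize(e["file"]) == e["size_bytes"]
                                  and sha256_file(e["file"]) == e["sha256"])
    return results

def demo():
    """Constructed run: record a fake image, verify, alter one byte, verify again -> (True, False)."""
    d = tempfile.mkdtemp()
    img, manifest = os.path.join(d, "disk.dd"), os.path.join(d, "manifest.jsonl")
    with open(img, "wb") as f:
        f.write(b"\x00" * (2 * CHUNK + 17))  # constructed content, larger than one chunk
    record_evidence(img, "/dev/sda (constructed)", "analyst", manifest)
    intact = verify_manifest(manifest)[os.path.abspath(img)]
    with open(img, "ab") as f:
        f.write(b"!")  # simulate post-collection modification
    return intact, verify_manifest(manifest)[os.path.abspath(img)]
```

The same manifest serves the volatile captures from Step 1 (memory dump, netstat and process exports), which the pitfalls below also require to be hashed at collection time.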

Step 3: Memory Analysis with Volatility 3

# Identify OS version and build (Volatility 3 resolves the symbol table itself; no profile selection needed)
vol -f memdump.raw windows.info

# List running processes
vol -f memdump.raw windows.pslist
vol -f memdump.raw windows.pstree

# Find hidden processes
vol -f memdump.raw windows.psscan

# Analyze network connections
vol -f memdump.raw windows.netscan

# Detect process injection
vol -f memdump.raw windows.malfind

# Extract command line arguments
vol -f memdump.raw windows.cmdline

# Analyze DLLs loaded by processes
vol -f memdump.raw windows.dlllist --pid 1234

# Extract files from memory
vol -f memdump.raw windows.filescan | grep -i "suspicious"
vol -f memdump.raw windows.dumpfiles --pid 1234

# Detect credential theft
vol -f memdump.raw windows.hashdump
vol -f memdump.raw windows.lsadump

# Registry analysis from memory
vol -f memdump.raw windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"
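An added example, not part of the skill: the cross-view check behind the "find hidden processes" step, run over the CSV output of `windows.pslist` and `windows.psscan` (`vol -r csv ...`). A process that pool-tag scanning finds but the active process list does not walk is either terminated residue (it has an ExitTime) or a candidate for an unlinked process. The sample rows are constructed and the column names are assumed from the Volatility 3 csv renderer.

```python
import csv
import io

# Constructed sample output in the layout of `vol -r csv -f memdump.raw windows.pslist` and
# `windows.psscan` (column names assumed from the Volatility 3 csv renderer; rows invented here)
PSLIST_CSV = """TreeDepth,PID,PPID,ImageFileName,Offset(V),Threads,Handles,SessionId,Wow64,CreateTime,ExitTime,File output
0,4,0,System,0xe00001234000,120,N/A,N/A,False,2026-02-21 01:00:00.000000 UTC,N/A,Disabled
0,620,4,smss.exe,0xe00001235000,2,N/A,N/A,False,2026-02-21 01:00:02.000000 UTC,N/A,Disabled
0,3104,620,explorer.exe,0xe00001236000,40,N/A,1,False,2026-02-21 01:01:00.000000 UTC,N/A,Disabled
"""
PSSCAN_CSV = """TreeDepth,PID,PPID,ImageFileName,Offset(V),Threads,Handles,SessionId,Wow64,CreateTime,ExitTime,File output
0,4,0,System,0xe00001234000,120,N/A,N/A,False,2026-02-21 01:00:00.000000 UTC,N/A,Disabled
0,620,4,smss.exe,0xe00001235000,2,N/A,N/A,False,2026-02-21 01:00:02.000000 UTC,N/A,Disabled
0,3104,620,explorer.exe,0xe00001236000,40,N/A,1,False,2026-02-21 01:01:00.000000 UTC,N/A,Disabled
0,5552,3104,notepad.exe,0xe00001237000,0,N/A,1,False,2026-02-21 01:05:00.000000 UTC,2026-02-21 01:06:00.000000 UTC,Disabled
0,7812,3104,updater.exe,0xe00001238000,6,N/A,1,False,2026-02-21 01:10:00.000000 UTC,N/A,Disabled
"""

def load_procs(csv_text):
    """Index rows by (PID, EPROCESS offset): PIDs get reused, the offset identifies the object."""
    return {(r["PID"], r["Offset(V)"]): r for r in csv.DictReader(io.StringIO(csv_text))}

def cross_view(pslist_csv, psscan_csv):
    """Processes psscan found that pslist did not walk. A populated ExitTime means a terminated
    process whose EPROCESS is still in memory (expected residue); an empty one is a candidate for
    an unlinked process and should be examined with dlllist, cmdline and malfind for that PID."""
    listed = load_procs(pslist_csv)
    findings = []
    for key, row in load_procs(psscan_csv).items():
        if key in listed:
            continue
        exited = row["ExitTime"] not in ("", "N/A")
        findings.append({
            "pid": int(row["PID"]), "ppid": int(row["PPID"]), "name": row["ImageFileName"],
            "offset": row["Offset(V)"], "exited": exited,
            "verdict": "terminated process (expected)" if exited else "hidden/unlinked candidate",
        })
    # unlinked candidates first, then terminated residue
    return sorted(findings, key=lambda f: (f["exited"], f["pid"]))
```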

Step 4: Windows Artifact Analysis

Key forensic artifacts and their tools:

Prefetch Files (C:\Windows\Prefetch\):
  Tool: PECmd.exe (Eric Zimmerman)
  Shows: Program execution history with timestamps and run counts
  Command: PECmd.exe -d "C:\Windows\Prefetch" --csv output\

ShimCache (AppCompatCache):
  Tool: AppCompatCacheParser.exe
  Shows: Programs that existed on system (even if deleted)
  Command: AppCompatCacheParser.exe -f SYSTEM --csv output\

AmCache (C:\Windows\appcompat\Programs\Amcache.hve):
  Tool: AmcacheParser.exe
  Shows: Program execution with SHA1 hashes and install timestamps
  Command: AmcacheParser.exe -f Amcache.hve --csv output\

NTFS artifacts ($MFT, $UsnJrnl, $LogFile):
  Tool: MFTECmd.exe
  Shows: Complete file system timeline including deleted files
  Command: MFTECmd.exe -f "$MFT" --csv output\

Event Logs:
  Tool: EvtxECmd.exe
  Shows: Security, System, PowerShell, Sysmon events
  Command: EvtxECmd.exe -d "C:\Windows\System32\winevt\Logs" --csv output\

Registry Hives (SAM, SYSTEM, SOFTWARE, NTUSER.DAT):
  Tool: RECmd.exe with batch files
  Shows: User accounts, services, installed software, USB history
  Command: RECmd.exe -d "C:\Windows\System32\config" --bn BatchExamples\RECmd_Batch_MC.reb --csv output\

Step 5: Timeline Reconstruction

# Use KAPE for automated artifact collection and parsing (--mdest is required whenever --module is
# given; --msource defaults to --tdest, so the parsers run against the collected copies, not the live drive)
kape.exe --tsource C: --tdest C:\evidence\kape_output --target KapeTriage --mdest C:\evidence\kape_parsed --module !EZParser

# Create super timeline with plaso/log2timeline (current plaso releases require --storage-file)
log2timeline.py --storage-file timeline.plaso disk_image.E01
psort.py -o l2tcsv -w timeline.csv timeline.plaso

# Filter timeline around incident timeframe
psort.py -o l2tcsv -w filtered_timeline.csv timeline.plaso "date > '2026-02-20' AND date < '2026-02-22'"
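An added example, not the skill's code: a small version of the timeline merge, combining PECmd, EvtxECmd and MFTECmd CSV excerpts into one sorted timeline limited to the same two-day window used in the psort filter. The rows are constructed, and the column names (`LastRun`, `TimeCreated`, `Created0x10`) are assumed from those tools' output; the one real wrinkle it handles is the seven-digit fractional seconds EZ tools emit, which `datetime` will not parse directly.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed excerpts of EZ-tool CSV output (column names assumed; rows invented for this example)
PREFETCH_CSV = """ExecutableName,RunCount,LastRun
CMD.EXE,3,2026-02-21 02:30:15.1234567
POWERSHELL.EXE,1,2026-02-21 02:31:40.0000000
"""
EVTX_CSV = """TimeCreated,EventId,Channel,MapDescription
2026-02-21 02:29:58.8812345,4624,Security,Successful logon
2026-02-21 02:32:05.0000000,7045,System,Service installed
2026-02-19 09:00:00.0000000,4624,Security,Successful logon
"""
MFT_CSV = """FileName,Created0x10
update.ps1,2026-02-21 02:31:10.5555555
"""

# (label, csv text, timestamp column, columns that describe the event)
SOURCES = [
    ("prefetch", PREFETCH_CSV, "LastRun", ("ExecutableName", "RunCount")),
    ("evtx", EVTX_CSV, "TimeCreated", ("EventId", "MapDescription")),
    ("mft", MFT_CSV, "Created0x10", ("FileName",)),
]

def parse_ez_time(value):
    """EZ tools emit 7 fractional digits; datetime accepts at most 6, so truncate and mark as UTC."""
    main, _, frac = value.partition(".")
    dt = datetime.strptime(main, "%Y-%m-%d %H:%M:%S")
    if frac:
        dt = dt.replace(microsecond=int(frac[:6].ljust(6, "0")))
    return dt.replace(tzinfo=timezone.utc)

def build_timeline(sources, start, end):
    """Merge every source into (time, source, description) tuples inside [start, end], oldest first."""
    events = []
    for label, text, ts_col, desc_cols in sources:
        for row in csv.DictReader(io.StringIO(text)):
            ts = parse_ez_time(row[ts_col])
            if start <= ts <= end:
                events.append((ts, label, " ".join(row[c] for c in desc_cols)))
    return sorted(events)

def incident_window(sources=SOURCES):
    """The same two-day window the psort filter above uses."""
    return build_timeline(sources, datetime(2026, 2, 20, tzinfo=timezone.utc),
                          datetime(2026, 2, 22, tzinfo=timezone.utc))
```

Read top to bottom, the merged view shows the logon, the shell launch, the script being written and the service install as one sequence, which is the point the "tunnel vision" pitfall below makes about single artifacts.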

Step 6: Document Findings

Structure forensic report:

1. Executive Summary
2. Scope and Methodology
3. Evidence Inventory (with chain of custody)
4. Timeline of Events
5. Findings and Analysis
   - Initial access vector
   - Persistence mechanisms
   - Lateral movement
   - Data access/exfiltration
6. Indicators of Compromise (IOCs)
7. Recommendations
8. Appendices (tool output, hashes, raw evidence)

Key Concepts

| Term | Definition |
|---|---|
| Order of Volatility | Evidence collection priority from most volatile (RAM) to least volatile (backups) |
| Chain of Custody | Documented record of evidence handling from collection to presentation |
| Write Blocker | Hardware or software device that prevents modification of source evidence |
| Super Timeline | Consolidated chronological view of all artifact timestamps for incident reconstruction |
| Prefetch | Windows artifact recording program execution history |
| ShimCache | Application compatibility artifact tracking program existence on endpoint |

Tools & Systems

  • Volatility 3: Memory forensics framework for analyzing RAM dumps
  • KAPE (Kroll Artifact Parser and Extractor): Automated triage collection and parsing
  • Eric Zimmerman Tools: Suite of Windows artifact parsers (PECmd, MFTECmd, RECmd, etc.)
  • Autopsy/Sleuth Kit: Disk forensics platform for file system analysis
  • FTK Imager: Forensic imaging and memory acquisition tool
  • Plaso/log2timeline: Super timeline creation framework

Common Pitfalls

  • Modifying evidence on live system: Always image before analysis. Running tools on a live system alters timestamps and memory state.
  • Forgetting chain of custody: Evidence without documented chain of custody is inadmissible in legal proceedings.
  • Analyzing only disk, ignoring memory: In-memory-only malware (fileless attacks) leaves no disk artifacts. Always capture memory first.
  • Not hashing evidence: All evidence must be cryptographically hashed at collection time to prove integrity.
  • Tunnel vision: Focusing on one artifact when the timeline tells a broader story. Always build a comprehensive timeline.