npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
When to Use
- When you have a forensic disk image and need structured analysis of its contents
- During investigations requiring file recovery, keyword searching, and timeline analysis
- When non-technical stakeholders need visual reports from forensic evidence
- For examining file system metadata, deleted files, and embedded artifacts
- When building a comprehensive case from multiple disk images
Prerequisites
- Autopsy 4.x installed (Windows) or Autopsy 4.x with The Sleuth Kit (Linux)
- Forensic disk image in raw (dd), E01 (EnCase), or AFF format
- Minimum 8GB RAM (16GB recommended for large images)
- Java Runtime Environment (JRE) 8+ for Autopsy
- Sufficient disk space for the Autopsy case database (2-3x image size)
- Hash databases (NSRL, known-bad hashes) for file identification
Workflow
Step 1: Install Autopsy and Configure Environment
# On Linux, install Sleuth Kit and Autopsy
sudo apt-get install autopsy sleuthkit
# Download Autopsy 4.x (GUI version) from official source
wget https://github.com/sleuthkit/autopsy/releases/download/autopsy-4.21.0/autopsy-4.21.0.zip
unzip autopsy-4.21.0.zip -d /opt/autopsy
# On Windows, run the MSI installer from sleuthkit.org
# Launch Autopsy
/opt/autopsy/bin/autopsy --nosplash
# For Sleuth Kit command-line analysis alongside Autopsy
sudo apt-get install sleuthkitStep 2: Create a New Case and Add the Disk Image
1. Launch Autopsy > "New Case"
2. Enter Case Name: "CASE-2024-001-Workstation"
3. Set Base Directory: /cases/case-2024-001/autopsy/
4. Enter Case Number, Examiner Name
5. Click "Add Data Source"
6. Select "Disk Image or VM File"
7. Browse to: /cases/case-2024-001/images/evidence.dd
8. Select Time Zone of the original system
9. Configure Ingest Modules (see Step 3)# Alternatively, use Sleuth Kit CLI to verify the image first
img_stat /cases/case-2024-001/images/evidence.dd
# List partitions in the image
mmls /cases/case-2024-001/images/evidence.dd
# Output example:
# DOS Partition Table
# Offset Sector: 0
# Units are in 512-byte sectors
# Slot Start End Length Description
# 00: ----- 0000000000 0000002047 0000002048 Primary Table (#0)
# 01: 00:00 0000002048 0001026047 0001024000 NTFS (0x07)
# 02: 00:01 0001026048 0976771071 0975745024 NTFS (0x07)
# List files in a partition (offset 2048 sectors)
fls -o 2048 /cases/case-2024-001/images/evidence.ddStep 3: Configure and Run Ingest Modules
Enable the following Autopsy Ingest Modules:
- Recent Activity: Extracts browser history, downloads, cookies, bookmarks
- Hash Lookup: Compares files against NSRL and known-bad hash sets
- File Type Identification: Identifies files by signature, not extension
- Keyword Search: Indexes content for full-text searching
- Email Parser: Extracts emails from PST, MBOX, EML files
- Extension Mismatch Detector: Finds files with wrong extensions
- Exif Parser: Extracts metadata from images (GPS, camera, timestamps)
- Encryption Detection: Identifies encrypted files and containers
- Interesting Files Identifier: Flags files matching custom rule sets
- Embedded File Extractor: Extracts files from ZIP, Office docs, PDFs
- Picture Analyzer: Categorizes images using PhotoDNA or hash matching
- Data Source Integrity: Verifies image hash during ingest# Configure NSRL hash set for known-good filtering
# Download NSRL from https://www.nist.gov/itl/ssd/software-quality-group/national-software-reference-library-nsrl
wget https://s3.amazonaws.com/rds.nsrl.nist.gov/RDS/current/rds_modernm.zip
unzip rds_modernm.zip -d /opt/autopsy/hashsets/
# Import into Autopsy:
# Tools > Options > Hash Sets > Import > Select NSRLFile.txt
# Mark as "Known" (to filter out known-good files)Step 4: Analyze File System and Recover Deleted Files
# In Autopsy GUI: Navigate tree structure
# - Data Sources > evidence.dd > vol2 (NTFS)
# - Examine directory tree, note deleted files (marked with X)
# Using Sleuth Kit CLI for targeted recovery
# List deleted files
fls -rd -o 2048 /cases/case-2024-001/images/evidence.dd
# Recover a specific deleted file by inode
icat -o 2048 /cases/case-2024-001/images/evidence.dd 14523 > /cases/case-2024-001/recovered/deleted_document.docx
# Extract all files from a directory
tsk_recover -o 2048 -d /Users/suspect/Documents \
/cases/case-2024-001/images/evidence.dd \
/cases/case-2024-001/recovered/documents/
# Get detailed file metadata
istat -o 2048 /cases/case-2024-001/images/evidence.dd 14523
# Shows: creation, modification, access, MFT change timestamps, size, data runsStep 5: Perform Keyword Searches and Tag Evidence
In Autopsy:
1. Keyword Search panel > "Ad Hoc Keyword Search"
2. Search terms: credit card patterns, SSN regex, email addresses
3. Example regex for credit cards: \b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})\b
4. Example regex for SSN: \b\d{3}-\d{2}-\d{4}\b
5. Review results > Right-click items > "Add Tag"
6. Create tags: "Evidence-Critical", "Evidence-Supporting", "Requires-Review"
7. Add comments to tagged items documenting relevance# Using Sleuth Kit for CLI keyword search
srch_strings -a -o 2048 /cases/case-2024-001/images/evidence.dd | \
grep -iE '(password|secret|confidential)' > /cases/case-2024-001/keyword_hits.txt
# Search for specific file signatures
sigfind -o 2048 /cases/case-2024-001/images/evidence.dd 25504446
# 25504446 = %PDF header signatureStep 6: Build Timeline and Generate Reports
In Autopsy:
1. Timeline viewer: Tools > Timeline
2. Select date range of interest (incident window)
3. Filter by event type: File Created, Modified, Accessed, Web Activity
4. Zoom into suspicious time periods
5. Export timeline events as CSV for external analysis
Generate Report:
1. Generate Report > HTML Report
2. Select tagged items and data sources to include
3. Configure report sections: file listings, keyword hits, timeline
4. Export to /cases/case-2024-001/reports/# Using Sleuth Kit mactime for CLI timeline
fls -r -m "/" -o 2048 /cases/case-2024-001/images/evidence.dd > /cases/case-2024-001/bodyfile.txt
# Generate timeline from bodyfile
mactime -b /cases/case-2024-001/bodyfile.txt -d > /cases/case-2024-001/timeline.csv
# Filter timeline to specific date range
mactime -b /cases/case-2024-001/bodyfile.txt \
-d 2024-01-15..2024-01-20 > /cases/case-2024-001/incident_timeline.csvKey Concepts
| Concept | Description |
|---|---|
| Ingest Modules | Automated analysis plugins that process data sources upon import |
| MFT (Master File Table) | NTFS metadata structure recording all file entries and attributes |
| File carving | Recovering files from unallocated space using file signatures |
| Hash filtering | Using NSRL or custom hash sets to exclude known-good or flag known-bad files |
| Timeline analysis | Chronological reconstruction of file system and user activity events |
| Deleted file recovery | Restoring files whose directory entries are removed but data remains |
| Keyword indexing | Full-text search index built from all file content including slack space |
| Artifact extraction | Automated parsing of browser, email, registry, and OS-specific artifacts |
Tools & Systems
| Tool | Purpose |
|---|---|
| Autopsy | Open-source GUI forensic platform for disk image analysis |
| The Sleuth Kit (TSK) | Command-line forensic toolkit underlying Autopsy |
| fls | List files and directories in a disk image including deleted entries |
| icat | Extract file content by inode number from a disk image |
| mactime | Generate timeline from TSK bodyfile format |
| mmls | Display partition layout of a disk image |
| NSRL | NIST hash database for identifying known software files |
| sigfind | Search for file signatures at the sector level |
Common Scenarios
Scenario 1: Employee Data Theft Investigation Import the employee workstation image, run all ingest modules, search for company-confidential file names and keywords, examine USB connection artifacts in Recent Activity, check for cloud storage client artifacts, review deleted files for evidence of data staging, generate HTML report for legal team.
Scenario 2: Malware Infection Forensics Add the compromised system image, enable Extension Mismatch and Encryption Detection modules, examine the prefetch directory for execution evidence, search for known malware hashes, build timeline around the infection window, extract suspicious executables for further analysis in a sandbox.
Scenario 3: Child Exploitation Material (CSAM) Investigation Import image with PhotoDNA and Project VIC hash sets enabled, run Picture Analyzer module, hash all image files against known-bad databases, tag and categorize matches by severity, generate law enforcement report with chain of custody documentation.
Scenario 4: Intellectual Property Dispute Import multiple employee disk images as separate data sources in one case, perform keyword searches for proprietary terms and project names, compare file hashes between sources, build timeline showing file access and transfer patterns, export evidence for legal review.
Output Format
Autopsy Case Analysis Summary:
Case: CASE-2024-001-Workstation
Image: evidence.dd (500GB NTFS)
Partitions: 2 (System Reserved + Primary)
Total Files: 245,832
Deleted Files: 12,456 (recoverable: 8,234)
Ingest Results:
Hash Matches (Known Bad): 3 files
Extension Mismatches: 17 files
Keyword Hits: 234 across 45 files
Encrypted Files: 5 containers detected
EXIF Data Extracted: 1,245 images with metadata
Tagged Evidence:
Critical: 12 items
Supporting: 34 items
Review: 67 items
Timeline Events: 1,234,567 entries (filtered to incident window: 892)
Report: /cases/case-2024-001/reports/autopsy_report.htmlReferences and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md2.8 KB
API Reference: Autopsy and The Sleuth Kit (TSK)
mmls - Partition Layout
Syntax
mmls <image_file>
mmls -t dos <image_file> # Force DOS partition table
mmls -t gpt <image_file> # Force GPT partition tableOutput Format
DOS Partition Table
Offset Sector: 0
Slot Start End Length Description
00: 00:00 0000002048 0001026047 0001024000 NTFS (0x07)fls - File Listing
Syntax
fls -o <offset> <image> # List root directory
fls -r -o <offset> <image> # Recursive listing
fls -rd -o <offset> <image> # Deleted files only, recursive
fls -m "/" -r -o <offset> <image> # Bodyfile format for mactimeFlags
| Flag | Description |
|---|---|
-r |
Recursive listing |
-d |
Deleted entries only |
-D |
Directories only |
-m "/" |
Output in bodyfile format with mount point |
-o |
Partition sector offset |
icat - File Extraction by Inode
Syntax
icat -o <offset> <image> <inode> > recovered_file
icat -r -o <offset> <image> <inode> > file # Recover slack spaceistat - File Metadata
Syntax
istat -o <offset> <image> <inode>Output Includes
- MFT entry number and sequence
- File creation, modification, access, MFT change timestamps
- File size and data run locations
- Attribute list (NTFS: $STANDARD_INFORMATION, $FILE_NAME, $DATA)
mactime - Timeline Generation
Syntax
mactime -b <bodyfile> -d > timeline.csv
mactime -b <bodyfile> -d 2024-01-15..2024-01-20 > filtered.csv
mactime -b <bodyfile> -z UTC -d > timeline_utc.csvOutput Columns
Date,Size,Type,Mode,UID,GID,Meta,File Nameimg_stat - Image Information
Syntax
img_stat <image_file>sigfind - File Signature Search
Syntax
sigfind -o <offset> <image> <hex_signature>
sigfind -o 2048 evidence.dd 25504446 # Find %PDF headers
sigfind -o 2048 evidence.dd 504B0304 # Find ZIP/DOCX headersCommon Signatures
| Hex | File Type |
|---|---|
FFD8FF |
JPEG |
89504E47 |
PNG |
25504446 |
|
504B0304 |
ZIP/DOCX/XLSX |
D0CF11E0 |
OLE (DOC/XLS) |
srch_strings - Keyword Search
Syntax
srch_strings -a -o <offset> <image> | grep -i "keyword"
srch_strings -t d <image> # Print offset in decimalAutopsy GUI Ingest Modules
| Module | Function |
|---|---|
| Recent Activity | Browser history, downloads, cookies |
| Hash Lookup | NSRL and known-bad hash matching |
| File Type Identification | Signature-based file type detection |
| Keyword Search | Full-text content indexing |
| Email Parser | PST/MBOX/EML extraction |
| Extension Mismatch | Wrong file extension detection |
| Embedded File Extractor | ZIP, Office, PDF extraction |
| Encryption Detection | Encrypted container identification |
Scripts 1
agent.py7.5 KB
#!/usr/bin/env python3
"""Forensic disk image analysis agent using The Sleuth Kit (TSK) command-line tools."""
import shlex
import subprocess
import os
import sys
import json
import csv
import datetime
def run_cmd(cmd):
"""Execute a command and return output."""
if isinstance(cmd, str):
cmd = shlex.split(cmd)
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
return result.stdout.strip(), result.stderr.strip(), result.returncode
def get_image_info(image_path):
"""Retrieve disk image metadata using img_stat."""
stdout, _, rc = run_cmd(f"img_stat {image_path}")
if rc == 0:
info = {}
for line in stdout.splitlines():
if ":" in line:
key, _, val = line.partition(":")
info[key.strip()] = val.strip()
return info
return None
def list_partitions(image_path):
"""List partition layout using mmls."""
stdout, _, rc = run_cmd(f"mmls {image_path}")
partitions = []
if rc == 0:
for line in stdout.splitlines():
parts = line.split()
if len(parts) >= 6 and parts[2].isdigit():
partitions.append({
"slot": parts[0].rstrip(":"),
"start": int(parts[2]),
"end": int(parts[3]),
"length": int(parts[4]),
"description": " ".join(parts[5:]),
})
return partitions
def list_files(image_path, offset, path="/", recursive=False):
"""List files in a partition using fls."""
flags = "-r" if recursive else ""
cmd = f"fls {flags} -o {offset} {image_path}"
if path != "/":
cmd += f" -D {path}"
stdout, _, rc = run_cmd(cmd)
files = []
if rc == 0:
for line in stdout.splitlines():
line = line.strip()
if not line:
continue
parts = line.split("\t", 1)
if len(parts) == 2:
meta = parts[0].strip()
name = parts[1].strip()
deleted = meta.startswith("*")
file_type = "d" if "d/" in meta else "r"
inode = ""
for token in meta.split():
if "-" in token and token.replace("-", "").isdigit():
inode = token
break
files.append({
"name": name,
"inode": inode,
"type": "directory" if file_type == "d" else "file",
"deleted": deleted,
})
return files
def list_deleted_files(image_path, offset):
"""List only deleted files using fls -rd."""
stdout, _, rc = run_cmd(f"fls -rd -o {offset} {image_path}")
deleted = []
if rc == 0:
for line in stdout.splitlines():
line = line.strip()
if line:
deleted.append(line)
return deleted
def recover_file(image_path, offset, inode, output_path):
"""Recover a file by inode using icat."""
result = subprocess.run(
["icat", "-o", str(offset), image_path, str(inode)],
capture_output=True,
timeout=120,
)
if result.returncode == 0:
with open(output_path, "wb") as f:
f.write(result.stdout)
return result.returncode == 0
def get_file_metadata(image_path, offset, inode):
"""Get detailed file metadata using istat."""
stdout, _, rc = run_cmd(f"istat -o {offset} {image_path} {inode}")
return stdout if rc == 0 else None
def create_bodyfile(image_path, offset, output_path):
"""Generate a TSK bodyfile for timeline creation."""
result = subprocess.run(
["fls", "-r", "-m", "/", "-o", str(offset), image_path],
capture_output=True, text=True,
timeout=120,
)
if result.returncode == 0:
with open(output_path, "w") as f:
f.write(result.stdout)
return result.returncode == 0
def generate_timeline(bodyfile_path, output_csv, start_date=None, end_date=None):
"""Generate a timeline from a bodyfile using mactime."""
cmd = ["mactime", "-b", bodyfile_path, "-d"]
if start_date and end_date:
cmd.append(f"{start_date}..{end_date}")
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
if result.returncode == 0:
with open(output_csv, "w") as f:
f.write(result.stdout)
return result.returncode == 0
def search_keywords(image_path, offset, keyword):
"""Search for keyword strings in the disk image."""
result = subprocess.run(
["srch_strings", "-a", "-o", str(offset), image_path],
capture_output=True, text=True,
timeout=120,
)
if result.returncode != 0 or not result.stdout:
return []
keyword_lower = keyword.lower()
return [line for line in result.stdout.splitlines() if keyword_lower in line.lower()]
def find_file_signature(image_path, offset, hex_signature):
"""Find file signatures at the sector level using sigfind."""
stdout, _, rc = run_cmd(f"sigfind -o {offset} {image_path} {hex_signature}")
return stdout if rc == 0 else None
def analyze_image(image_path, case_dir):
"""Run a full automated analysis workflow on a disk image."""
os.makedirs(case_dir, exist_ok=True)
results = {"image": image_path, "timestamp": datetime.datetime.utcnow().isoformat()}
print(f"[*] Image info...")
results["image_info"] = get_image_info(image_path)
print(f"[*] Partition layout...")
partitions = list_partitions(image_path)
results["partitions"] = partitions
for part in partitions:
if "NTFS" in part.get("description", "") or "Linux" in part.get("description", ""):
offset = part["start"]
print(f"[*] Listing files at offset {offset} ({part['description']})...")
files = list_files(image_path, offset, recursive=True)
results[f"files_offset_{offset}"] = {
"total": len(files),
"deleted": sum(1 for f in files if f["deleted"]),
}
print(f" Total: {len(files)}, Deleted: {results[f'files_offset_{offset}']['deleted']}")
print(f"[*] Creating bodyfile for timeline...")
bf_path = os.path.join(case_dir, f"bodyfile_{offset}.txt")
create_bodyfile(image_path, offset, bf_path)
tl_path = os.path.join(case_dir, f"timeline_{offset}.csv")
generate_timeline(bf_path, tl_path)
report_path = os.path.join(case_dir, "analysis_summary.json")
with open(report_path, "w") as f:
json.dump(results, f, indent=2, default=str)
print(f"[*] Summary saved to {report_path}")
return results
if __name__ == "__main__":
print("=" * 60)
print("Disk Image Forensic Analysis Agent")
print("Tools: The Sleuth Kit (fls, icat, mmls, mactime)")
print("=" * 60)
if len(sys.argv) > 1:
image = sys.argv[1]
import tempfile
case = sys.argv[2] if len(sys.argv) > 2 else os.environ.get("AUTOPSY_CASE_DIR", os.path.join(tempfile.gettempdir(), "autopsy_case"))
if os.path.exists(image):
analyze_image(image, case)
else:
print(f"[ERROR] Image not found: {image}")
else:
print("\n[DEMO] Usage: python agent.py <disk_image.dd> [case_directory]")
print("[*] Supported operations:")
print(" - Partition enumeration (mmls)")
print(" - File listing with deleted file recovery (fls, icat)")
print(" - Timeline generation (mactime)")
print(" - Keyword searching (srch_strings)")
print(" - File signature detection (sigfind)")