dfir
Automate DFIR investigations and IR workflows.
Category: Community
Author: YukiIto1999
Version: 1.0.0
Installs: 0
System Documentation
What problem does it solve?
Digital forensics and incident response usually means collecting and analyzing scattered data sources (Windows Event Logs, PCAPs, and filesystem artifacts) to detect intrusions and reconstruct what an attacker did. This Skill provides a cohesive workflow to parse, correlate, and interpret evidence across those sources so investigations are faster and their conclusions are better supported by the evidence.
Core Features & Use Cases
- Windows EVTX parsing and event-ID correlation for authentication activity and privilege escalation.
- PCAP-based network forensics, including NTLM/NTLMv2 authentication patterns, LLMNR poisoning and NTLM relay indicators, and timeline reconstruction.
- Filesystem artifact analysis (NTFS artifacts such as the MFT and Volume Shadow Copy (VSS) snapshots) and Active Directory attack detection for threat hunting and incident response.
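The first feature above, event-ID correlation for authentication and privilege escalation, is the kind of logic an investigator wants to see spelled out. The following is an added example for this page, not code from the dfir Skill or its author. It works on already-parsed Security log records represented as plain dicts (the field names `ts`, `id`, `user`, `src`, `logon_id`, `logon_type` are this example's own normalization, and the sample records are constructed, not real evidence). It joins 4624 (successful logon) with 4672 (special privileges assigned) on the logon ID to recover the source address and logon type of privileged sessions, and flags accounts where a burst of 4625 failures ends in a 4624 success.

```python
"""Event-ID correlation over parsed Windows Security log records.

Added example for this page; it is not code from the dfir Skill or its
author. Records are plain dicts with the EventData fields the checks need;
a real run would fill them from an EVTX parser. Sample data is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, eid, user, src, logon_id=None, logon_type=None):
    """Build one normalized record (field names are this example's own)."""
    return {"ts": ts, "id": eid, "user": user, "src": src,
            "logon_id": logon_id, "logon_type": logon_type}


# Constructed sample: five failed network logons for svc_backup, then a
# success that is immediately granted sensitive privileges (4672), plus an
# unrelated interactive logon for alice. Not real evidence.
EVENTS = [ev(f"2024-03-01T10:00:0{i}", 4625, "svc_backup", "10.0.0.23", logon_type=3)
          for i in range(1, 6)] + [
    ev("2024-03-01T10:00:40", 4624, "svc_backup", "10.0.0.23", "0x3e7a1", 3),
    ev("2024-03-01T10:00:40", 4672, "svc_backup", None, "0x3e7a1"),
    ev("2024-03-01T10:05:00", 4624, "alice", "10.0.0.5", "0x41abc", 10),
    ev("2024-03-01T10:06:00", 4625, "alice", "10.0.0.5", logon_type=10),
]


def privileged_logons(events):
    """Pair 4624 with 4672 on the same logon ID.

    4672 (special privileges assigned) carries the SubjectLogonId of the
    session that 4624 reported as TargetLogonId; joining on it recovers the
    source address and logon type that 4672 alone does not record.
    """
    sessions = {e["logon_id"]: e for e in events
                if e["id"] == 4624 and e["logon_id"]}
    hits = []
    for e in events:
        if e["id"] == 4672 and e["logon_id"] in sessions:
            s = sessions[e["logon_id"]]
            hits.append({"user": s["user"], "src": s["src"],
                         "logon_type": s["logon_type"], "ts": s["ts"]})
    return hits


def failures_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """Flag accounts whose 4624 follows >= threshold 4625s within window.

    A burst of failures that ends in a success is the classic signature of a
    brute force or password spray that landed; the counter resets after each
    4624 so one success is reported once.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda r: r["ts"]):  # ISO-8601 sorts lexically
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        failures = []
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if e["id"] == 4625:
                failures.append(t)
            elif e["id"] == 4624:
                recent = [f for f in failures if t - f <= window]
                if len(recent) >= threshold:
                    hits.append({"user": user, "src": e["src"],
                                 "failures": len(recent), "success_ts": e["ts"]})
                failures = []
    return hits


if __name__ == "__main__":
    for h in privileged_logons(EVENTS):
        print("privileged logon:", h)
    for h in failures_then_success(EVENTS):
        print("failures then success:", h)
```

On the sample data the first check reports one privileged logon (svc_backup, network logon type 3 from 10.0.0.23) and the second reports the same account with five failures preceding that success. A type 3 logon that is immediately granted sensitive privileges is ordinary for an administrator connecting to a server, so in practice you would baseline the source hosts and accounts before treating the join alone as an alert.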
Quick Start
Load a Windows evidence bundle and run the DFIR workflow to parse the EVTX, PCAP, and MFT data automatically. Work from forensic copies (exported logs, captures, and disk images), not from the live system under investigation.
Dependency Matrix
Required Modules: none
Components: Standard package
Claude Code Installation
Recommended: let Claude install automatically. Copy and paste the text below into Claude Code.
Please help me install this Skill: Name: dfir Download link: https://github.com/YukiIto1999/ctf-sleuth/archive/main.zip#dfir Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
The download link is an unpinned archive of the repository's main branch, so its contents can change between installs; inspect the extracted files before placing them under .claude/skills/.