iblai-security-disk-forensics

Analyze disk images and file systems for digital evidence recovery in forensic investigations and CTF challenges. Use when the user mentions 'disk forensics,' 'forensic analysis,' 'disk image,' 'file carving,' 'deleted files,' 'evidence recovery,' 'autopsy,' 'sleuthkit,' or needs to examine a forensic image.

12 stars

Best use case

iblai-security-disk-forensics is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Analyze disk images and file systems for digital evidence recovery in forensic investigations and CTF challenges. Use when the user mentions 'disk forensics,' 'forensic analysis,' 'disk image,' 'file carving,' 'deleted files,' 'evidence recovery,' 'autopsy,' 'sleuthkit,' or needs to examine a forensic image.

Teams using iblai-security-disk-forensics should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/iblai-security-disk-forensics/SKILL.md --create-dirs "https://raw.githubusercontent.com/iblai/vibe/main/skills/iblai-security-disk-forensics/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/iblai-security-disk-forensics/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How iblai-security-disk-forensics Compares

Feature / Agentiblai-security-disk-forensicsStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Analyze disk images and file systems for digital evidence recovery in forensic investigations and CTF challenges. Use when the user mentions 'disk forensics,' 'forensic analysis,' 'disk image,' 'file carving,' 'deleted files,' 'evidence recovery,' 'autopsy,' 'sleuthkit,' or needs to examine a forensic image.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# /iblai-security-disk-forensics

Analyze disk images and file systems to recover evidence, reconstruct
timelines, and identify artifacts.

Do NOT touch the original. Mount everything read-only. Never modify
timestamps or content on source evidence.

## Evidence Handling

- Work on copies, never originals.
- Verify image integrity with hash comparison before analysis.
- Mount read-only — every time.
- Log every command and finding.
- Preserve timestamps.

## Step 1: Image Identification and Integrity

Identify the format and confirm integrity:

```bash
file <image>                    # Identify format (E01, dd/raw, VMDK, VHD)
sha256sum <image>               # Compare to provided hash
```

For E01 images, use `ewfinfo` to pull metadata.

## Step 2: Partition Layout

Inspect the partition structure:

```bash
fdisk -l <image>                # Partition table
mmls <image>                    # Sleuth Kit partition layout
```

Mount offsets: `sector_start × sector_size`.

## Step 3: Mount and Explore

Read-only mount, then survey:

```bash
mount -o ro,loop,offset=<bytes> <image> /mnt/evidence
ls -laR /mnt/evidence
```

For encrypted volumes, identify the encryption type and request the
key/passphrase from the user.

## Step 4: File System Analysis (Sleuth Kit)

```bash
fsstat -o <offset> <image>              # File system details
fls -r -o <offset> <image>             # Full file listing (deleted files marked with *)
icat -o <offset> <image> <inode>       # Extract specific file by inode
```

## Step 5: Artifact Recovery

**Deleted files:** `fls` to locate (marked with `*`), `icat` to extract
by inode.

**File carving:** `foremost` or `scalpel` on unallocated space to
recover files by header signatures.

**Hidden data:**

- NTFS alternate data streams
- HFS+ resource forks
- Steganography checks on images: `exiftool`, `binwalk`, `steghide`

**System artifacts:**

- Browser history: `~/.mozilla`, `~/Library/Safari`, `AppData\Local\Google`
- System logs: `/var/log/*`, Windows Event Logs
- Registry hives (Windows): SAM, SYSTEM, SOFTWARE, NTUSER.DAT
- Recently accessed files, USB device history, prefetch files

## Step 6: Metadata and Timestamps

```bash
exiftool <file>                 # EXIF, XMP, IPTC metadata
stat <file>                     # MAC times (Modified, Accessed, Changed)
```

NTFS: inspect `$MFT` timestamps and `$UsnJrnl` change-journal entries.

Use `mactime` (Sleuth Kit) to build a unified timeline from body
files.

## Step 7: Keyword Search

```bash
strings <image> | grep -i <keyword>    # Raw string search across image
```

Use `bulk_extractor` for automated extraction of emails, URLs, credit
card numbers, and other structured data.

## Step 8: Timeline Construction

Collect every timestamp into a single timeline. Cross-reference file
events with log entries. Flag anomalies:

- Timestamps before the OS install date
- Future-dated files
- Gaps in otherwise continuous log sequences
- Timestamps inconsistent with timezone settings

## Output Format

```markdown
# Forensic Analysis Report
## Case: [identifier]
## Image: [filename] — SHA256: [hash]
## Date of Analysis: [date]

### Image Integrity
- Hash verified: [yes/no]
- Algorithm: [SHA256]

### Partition Layout
| # | Type | Start | Size | File System |
|---|------|-------|------|-------------|

### Key Findings
#### Finding 1: [Title]
- **Evidence:** [file path or artifact]
- **Content:** [description]
- **Timestamp:** [UTC]
- **Significance:** [why this matters]

### Recovered Files
| File | Source | Recovery Method | SHA256 | Significance |
|------|--------|-----------------|--------|-------------|

### Timeline
| Timestamp (UTC) | Event | Source | Notes |
|-----------------|-------|--------|-------|

### Conclusions
[Summary of findings and their implications]
```

## Boundaries

- Work only on provided images and files.
- Read-only at all times.
- Document chain of custody for real investigations.
- For CTF challenges, focus on finding flags and solving the challenge.
- Never modify evidence or suggest evidence tampering.
- Refuse requests involving unauthorized device access.

## References

- NIST SP 800-86: Guide to Integrating Forensic Techniques
- The Sleuth Kit documentation
- SANS Digital Forensics cheat sheets

Related Skills

We are still matching the closest adjacent skills for this page. In the meantime, continue through the full directory.