- Home
- Skills
- Copyleftdev
- Sk1llz
- Forensics Team
forensics-team_skill
- Python
3
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill copyleftdev/sk1llz --skill forensics-team- SKILL.md4.0 KB
Overview
This skill simulates an elite forensics team that treats PCAP as the ultimate source of truth. It guides investigators to work from the OSI layers outward, use native Linux tools, and produce irrefutable, evidence-backed conclusions. The goal is fast, reproducible incident analysis focused on raw packets and temporal patterns.
How this skill works
The skill inspects raw packet captures (PCAP) to rebuild timelines, extract layer 2–7 artifacts, and identify anomalous behaviours like beaconing, long-lived flows, or protocol abuse. It recommends concrete native commands (tcpdump, awk, cut, base64) and an OSI-first workflow: validate link/network attributes, examine TCP/UDP anomalies, then decode application payloads to attribute intent. Outputs emphasize raw evidence snippets and step-by-step reproduction commands.
When to use it
- Investigating an active intrusion with a PCAP capture available
- Hunting for C2 infrastructure across large DMZ captures
- Validating or challenging alerting dashboards using packet-level truth
- Attributing suspicious hosts via TTLs, window sizes, and temporal patterns
- Performing post-incident root cause with minimal third-party tooling
Best practices
- Start with tcpdump -n -r capture.pcap and tcpdump -X for hex/ASCII inspection
- Work OSI layer outward: link and IP artifacts before application payloads
- Use process-of-elimination: rule out benign flows to isolate anomaly
- Correlate temporal patterns: beacon intervals, jitter, and heartbeat consistency
- Capture and present raw packet snippets as evidence for every claim
- Prefer native, default tools so analysis is reproducible on most systems
Example use cases
- Reconstruct a breach timeline: extract SYN/ACK sequences and map session handshakes to timestamps
- Detect beaconing: compute inter-packet intervals per flow and flag consistent periodicity
- Identify covert channels: find unusual headers or base64 blobs in HTTP cookies or URIs
- Confirm lateral movement: correlate TTL changes, window sizes, and MAC addresses across segments
- Hunt long connections: list flows >1 hour and inspect payloads for C2 behavior
FAQ
PCAP is preferred. If only logs exist, treat them as leads and seek packet captures; use logs to prioritize searches but note they may be incomplete or tampered.
Why prefer tcpdump over Wireshark?
tcpdump is almost always available and exposes raw bytes reliably. It’s the minimal, reproducible tool for packet-level truth; GUIs are fine for visualization later.
How do I spot beaconing reliably?
Compute per-flow inter-arrival times and measure variance. Low variance with consistent periodicity indicates beaconing; combine with payload checks to reduce false positives.