Claude-skill-registry forensics
Extracts hidden data from files and analyzes forensic artifacts. Use when working with images, memory dumps, disk images, steganography, file carving, or when searching for hidden flags in files.
Install

Source: clone the upstream repo

```bash
git clone https://github.com/majiayu000/claude-skill-registry
```

Claude Code: install into ~/.claude/skills/

```bash
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/forensics" ~/.claude/skills/majiayu000-claude-skill-registry-forensics && rm -rf "$T"
```

Manifest: skills/data/forensics/SKILL.md
Forensics Analysis Skill
Quick Workflow
Progress:
- [ ] Identify file type (file, xxd)
- [ ] Check metadata (exiftool)
- [ ] Search strings for flag
- [ ] Check for embedded data (binwalk)
- [ ] Try steganography tools
- [ ] Extract hidden content
Step 1: Quick Analysis
```bash
file suspicious_file
exiftool suspicious_file
strings suspicious_file | grep -iE "flag|ctf|secret|key"
binwalk suspicious_file
```
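The first two commands above (file type by magic bytes, then a `strings | grep` for flag-like text) are easy to reproduce in a script when a CTF hands you many files at once. The following is an added example written for this page, not code from the skill or its author; it assumes a constructed, deliberately invalid sample blob and a small hand-written signature table rather than the full libmagic database.

```python
import re

# Constructed signature table (assumption: a handful of common formats, not the
# full libmagic database that `file` consults).
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"GIF87a", "GIF image"),
    (b"GIF89a", "GIF image"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"%PDF-", "PDF document"),
    (b"\x7fELF", "ELF executable"),
    (b"MZ", "DOS/Windows executable"),
]

# Same pattern the checklist greps for, applied case-insensitively.
FLAG_RE = re.compile(r"flag|ctf|secret|key", re.IGNORECASE)


def identify(data: bytes) -> str:
    """Classify a blob by its leading magic bytes (what `file` does, reduced to MAGIC)."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return "data"  # libmagic's answer when nothing matches


def printable_strings(data: bytes, min_len: int = 4):
    """Yield runs of printable ASCII at least min_len long (what `strings` prints)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    for m in re.finditer(pattern, data):
        yield m.group().decode("ascii")


def grep_flags(data: bytes) -> list:
    """`strings file | grep -iE "flag|ctf|secret|key"` over an in-memory blob."""
    return [s for s in printable_strings(data) if FLAG_RE.search(s)]


# Constructed sample file: a PNG signature, a fake IHDR, a text chunk carrying a
# planted marker, and a trailer. It is not a valid image; it only exercises the helpers.
SAMPLE = (b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"IHDR" + b"\x01\x02\x03"
          + b"tEXtComment\x00flag{constructed_example}" + b"\x00\x00IEND")

if __name__ == "__main__":
    print("type:", identify(SAMPLE))
    print("strings:", list(printable_strings(SAMPLE)))
    print("flag candidates:", grep_flags(SAMPLE))
```

Note that `identify` only looks at the leading bytes, exactly like `file`: a valid header says nothing about what sits after it, which is why the checklist follows up with `binwalk`.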
Step 2: Identify Challenge Type
| File Type | Approach | Reference |
|---|---|---|
| Image (PNG/JPG) | Steganography | reference/steganography.md |
| Memory dump | Volatility | reference/memory.md |
| Unknown/corrupted | File analysis | reference/file-analysis.md |
| PCAP | Network skill | Use skill |
Image Stego - Quick Start
```bash
# Try AperiSolve first (online)
# https://www.aperisolve.com/

# PNG
zsteg image.png
zsteg -a image.png

# JPEG
steghide extract -sf image.jpg
stegseek image.jpg rockyou.txt   # Brute force
```
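What `zsteg` does per bit plane is simple enough to show in a few lines, and seeing it clarifies why `zsteg -a` is worth running: the tool tries every plane and keeps the ones that decode to readable text. The following is an added example for this page, not code from the skill, zsteg, or their authors. It assumes the cover image has already been decoded to raw channel bytes (a constructed arithmetic sequence stands in for real RGB samples, so no image library is needed) and that channel order and row layout are known; zsteg handles those details for real PNGs.

```python
# Constructed cover "image": 512 channel bytes from a fixed arithmetic sequence,
# standing in for the decoded RGB samples of a real PNG (assumption: channel
# order and row layout are already known).
COVER = bytes((i * 37 + 11) % 256 for i in range(512))
PAYLOAD = b"flag{lsb_constructed}"


def embed_lsb(channels: bytes, payload: bytes, bit: int = 0) -> bytes:
    """Sample builder only: write payload + NUL into bit plane `bit` of successive bytes."""
    payload += b"\x00"
    bits = [(byte >> (7 - k)) & 1 for byte in payload for k in range(8)]
    if len(bits) > len(channels):
        raise ValueError("cover too small for payload")
    out = bytearray(channels)
    for i, b in enumerate(bits):
        out[i] = (out[i] & ~(1 << bit)) | (b << bit)
    return bytes(out)


def extract_plane(channels: bytes, bit: int = 0, max_bytes: int = 64) -> bytes:
    """Read bit plane `bit` of each byte, MSB-first, 8 bits per output byte,
    stopping at a NUL or after max_bytes (the core of what zsteg does per plane)."""
    out = bytearray()
    cur = 0
    for i, byte in enumerate(channels):
        cur = (cur << 1) | ((byte >> bit) & 1)
        if i % 8 == 7:
            if cur == 0 or len(out) >= max_bytes:
                break
            out.append(cur)
            cur = 0
    return bytes(out)


def scan_planes(channels: bytes) -> dict:
    """Try all eight planes and keep those that decode to printable text, like `zsteg -a`."""
    hits = {}
    for bit in range(8):
        text = extract_plane(channels, bit)
        if len(text) >= 4 and all(0x20 <= c < 0x7f for c in text):
            hits[bit] = text
    return hits


# Constructed stego sample: the payload hidden in the least significant bit plane.
STEGO = embed_lsb(COVER, PAYLOAD)

if __name__ == "__main__":
    print("plane 0 of cover:", extract_plane(COVER)[:8])
    print("readable planes in stego sample:", scan_planes(STEGO))
```

The printable-text filter is the weak point of this kind of scan: a plane of natural image noise occasionally decodes to a few printable bytes, and a payload that is compressed or encrypted never will, which is why the checklist moves on to steghide and stegseek for JPEGs rather than stopping at LSB extraction.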
Full techniques: reference/steganography.md
Memory Dump - Quick Start
```bash
# Volatility 3
vol -f memory.dmp windows.info
vol -f memory.dmp windows.pslist
vol -f memory.dmp windows.filescan | grep -i flag
```
Full techniques: reference/memory.md
File Carving - Quick Start
```bash
binwalk -e suspicious_file      # Extract embedded files
foremost -i file -o output/     # Carve files
# Fix corrupted header
xxd file | head -10             # Check magic bytes
```
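The three steps above (find embedded headers, carve from header to trailer, and restore a damaged header that `xxd` shows has been zeroed) map onto a short script, which also lets you verify the carved PNG's chunk CRCs so a "fixed" file is proven whole rather than assumed. The following is an added example for this page, not code from the skill, binwalk, or foremost; it assumes a three-format signature table and a constructed sample blob (a generated 1x1 PNG and a ZIP-shaped fragment wrapped in junk), where the real tools carry far larger signature databases and parse the container structures properly.

```python
import struct
import zlib

# Constructed header/trailer table (assumption: three common formats only).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "zip": (b"PK\x03\x04", b"PK\x05\x06"),  # local header .. end-of-central-directory
}


def scan_embedded(data: bytes) -> list:
    """List (offset, format) for every header found, the way `binwalk` reports them."""
    hits = []
    for name, (head, _) in SIGNATURES.items():
        start = 0
        while (pos := data.find(head, start)) != -1:
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)


def carve(data: bytes, name: str, offset: int):
    """Cut from the header at `offset` through the format's trailer signature
    (roughly what `foremost` does; real tools also parse the container structure)."""
    head, tail = SIGNATURES[name]
    if not data.startswith(head, offset):
        return None
    end = data.find(tail, offset + len(head))
    return None if end == -1 else data[offset:end + len(tail)]


def repair_png_header(data: bytes) -> bytes:
    """Put back the 8-byte PNG signature when the IHDR chunk that must follow it is
    intact; this is the `xxd file | head` fix done programmatically."""
    if data[12:16] == b"IHDR" and data[:8] != SIGNATURES["png"][0]:
        return SIGNATURES["png"][0] + data[8:]
    return data


def png_chunks_ok(data: bytes) -> bool:
    """Walk the chunk list and verify every CRC, so a repaired file is proven whole."""
    pos = 8
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            return False
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != struct.unpack(">I", crc_bytes)[0]:
            return False
        if ctype == b"IEND":
            return True
        pos += 12 + length
    return False


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


def tiny_png() -> bytes:
    """Constructed 1x1 RGB PNG used as the embedded file in the sample blob."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, colour type 2 (RGB)
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte 0 + one red pixel
    return (SIGNATURES["png"][0] + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


# Constructed sample blob: junk, a PNG, padding, then a ZIP-shaped fragment.
ZIP_FRAGMENT = (b"PK\x03\x04" + b"\x00" * 26 + b"a.txt" + b"hello"
                + b"PK\x05\x06" + b"\x00" * 18)
BLOB = b"JUNKJUNK" + tiny_png() + b"\x00" * 5 + ZIP_FRAGMENT
ZIP_OFFSET = len(b"JUNKJUNK") + len(tiny_png()) + 5

if __name__ == "__main__":
    print("embedded:", scan_embedded(BLOB))
    damaged = b"\x00" * 8 + tiny_png()[8:]        # header zeroed, as xxd would reveal
    print("scan of damaged file:", scan_embedded(damaged))
    print("repaired and CRCs ok:", png_chunks_ok(repair_png_header(damaged)))
```

The damaged-header case is the one to remember: a scan keyed on magic bytes reports nothing, `file` says `data`, yet the `IHDR` chunk sitting at offset 12 gives the format away. Checking the chunk CRCs after the repair separates a genuinely recovered file from one that was corrupted further in.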
Full techniques: reference/file-analysis.md
Online Tools
| Tool | URL | Purpose |
|---|---|---|
| AperiSolve | aperisolve.com | All-in-one stego |
| StegOnline | stegonline.georgeom.net | Image analysis |
| CyberChef | gchq.github.io/CyberChef | Data transform |
Reference Files
- Steganography: Image/audio stego, LSB, AperiSolve
- Memory: Volatility 2/3, process analysis
- File Analysis: Magic bytes, binwalk, password cracking