
Ctf Forensics
Work through CTF forensics challenges with one-liner techniques and install lists for disk, memory, PCAP, stego, blockchain, and Windows artifacts.
Overview
ctf-forensics is an agent skill for the Ship phase that provides digital forensics and signal-analysis techniques for CTF challenges across disk, memory, network, crypto, and steganography artifacts.
Install
npx skills add https://github.com/ljagiello/ctf-skills --skill ctf-forensics
What is this skill?
- Covers disk images, memory dumps, PCAP, registry, PDF, stego, crypto txs, Docker images, coredumps, and side-channel traces
- Prerequisite install blocks for Linux apt, macOS Homebrew, pip (volatility3, Pillow, numpy), and Ruby zsteg
- One-liner quick reference per technique with deeper detail in linked supporting markdown files
- Includes specialized topics: 3D printing G-code forensics, DTMF spectrograms, packet timing, CD disc images
- `user-invocable: false`: not called by name; the agent loads it automatically when the task matches a forensics CTF context
- Prerequisite pip packages include volatility3, Pillow, numpy, and matplotlib
- Supporting deep-dive files include windows.md and 3d-printing.md
Adoption & trust: 4.4k installs on skills.sh; 2.3k GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are stuck on a forensics CTF with a memory dump, PCAP, or stego file and need an ordered toolkit and the exact commands instead of random googling.
Who is it for?
Solo builders and security hobbyists solving forensics CTFs who want install prerequisites and a technique index in one skill-loaded reference.
Skip if: Production incident response teams needing enterprise SIEM playbooks, or non-technical founders who are not analyzing challenge images or captures.
When should I use this skill?
Analyzing disk images, memory dumps, event logs, network captures, cryptocurrency transactions, steganography, PDFs, Windows registry, Volatility, PCAP, Docker images, coredumps, side-channel traces, DTMF audio, packet timing.
What do I get? / Deliverables
Your agent applies documented one-liners and supporting-file deep dives to extract flags, recover deleted files, or decode hidden channels from challenge artifacts.
- Extracted flags or credentials from challenge artifacts
- Documented analysis steps following skill one-liners and reference files
Journey fit
Forensics CTF work maps to the Ship security shelf because it trains incident-style artifact analysis and credential recovery, the same muscle you use before or after shipping sensitive systems. The Security subphase is the canonical home for forensic methodologies, Volatility, PCAP, and steganography playbooks rather than product feature build.
How it compares
Use it as a CTF technique cookbook loaded into the agent, not as an automated malware sandbox or a commercial DFIR platform.
Common Questions / FAQ
Who is ctf-forensics for?
Agent users tackling forensics CTF categories—disk, memory, logs, PCAP, blockchain, and stego—who want bash-friendly install steps and quick technique routing.
When should I use ctf-forensics?
Use it during Ship security practice when analyzing disk images, memory dumps, event logs, network captures, cryptocurrency transactions, or steganography in a CTF or lab setting.
Is ctf-forensics safe to install?
The skill instructs installing security and analysis tools via package managers; review the Security Audits panel on this page and only run untrusted challenge files in isolated environments.
SKILL.md
# CTF Forensics & Blockchain

Quick reference for forensics CTF challenges. Each technique has a one-liner here; see supporting files for full details.

## Prerequisites

**Python packages (all platforms):**

```bash
pip install volatility3 Pillow numpy matplotlib
```

**Linux (apt):**

```bash
apt install binwalk foremost libimage-exiftool-perl tshark sleuthkit \
  ffmpeg steghide testdisk john pcapfix
```

**macOS (Homebrew):**

```bash
brew install binwalk exiftool wireshark sleuthkit ffmpeg \
  testdisk john-jumbo
```

**Ruby gems (all platforms):**

```bash
gem install zsteg
```

## Additional Resources

- [3d-printing.md](3d-printing.md) - 3D printing forensics (PrusaSlicer binary G-code, QOIF, heatshrink)
- [windows.md](windows.md) - Windows forensics (registry, SAM, event logs, recycle bin, NTFS alternate data streams, USN journal, PowerShell history, Defender MPLog, WMI persistence, Amcache)
- [network.md](network.md) - Network forensics basics (tcpdump, TLS/SSL keylog decryption, TLS master key extraction from coredump, Wireshark, PCAP, port scanning, SMB3 decryption, 5G/NR protocols, WordPress recon, credentials, USB HID steno, BCD encoding, HTTP file upload exfiltration, split archive reassembly via timestamp ordering)
- [network-advanced.md](network-advanced.md) - Advanced network forensics (packet interval timing encoding, NTLMv2 hash cracking, TCP flag covert channel, DNS last-byte steganography, DNS trailing byte binary encoding, multi-layer PCAP with XOR + ZIP and mDNS key, Brotli decompression bomb seam analysis, SMB RID recycling via LSARPC, Timeroasting MS-SNTP hash extraction, dnscat2 reassembly, RADIUS shared secret cracking, RC4 stream identification, ICMP payload byte rotation, ICMP ping time-delay covert channel)
- [peripheral-capture.md](peripheral-capture.md) - USB/HID/Bluetooth peripheral traffic reconstruction (USB HID mouse/pen drawing recovery, USB HID keyboard capture decoding, USB keyboard LED Morse code exfiltration, USB HID keyboard arrow key navigation tracking, Bluetooth RFCOMM packet reassembly)
- [disk-and-memory.md](disk-and-memory.md) - Core disk/memory forensics (Volatility, disk mounting/carving, VM/OVA/VMDK, VMware snapshots, GIMP raw memory dump visual inspection, coredumps, Windows KAPE triage, PowerShell ransomware, Android forensics, Docker container forensics, cloud storage forensics, BSON reconstruction, TrueCrypt/VeraCrypt mounting)
- [disk-advanced.md](disk-advanced.md) - Advanced disk and memory techniques (deleted partitions, ZFS forensics, GPT GUID encoding, VMDK sparse parsing, memory dump string carving, ransomware key recovery, WordPerfect macro XOR, minidump ISO 9660 recovery, APFS snapshot recovery, RAID 5 XOR recovery, HFS+ resource fork recovery, Kyoto Cabinet hash DB forensics, SQLite edit history reconstruction)
- [disk-recovery.md](disk-recovery.md) - Disk recovery and extraction patterns (LUKS master key recovery, PRNG timestamp seed brute-force, VBA macro binary recovery, FemtoZip decompression, XFS filesystem reconstruction, tar duplicate entry extraction, nested matryoshka filesystem extraction, anti-carving via null byte interleaving, BTRFS subvolume/snapshot recovery, FAT16 free space data recovery, FAT16 deleted file recovery via Sleuth Kit fls/icat, ext2 orph
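The index above lists "packet interval timing encoding" and an "ICMP ping time-delay covert channel" among the network-advanced topics without showing how such a channel is actually read back. The decoder below is an added example written for this page; it is not code from the ctf-skills repository, and the encoding it decodes is a hypothetical one chosen for illustration: one bit per gap between consecutive packets, long gap = 1, short gap = 0, eight bits per byte, most significant bit first. The threshold between "long" and "short" is not assumed known; it is recovered from the gaps themselves with a two-cluster split, which is what lets the decoder survive network jitter. The sample capture is constructed inline in the shape that `tshark -r capture.pcap -T fields -e frame.time_epoch` prints (one absolute timestamp per line), so the same `parse_tshark_epoch` works on a real capture once the covert stream has been isolated with a display filter.

```python
"""Decode a packet inter-arrival-time covert channel from a capture.

Example written for this page, not taken from the ctf-skills repository.
Assumed (hypothetical) encoding: the sender emits one bit per gap between
consecutive packets, a long gap meaning 1 and a short gap meaning 0, eight
bits per byte, most significant bit first. The split between "long" and
"short" is recovered from the data with a two-cluster (1-D k-means) fit.
"""
import random
from statistics import mean, median
from typing import List


def parse_tshark_epoch(text: str) -> List[float]:
    """Parse `tshark -r cap.pcap -T fields -e frame.time_epoch` output:
    one absolute timestamp per line; blank lines are ignored."""
    return [float(line) for line in text.splitlines() if line.strip()]


def gaps_from_timestamps(timestamps: List[float]) -> List[float]:
    """Inter-arrival times between consecutive packets."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def split_threshold(gaps: List[float]) -> float:
    """Value separating short gaps from long ones.

    Start at the median and iterate the midpoint of the two cluster means
    (1-D k-means with k=2). Converges in a few rounds when the two gap
    classes are well separated, which any readable timing channel needs.
    """
    thr = median(gaps)
    for _ in range(50):
        low = [g for g in gaps if g <= thr]
        high = [g for g in gaps if g > thr]
        if not low or not high:        # only one class present: nothing to split
            break
        new_thr = (mean(low) + mean(high)) / 2
        if abs(new_thr - thr) < 1e-9:
            break
        thr = new_thr
    return thr


def bits_to_bytes(bits: List[int]) -> bytes:
    """Pack bits MSB-first; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def decode_timing_channel(timestamps: List[float]) -> bytes:
    """Full pipeline: timestamps -> gaps -> threshold -> bits -> bytes."""
    gaps = gaps_from_timestamps(timestamps)
    if len(gaps) < 8:                  # fewer than one byte of signal
        return b""
    thr = split_threshold(gaps)
    return bits_to_bytes([1 if g > thr else 0 for g in gaps])


def make_sample_capture(message: bytes, short: float = 0.05, long: float = 0.5,
                        jitter: float = 0.01, seed: int = 1) -> List[float]:
    """Constructed sample: packet timestamps encoding `message` under the
    assumed scheme, with deterministic pseudo-random jitter on every gap."""
    rng = random.Random(seed)
    t = 1700000000.0                   # arbitrary epoch start (constructed)
    timestamps = [t]
    for byte in message:
        for shift in range(7, -1, -1):
            bit = (byte >> shift) & 1
            t += (long if bit else short) + rng.uniform(-jitter, jitter)
            timestamps.append(t)
    return timestamps


# Constructed sample in the shape tshark prints it: one epoch time per line.
SAMPLE_TSHARK_OUTPUT = "\n".join(
    f"{t:.6f}" for t in make_sample_capture(b"flag{t1m1ng}"))

if __name__ == "__main__":
    recovered = decode_timing_channel(parse_tshark_epoch(SAMPLE_TSHARK_OUTPUT))
    print(recovered.decode("ascii", errors="replace"))
```

On a real challenge the first job is isolating the covert stream (one ICMP id, one UDP flow) with a tshark display filter before exporting `frame.time_epoch`; mixing in unrelated packets destroys the two-cluster structure the threshold search depends on. If the recovered bytes are not printable, try the inverted bit convention and the opposite bit order before assuming the channel is something else.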