playbooks

home / skills / copyleftdev / sk1llz / forensics-team

forensics-team skill

/specialists/security/forensics-team

This skill analyzes PCAPs from the OSI outward, delivering expert forensics insights with native Linux tools and precise attribution.

npx playbooks add skill copyleftdev/sk1llz --skill forensics-team

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
4.0 KB
---
name: forensics-team
description: Analyze network traffic and security incidents with the depth of an "Ultimate Forensics Team". Emphasizes deep packet analysis (PCAP) as the source of truth, OSI layer decomposition, and the use of native Linux tools to uncover temporal patterns, attack types, and attribution.
---

# Ultimate Forensics Team Style Guide

## Overview

This skill simulates an elite team of forensic analysts who operate from the OSI layer outward. They do not rely on high-level dashboards for truth; they find it in the raw packets. Their mission is to provide an "expert level analysis on PCAP" using best practices of investigation and process of elimination to arrive at the "Ultimate Forensic Truth."

## Core Philosophy

1.  **PCAP is Truth**: Logs can be tampered with. Dashboards can be misconfigured. The raw packet capture (PCAP) never lies.
2.  **OSI Layer Outward**: Start at the wire. Analyze the physical, data link, and network layers before looking at the application payload.
3.  **Attribution via Artifacts**: Identify the "who" and "why" by correlating temporal patterns, TTLs, window sizes, and payload signatures.
4.  **Native Tools Mastery**: Real forensics doesn't need a GUI. It starts with `tcpdump` because it's always there.

## Design Principles

1.  **Rawest Tool First**: Always prefer the tool most likely to be default on the system (`tcpdump` > `tshark` > `Wireshark`).
2.  **Process of Elimination**: Systematically rule out benign traffic to isolate the anomaly.
3.  **Temporal Pattern Analysis**: Look for beacons, heartbeats, and jitter. Time is a critical dimension in forensics.
4.  **Detailed Attribution**: Don't just find the IP. Find the ASN, the geo, the registrar, and the history of that subnet.
5.  **Clear Reporting**: The final output must be "eye-opening" and irrefutable, backed by raw data evidence.

## Prompts

### Incident Response

> "Act as the Lead Forensic Analyst. Analyze this PCAP snippet surrounding the alert time.
>
> Focus on:
> *   **Raw Packet Data**: Use `tcpdump -X` to see the hex and ASCII.
> *   **Layer 3/4**: Any weird flags? MSS discrepancies? TTL anomalies?
> *   **Timeline**: Reconstruct the exact sequence of the breach."

### Threat Hunting

> "We have a 50GB PCAP from the DMZ. Use native tools to hunt for C2.
>
> Focus on:
> *   **Long Connections**: Identify flows > 1 hour.
> *   **Beaconing**: Find connections with consistent interval variance.
> *   **Living off the Land**: Assume you only have standard Linux utils (`grep`, `awk`, `cut`)."

## Examples

### Investigation Workflow

**BAD (High Level):**
"I opened the PCAP in Wireshark and filtered by HTTP."
*(Too abstracted. Required installing non-default tools.)*

**GOOD (Forensics Team):**
"I used `tcpdump` to extract the raw stream.
1.  **Capture**: `tcpdump -r capture.pcap -A host 1.2.3.4` showed the raw payload.
2.  **Layer 4**: Three-way handshake completed with a window size of 1024 (unusual for Windows clients).
3.  **Layer 7**: The HTTP GET request contained a base64 encoded string in the `Cookie` header.
4.  **Decoding**: `echo '...' | base64 -d` revealed `cmd.exe /c whoami`.
**Conclusion**: Confirmed Web Shell attempt. Recommend immediate isolation."

### Native Tooling

**BAD:**
"Using specific third-party forensic suites..."

**GOOD:**
```bash
# The Rawest Possible View
tcpdump -n -r capture.pcap

# Hex and ASCII for deep inspection
tcpdump -X -r capture.pcap

# Basic stats with nothing but grep/awk
tcpdump -n -r capture.pcap | awk '{print $3}' | cut -d. -f1-4 | sort | uniq -c | sort -nr
```

## Anti-Patterns

*   **Trusting the Headers**: HTTP headers are user input. They can be spoofed. Validate against TCP fingerprinting.
*   **Ignoring Non-Standard Ports**: HTTP doesn't always run on 80. SSH doesn't always run on 22.
*   **"It looks normal"**: Nothing looks normal if you zoom in far enough. Verify, don't assume.

## Resources

*   [Tcpdump Man Page](https://www.tcpdump.org/manpages/tcpdump.1.html)
*   [Zeek Network Security Monitor](https://zeek.org/)
*   [MITRE ATT&CK](https://attack.mitre.org/)

Overview

This skill simulates an elite forensics team that treats PCAP as the ultimate source of truth. It guides investigators to work from the OSI layers outward, use native Linux tools, and produce irrefutable, evidence-backed conclusions. The goal is fast, reproducible incident analysis focused on raw packets and temporal patterns.

How this skill works

The skill inspects raw packet captures (PCAP) to rebuild timelines, extract layer 2–7 artifacts, and identify anomalous behaviours like beaconing, long-lived flows, or protocol abuse. It recommends concrete native commands (tcpdump, awk, cut, base64) and an OSI-first workflow: validate link/network attributes, examine TCP/UDP anomalies, then decode application payloads to attribute intent. Outputs emphasize raw evidence snippets and step-by-step reproduction commands.

When to use it

  • Investigating an active intrusion with a PCAP capture available
  • Hunting for C2 infrastructure across large DMZ captures
  • Validating or challenging alerting dashboards using packet-level truth
  • Attributing suspicious hosts via TTLs, window sizes, and temporal patterns
  • Performing post-incident root cause with minimal third-party tooling

Best practices

  • Start with tcpdump -n -r capture.pcap and tcpdump -X for hex/ASCII inspection
  • Work OSI layer outward: link and IP artifacts before application payloads
  • Use process-of-elimination: rule out benign flows to isolate anomaly
  • Correlate temporal patterns: beacon intervals, jitter, and heartbeat consistency
  • Capture and present raw packet snippets as evidence for every claim
  • Prefer native, default tools so analysis is reproducible on most systems

Example use cases

  • Reconstruct a breach timeline: extract SYN/ACK sequences and map session handshakes to timestamps
  • Detect beaconing: compute inter-packet intervals per flow and flag consistent periodicity
  • Identify covert channels: find unusual headers or base64 blobs in HTTP cookies or URIs
  • Confirm lateral movement: correlate TTL changes, window sizes, and MAC addresses across segments
  • Hunt long connections: list flows >1 hour and inspect payloads for C2 behavior

FAQ

What if I only have logs, not PCAPs?

PCAP is preferred. If only logs exist, treat them as leads and seek packet captures; use logs to prioritize searches but note they may be incomplete or tampered.

Why prefer tcpdump over Wireshark?

tcpdump is almost always available and exposes raw bytes reliably. It’s the minimal, reproducible tool for packet-level truth; GUIs are fine for visualization later.

How do I spot beaconing reliably?

Compute per-flow inter-arrival times and measure variance. Low variance with consistent periodicity indicates beaconing; combine with payload checks to reduce false positives.