dfir
Purpose
This skill enables the AI to perform digital forensics and incident response (DFIR) tasks, including detecting anomalies, analyzing artifacts, and mitigating threats in cybersecurity incidents. It focuses on tools like Volatility for memory analysis and Autopsy for disk forensics, helping to investigate breaches systematically.
When to Use
Use this skill during active incidents, such as malware infections or data breaches, when quick analysis is needed. Apply it for proactive threat hunting in blue-team operations or for post-incident reviews to gather evidence. Avoid it for routine monitoring; reserve it for scenarios that require deep forensic examination.
Key Capabilities
- Memory forensics: Parse memory dumps using Volatility to extract processes and network connections.
- Disk analysis: Examine file systems with Autopsy to identify deleted files or timelines.
- Incident response: Automate artifact collection and threat mitigation, e.g., isolating hosts via scripts.
- Malware detection: Scan binaries with YARA rules to match indicators of compromise (IOCs).
- Reporting: Generate timelines and reports from analyzed data for evidence preservation.
Usage Patterns
Invoke this skill via OpenClaw's Python API by importing the module and calling methods with required parameters. Always specify input files or targets explicitly. For CLI-based tools, wrap them in OpenClaw functions to handle execution. Use asynchronous patterns for long-running tasks, like await openclaw.dfir.analyze(). Pass authentication via environment variables, e.g., set $DFIR_API_KEY before running.
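The following is an added example, not code from the OpenClaw dfir skill, showing the memory-forensics, timeline and anomaly-detection capabilities listed above together with the asynchronous CLI-wrapping pattern. It parses Volatility 3 windows.pslist output as produced by the CSV renderer (the column names are an assumption about that renderer), builds a process-creation timeline, and flags core Windows processes whose parent is missing or unexpected. The sample output embedded below is constructed, and the run_pslist wrapper assumes a vol executable on PATH; the wrapper is not exercised by the stand-alone run.

```python
"""Added example for the dfir skill page; not OpenClaw's or Volatility's own code.
Parses Volatility 3 windows.pslist output (CSV renderer, column names assumed),
builds a process-creation timeline and flags parent-lineage anomalies."""
import asyncio
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample modelled on `vol -r csv -f <image> windows.pslist` output.
# The last row is a constructed lsass.exe whose parent pid does not exist.
SAMPLE_PSLIST_CSV = """\
Volatility 3 Framework x.y.z
TreeDepth,PID,PPID,ImageFileName,Offset(V),Threads,Handles,SessionId,Wow64,CreateTime,ExitTime,File output
0,4,0,System,0xfa8000c9e040,100,500,N/A,False,2024-01-10 08:00:00.000000 ,N/A,Disabled
1,368,4,smss.exe,0xfa80018f6b30,2,30,N/A,False,2024-01-10 08:00:02.000000 ,N/A,Disabled
2,452,368,csrss.exe,0xfa8001a02b30,9,400,0,False,2024-01-10 08:00:05.000000 ,N/A,Disabled
2,500,368,wininit.exe,0xfa8001a1a060,3,75,0,False,2024-01-10 08:00:06.000000 ,N/A,Disabled
3,596,500,services.exe,0xfa8001b4e5e0,7,200,0,False,2024-01-10 08:00:08.000000 ,N/A,Disabled
3,604,500,lsass.exe,0xfa8001b56b30,6,600,0,False,2024-01-10 08:00:09.000000 ,N/A,Disabled
4,744,596,svchost.exe,0xfa8001c0e060,10,350,0,False,2024-01-10 08:00:12.000000 ,N/A,Disabled
0,2288,5120,lsass.exe,0xfa80023e9b30,2,40,1,False,2024-01-10 08:41:17.000000 ,N/A,Disabled
"""

@dataclass
class Process:
    pid: int
    ppid: int
    name: str
    create_time: Optional[datetime]

# Core Windows processes whose parent normally stays alive for the life of the
# system, so a missing or different parent deserves analyst attention.
# csrss.exe/wininit.exe are left out: their parent smss.exe instance exits normally.
EXPECTED_PARENT = {
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}

def _parse_time(value: str) -> Optional[datetime]:
    """Volatility prints times as 'YYYY-MM-DD HH:MM:SS.ffffff' or 'N/A'."""
    value = value.strip()
    if not value or value == "N/A":
        return None
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)

def parse_pslist_csv(text: str) -> list[Process]:
    """Extract processes from pslist CSV output, skipping any banner lines."""
    lines = text.splitlines()
    start = next(i for i, line in enumerate(lines) if line.startswith("TreeDepth,"))
    reader = csv.DictReader(io.StringIO("\n".join(lines[start:])))
    return [Process(int(r["PID"]), int(r["PPID"]), r["ImageFileName"],
                    _parse_time(r["CreateTime"])) for r in reader]

def build_timeline(procs: list[Process]) -> list[tuple]:
    """Chronological (create_time, pid, name) entries for reporting."""
    return sorted(((p.create_time, p.pid, p.name) for p in procs if p.create_time),
                  key=lambda e: e[0])

def find_lineage_anomalies(procs: list[Process]) -> list[str]:
    """Flag core processes whose parent is absent or not the expected image."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        expected = EXPECTED_PARENT.get(p.name.lower())
        if expected is None:
            continue
        parent = by_pid.get(p.ppid)
        if parent is None:
            findings.append(f"{p.name} (pid {p.pid}): parent pid {p.ppid} is not in the process list")
        elif parent.name.lower() != expected:
            findings.append(f"{p.name} (pid {p.pid}): parent is {parent.name} (pid {parent.pid}), expected {expected}")
    return findings

async def run_pslist(memory_image: str) -> str:
    """Async wrapper for the CLI tool; assumes `vol` (Volatility 3) is on PATH."""
    proc = await asyncio.create_subprocess_exec(
        "vol", "-r", "csv", "-f", memory_image, "windows.pslist",
        stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE)
    out, err = await proc.communicate()
    if proc.returncode != 0:
        raise RuntimeError(err.decode(errors="replace"))
    return out.decode(errors="replace")

def analyze(text: str) -> dict:
    """Turn raw pslist output into a small evidence report."""
    procs = parse_pslist_csv(text)
    return {"processes": len(procs),
            "timeline": build_timeline(procs),
            "anomalies": find_lineage_anomalies(procs)}

if __name__ == "__main__":
    report = analyze(SAMPLE_PSLIST_CSV)
    for created, pid, name in report["timeline"]:
        print(created.isoformat(), pid, name)
    for finding in report["anomalies"]:
        print("ANOMALY:", finding)
```

On a real dump, `await run_pslist("/path/to/image.raw")` feeds `analyze`; the lineage table is deliberately small so it does not produce false positives for processes whose parent legitimately exits, and any finding is a lead for the analyst rather than a verdict.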