performing-disk-forensics-investigation
Installation
SKILL.md
Performing Disk Forensics Investigation
When to Use
- A security incident requires forensic analysis of a system's persistent storage
- Evidence preservation is needed for potential legal proceedings or HR investigations
- Deleted files, browser history, or application artifacts must be recovered
- A timeline of user or adversary activity must be reconstructed from file system metadata
- Malware persistence mechanisms stored on disk need identification and documentation
Do not use for volatile evidence (running processes, network connections); use memory forensics with Volatility instead.