Does this skill require administrative privileges?

Yes, administrative rights are required to access low-level system files like the $MFT, registry hives, and event logs on a live Windows system.

How does this skill help detect timestomping?

It provides specific instructions for comparing $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) timestamps within MFT records to identify chronological anomalies.

What are Eric Zimmerman Tools (EZ Tools)?

EZ Tools are a collection of open-source forensic utilities used by DFIR professionals to parse Windows artifacts such as the Master File Table, Registry hives, and Prefetch files.

Can this skill help with live system triage?

Yes, it includes workflows for KAPE (Kroll Artifact Parser and Extractor) to perform live triage collection and automated processing on active Windows workstations or servers.

Windows Forensics with Eric Zimmerman Tools

Name: Windows Forensics with Eric Zimmerman Tools
Author: mukul975

bymukul975

•

4,121

•

Seguridad y Pruebas

Performs comprehensive Windows digital forensics by parsing registry hives, event logs, and file system metadata using the Eric Zimmerman EZ Tools suite.

This skill enables Claude to guide and execute deep forensic analysis of Windows artifacts using the industry-standard EZ Tools suite. It covers the full investigation lifecycle from artifact collection with KAPE to detailed parsing of MFT records, prefetch files, jump lists, and event logs. Designed for incident responders and security auditors, it provides structured command-line workflows for identifying program execution, lateral movement, and data exfiltration patterns while facilitating visual analysis through Timeline Explorer integration. Users can efficiently detect timestomping, reconstruct user activity, and automate triage collection on live or imaged systems.

Características Principales

01Timestomping detection and chronological timeline generation for forensic investigations

024,121 GitHub stars

03Automated artifact triage collection and processing via KAPE orchestration

04Windows Registry and Event Log deep-dive parsing with RECmd and EvtxECmd

05Detailed NTFS file system analysis using MFTECmd for $MFT and USN Journal parsing

06Execution forensics through Prefetch (PECmd), LNK (LECmd), and Jump List (JLECmd) analysis

Casos de Uso

01Reconstructing granular user activity timelines during incident response engagements

02Analyzing unauthorized data access or exfiltration through shortcut and shellbag analysis

03Investigating malware execution, persistence, and lateral movement on Windows endpoints

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills performing-windows-artifact-analysis-with-eric-zimmerman-tools

For use in Claude.ai and ChatGPT

Características Principales

01Timestomping detection and chronological timeline generation for forensic investigations

024,121 GitHub stars

03Automated artifact triage collection and processing via KAPE orchestration

04Windows Registry and Event Log deep-dive parsing with RECmd and EvtxECmd

05Detailed NTFS file system analysis using MFTECmd for $MFT and USN Journal parsing

06Execution forensics through Prefetch (PECmd), LNK (LECmd), and Jump List (JLECmd) analysis

Casos de Uso

01Reconstructing granular user activity timelines during incident response engagements

02Analyzing unauthorized data access or exfiltration through shortcut and shellbag analysis

03Investigating malware execution, persistence, and lateral movement on Windows endpoints

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills performing-windows-artifact-analysis-with-eric-zimmerman-tools

For use in Claude.ai and ChatGPT