A collection of LLM skills for DFIR (Digital Forensics and Incident Response) tooling.

| Skill | Description |
|---|---|
| amcacheparser | Parse and extract Windows Amcache.hve registry hive using Eric Zimmerman's AmcacheParser. |
| appcompatcacheparser | Parse and extract Windows Application Compatibility Cache (ShimCache) from SYSTEM registry hive using Eric Zimmerman's AppCompatCacheParser. |
| evtxecmd | Parse and extract Windows Event Log (.evtx) files using Eric Zimmerman's EvtxECmd. |
| jlecmd | Parse and extract Windows Jump List files (AutomaticDestinations and CustomDestinations) using Eric Zimmerman's JLECmd. |
| lecmd | Parse and extract Windows shortcut (.lnk) files using Eric Zimmerman's LECmd. |
| mftecmd | Parse and extract NTFS artifacts ($MFT, $J USN Journal, $Boot, $SDS, $I30) using Eric Zimmerman's MFTECmd. |
| pecmd | Parse and extract Windows Prefetch (.pf) files using Eric Zimmerman's PECmd. |
| rbcmd | Parse and extract Windows Recycle Bin artifacts ($I files and INFO2) using Eric Zimmerman's RBCmd. |
| recentfilecacheparser | Parse and extract Windows RecentFileCache.bcf files using Eric Zimmerman's RecentFileCacheParser. |
| recmd | Parse and extract Windows Registry hive data using Eric Zimmerman's RECmd. |
| sbecmd | Parse and extract Windows ShellBags data from registry hives using Eric Zimmerman's SBECmd. |
| sqlecmd | Parse and extract data from SQLite databases using Eric Zimmerman's SQLECmd. |
| srumecmd | Parse and extract Windows SRUM (System Resource Usage Monitor) database using Eric Zimmerman's SrumECmd. |
| sumecmd | Parse and extract Windows User Access Logging (UAL) databases using Eric Zimmerman's SumECmd. |

Each skill in the skills/ directory contains detailed instructions for using its forensic tool, including command syntax, options, and workflow examples.

Refer to CLAUDE.md for tool resolution and case directory setup guidelines.