disk-forensics

Analyze disk images, file systems, and memory captures for digital evidence recovery in forensic investigations and CTF challenges. Use when the user mentions 'disk forensics,' 'forensic analysis,' 'disk image,' 'file carving,' 'deleted files,' 'evidence recovery,' 'timeline analysis,' 'memory forensics,' 'volatility,' 'autopsy,' 'sleuthkit,' 'plaso,' 'log2timeline,' 'artifact analysis,' 'chain of custody,' or needs to examine a forensic image.

Quality

88%

Does it follow best practices?

Impact

—

No eval scenarios have been run

Securityby

Passed

No known issues

Quality

Content

77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a strong, actionable forensics skill with excellent workflow clarity and concrete executable commands throughout. Its main weakness is that it's somewhat long for a single SKILL.md without supporting bundle files — the artifact lists, output template, and detailed tool references could benefit from progressive disclosure into separate files. The authorization check and evidence handling principles are well-placed safety boundaries.

Suggestions

Extract the detailed output format template and artifact recovery checklists into separate bundle files (e.g., REPORT_TEMPLATE.md, ARTIFACTS.md) to reduce the main skill's token footprint.

Trim the References section — Claude already knows about NIST SP 800-86 and Sleuth Kit docs; these tokens don't add actionable value.

Dimension	Reasoning	Score
Conciseness	Generally efficient but includes some unnecessary content like the References section (Claude knows these exist), some explanatory text that could be trimmed (e.g., 'For encrypted volumes, identify the encryption type and request the key/passphrase'), and the cross-references section adds moderate overhead. The authorization check, while important, is somewhat verbose.	2 / 3
Actionability	Provides fully executable, copy-paste-ready commands throughout (fdisk, mmls, mount, fls, icat, foremost, bulk_extractor, etc.) with specific flags and arguments. Each step has concrete commands rather than abstract descriptions, and the output format template is directly usable.	3 / 3
Workflow Clarity	Clear 8-step sequential methodology with explicit validation at Step 1 (hash verification before proceeding), read-only mounting constraints, and anomaly detection flags in Step 8. The workflow naturally builds from identification → integrity → partition → mount → analysis → recovery → timeline, with the authorization check as a gate before any work begins.	3 / 3
Progressive Disclosure	The content is well-structured with clear sections and headers, but it's a fairly long monolithic document (~150 lines of substantive content) with no bundle files to offload detailed reference material. The artifact recovery section and output format template could reasonably be split into separate reference files. Cross-references to other skills are mentioned but no supporting bundle files exist.	2 / 3
	Total	10 / 12 Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong skill description that clearly defines its forensic analysis domain, lists concrete capabilities, and provides an extensive 'Use when...' clause with both general and tool-specific trigger terms. It uses proper third-person voice and is well-structured for skill selection among many options. The only minor note is that the list of trigger terms is quite long, but each term is relevant and adds value.

Dimension	Reasoning	Score
Specificity	Lists multiple specific concrete actions: 'Analyze disk images, file systems, and memory captures for digital evidence recovery' covers distinct forensic activities. It also references specific contexts like 'forensic investigations and CTF challenges.'	3 / 3
Completeness	Clearly answers both 'what' (analyze disk images, file systems, memory captures for digital evidence recovery) and 'when' (explicit 'Use when...' clause with a comprehensive list of trigger terms and scenarios).	3 / 3
Trigger Term Quality	Excellent coverage of natural trigger terms users would say, including both general terms ('disk forensics,' 'deleted files,' 'evidence recovery') and specific tool names ('volatility,' 'autopsy,' 'sleuthkit,' 'plaso,' 'log2timeline'). These are terms a user would naturally use when seeking forensic analysis help.	3 / 3
Distinctiveness Conflict Risk	Highly distinctive niche in digital forensics with specific tool names and domain-specific terminology. Unlikely to conflict with other skills unless there's another forensics-specific skill, as the triggers are very domain-specific.	3 / 3
	Total	12 / 12 Passed

Validation

90%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 10 / 11 Passed

Validation for skill structure

Criteria	Description	Result
allowed_tools_field	'allowed-tools' contains unusual tool name(s)	Warning

	Total	10 / 11 Passed

Repository: briiirussell/cybersecurity-skills
Commit: c9ade03

Reviewed: 27 days ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.