Analyze disk images, file systems, and memory captures for digital evidence recovery in forensic investigations and CTF challenges. Use when the user mentions 'disk forensics,' 'forensic analysis,' 'disk image,' 'file carving,' 'deleted files,' 'evidence recovery,' 'timeline analysis,' 'memory forensics,' 'volatility,' 'autopsy,' 'sleuthkit,' 'plaso,' 'log2timeline,' 'artifact analysis,' 'chain of custody,' or needs to examine a forensic image.
72
88% (Does it follow best practices?)
Impact: — (No eval scenarios have been run)
Passed: No known issues
Quality
Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly defines its forensic analysis domain, lists concrete capabilities, and provides an extensive 'Use when...' clause with both general and tool-specific trigger terms. It uses proper third-person voice and is well-structured for skill selection among many options. The only minor note is that the list of trigger terms is quite long, but each term is relevant and adds value.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'Analyze disk images, file systems, and memory captures for digital evidence recovery' covers distinct forensic activities. It also references specific contexts like 'forensic investigations and CTF challenges.' | 3 / 3 |
| Completeness | Clearly answers both 'what' (analyze disk images, file systems, memory captures for digital evidence recovery) and 'when' (explicit 'Use when...' clause with a comprehensive list of trigger terms and scenarios). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms users would say, including both general terms ('disk forensics,' 'deleted files,' 'evidence recovery') and specific tool names ('volatility,' 'autopsy,' 'sleuthkit,' 'plaso,' 'log2timeline'). These are terms a user would naturally use when seeking forensic analysis help. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive niche in digital forensics with specific tool names and domain-specific terminology. Unlikely to conflict with other skills unless there's another forensics-specific skill, as the triggers are very domain-specific. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
77%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong, actionable forensics skill with excellent workflow clarity and concrete executable commands throughout. Its main weakness is that it's somewhat long for a single SKILL.md without supporting bundle files — the artifact lists, output template, and detailed tool references could benefit from progressive disclosure into separate files. The authorization check and evidence handling principles are well-placed safety boundaries.
Suggestions
Extract the detailed output format template and artifact recovery checklists into separate bundle files (e.g., REPORT_TEMPLATE.md, ARTIFACTS.md) to reduce the main skill's token footprint.
Trim the References section — Claude already knows about NIST SP 800-86 and Sleuth Kit docs; these tokens don't add actionable value.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Generally efficient but includes some unnecessary content like the References section (Claude knows these exist), some explanatory text that could be trimmed (e.g., 'For encrypted volumes, identify the encryption type and request the key/passphrase'), and the cross-references section adds moderate overhead. The authorization check, while important, is somewhat verbose. | 2 / 3 |
| Actionability | Provides fully executable, copy-paste-ready commands throughout (fdisk, mmls, mount, fls, icat, foremost, bulk_extractor, etc.) with specific flags and arguments. Each step has concrete commands rather than abstract descriptions, and the output format template is directly usable. | 3 / 3 |
| Workflow Clarity | Clear 8-step sequential methodology with explicit validation at Step 1 (hash verification before proceeding), read-only mounting constraints, and anomaly detection flags in Step 8. The workflow naturally builds from identification → integrity → partition → mount → analysis → recovery → timeline, with the authorization check as a gate before any work begins. | 3 / 3 |
| Progressive Disclosure | The content is well-structured with clear sections and headers, but it's a fairly long monolithic document (~150 lines of substantive content) with no bundle files to offload detailed reference material. The artifact recovery section and output format template could reasonably be split into separate reference files. Cross-references to other skills are mentioned but no supporting bundle files exist. | 2 / 3 |
| Total | | 10 / 12 Passed |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| Total | | 10 / 11 Passed |
c9ade03