Parses and analyzes the Windows Amcache.hve registry hive to extract evidence of program execution, application installation, and driver loading for digital forensics investigations. Uses Eric Zimmerman's AmcacheParser and Timeline Explorer for artifact extraction, SHA-1 hash correlation with threat intel, and timeline reconstruction. Activates for requests involving Amcache forensics, program execution evidence, Windows artifact analysis, or application compatibility cache investigation.
Score: 90
Quality: 88% (Does it follow best practices?)
Impact: Pending. No eval scenarios have been run.
Advisory: Suggest reviewing before use.
Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly defines a narrow forensic analysis domain with specific actions, tools, and trigger conditions. It uses third-person voice throughout, lists concrete capabilities, and provides explicit activation criteria. The description is well-structured and would allow Claude to confidently select this skill when Amcache-related forensic analysis is needed.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'parses and analyzes the Windows Amcache.hve registry hive', 'extract evidence of program execution, application installation, and driver loading', 'SHA-1 hash correlation with threat intel', 'timeline reconstruction'. Also names specific tools (AmcacheParser, Timeline Explorer). | 3 / 3 |
| Completeness | Clearly answers 'what' (parses Amcache.hve, extracts execution/installation/driver evidence, SHA-1 correlation, timeline reconstruction) and 'when' with an explicit trigger clause: 'Activates for requests involving Amcache forensics, program execution evidence, Windows artifact analysis, or application compatibility cache investigation.' | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords a forensics analyst would use: 'Amcache.hve', 'registry hive', 'program execution', 'digital forensics', 'Amcache forensics', 'Windows artifact analysis', 'application compatibility cache', 'SHA-1 hash', 'threat intel', 'timeline'. Good coverage of domain-specific terms users would naturally mention. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly specific niche: Windows Amcache.hve forensic analysis with named tools (AmcacheParser, Timeline Explorer). This is unlikely to conflict with other skills given the very specific artifact type and forensic domain focus. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 77%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong, highly actionable forensic analysis skill with clear workflow steps, executable commands, and a comprehensive verification checklist. Its main weakness is length—the Key Concepts glossary and some explanatory text could be trimmed or moved to a reference file to improve token efficiency. The workflow clarity and actionability are excellent, making this skill very usable in practice.
Suggestions
Move the Key Concepts table to a separate REFERENCE.md file and link to it, reducing the main skill's token footprint.
Remove definitions Claude already knows (e.g., SHA-1 Hash, Transaction Logs) or reduce them to one-line contextual notes only where forensic-specific meaning differs from general knowledge.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is fairly detailed and well-structured but includes some unnecessary verbosity. The Key Concepts table explains terms like 'SHA-1 Hash' and 'Transaction Logs' that Claude already knows. The 'When to Use' section is somewhat lengthy with explanations that could be tightened. However, most content is domain-specific forensic knowledge that adds value. | 2 / 3 |
| Actionability | The skill provides fully executable PowerShell commands, specific AmcacheParser CLI flags, concrete column names to examine, specific filter criteria, and real tool names with exact usage patterns. The commands are copy-paste ready and include multiple options for different scenarios. | 3 / 3 |
| Workflow Clarity | The 7-step workflow is clearly sequenced from acquisition through parsing, analysis, correlation, and timeline building. The verification checklist at the end serves as an explicit validation checkpoint. Each step builds logically on the previous one, and the skill includes guidance on what to do when suspicious indicators are found. | 3 / 3 |
| Progressive Disclosure | The content is well-organized with clear headers and logical sections, but it's a monolithic document (~200 lines) that could benefit from splitting detailed reference material (like the Key Concepts table, column definitions, and hash correlation procedures) into separate reference files. No external file references are provided for advanced topics. | 2 / 3 |
| Total | | 10 / 12 Passed |
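The evaluation above describes the skill's acquisition-to-timeline workflow and its AmcacheParser commands without reproducing them. The PowerShell script below is an added example of that workflow, written for this page; it is not the skill's own code and not part of the evaluator's output. It assumes the hive has already been acquired (the live copy at C:\Windows\appcompat\Programs\Amcache.hve is locked, so collect it from a volume shadow copy or a raw-disk/KAPE collection, together with the Amcache.hve.LOG1 and .LOG2 transaction logs so AmcacheParser can replay them), that AmcacheParser.exe sits at an assumed path, and that the CSV file names and columns (FullPath, SHA1, IsOsComponent, FileKeyLastWriteTimestamp, LinkDate) match current AmcacheParser output; verify those names against your own parser version. The IOC list is a constructed placeholder. Two caveats the correlation step must respect: the SHA-1 Amcache records covers only the first 30 MiB (31,457,280 bytes) of a file, so larger binaries will not match a full-file hash from threat intel, and the hive stores it with a leading "0000" that should be stripped before comparison; and an Amcache entry proves the file was inventoried on the host, which is strong evidence of presence but not by itself proof of execution.

```powershell
# Added example (not the skill's code): Amcache triage with AmcacheParser.
# Assumed: parser path, CSV file/column names as emitted by current AmcacheParser.
param(
    [Parameter(Mandatory)] [string] $HivePath,            # acquired Amcache.hve (+ .LOG1/.LOG2 beside it)
    [string] $ParserPath = 'C:\Tools\AmcacheParser.exe',  # assumed install location
    [string] $OutDir     = 'C:\Cases\amcache'
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# Amcache stores the SHA-1 of the first 30 MiB of a file, prefixed with "0000".
# Normalise both IOC and parser output so the comparison is prefix- and case-insensitive.
function ConvertTo-AmcacheSha1 {
    param([string] $Hash)
    $h = ($Hash -replace '\s', '').ToLowerInvariant()
    if ($h.Length -eq 44 -and $h.StartsWith('0000')) { $h = $h.Substring(4) }
    return $h
}

# Constructed threat-intel list: placeholder values, not real malware hashes.
$iocFile = Join-Path $OutDir 'ioc_sha1.txt'
@(
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
    '0000bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'   # prefixed form, stripped on load
) | Set-Content -Path $iocFile
$ioc = @{}
foreach ($line in Get-Content $iocFile) {
    if ($line.Trim()) { $ioc[(ConvertTo-AmcacheSha1 $line)] = $true }
}

# Step 1: parse the hive. -i also emits file entries tied to Program entries;
# dirty hives are replayed from the transaction logs if they sit beside the hive.
& $ParserPath -f $HivePath --csv $OutDir -i
if ($LASTEXITCODE -ne 0) { throw "AmcacheParser failed with exit code $LASTEXITCODE" }

# Step 2: load the file-entry CSVs (Associated = tied to a Program entry, Unassociated = not).
$csvs    = Get-ChildItem -Path $OutDir -Filter '*Amcache_*FileEntries.csv'
$entries = @(foreach ($c in $csvs) { Import-Csv -Path $c.FullName })

# Step 3: correlate SHA-1 values with the IOC list.
$hits = @($entries | Where-Object {
    $_.SHA1 -and $ioc.ContainsKey((ConvertTo-AmcacheSha1 $_.SHA1))
})

# Step 4: surface non-OS binaries in user-writable locations (-match is case-insensitive).
$suspicious = @($entries | Where-Object {
    $_.IsOsComponent -ne 'True' -and
    $_.FullPath -match '^c:\\(users|programdata|windows\\temp)\\'
})

# Step 5: timeline. FileKeyLastWriteTimestamp is when the file's registry key was
# last written (its inventory time), not a recorded execution time. The default
# parser format (yyyy-MM-dd HH:mm:ss) sorts correctly as a string.
$timeline = $entries | ForEach-Object {
    [pscustomobject]@{
        Timestamp = $_.FileKeyLastWriteTimestamp
        Source    = 'Amcache'
        Path      = $_.FullPath
        SHA1      = ConvertTo-AmcacheSha1 $_.SHA1
        LinkDate  = $_.LinkDate
        IocHit    = $ioc.ContainsKey((ConvertTo-AmcacheSha1 $_.SHA1))
    }
} | Sort-Object Timestamp

$hits       | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'ioc_hits.csv')
$suspicious | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'suspicious_paths.csv')
$timeline   | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'amcache_timeline.csv')
'{0} file entries, {1} IOC hits, {2} non-OS binaries in user-writable paths' -f $entries.Count, $hits.Count, $suspicious.Count
```

The script does the hash match in PowerShell so the normalisation is visible; AmcacheParser can also restrict its own output to a hash list with `-b <file>` (and exclude known-good hashes with `-w <file>`), which is the quicker route when the IOC set is large. The resulting amcache_timeline.csv loads directly into Timeline Explorer and can be merged with ShimCache, Prefetch or UserAssist output, which is where execution, as opposed to presence, is actually established.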
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |
c15f73d