Performing Endpoint Forensics Investigation

When to Use

Use this skill when:

- Investigating a confirmed or suspected endpoint compromise requiring forensic analysis
- Collecting volatile and non-volatile evidence for incident response or legal proceedings
- Analyzing memory dumps for malware, injected code, or credential theft artifacts
- Reconstructing attacker timelines from endpoint artifacts (prefetch, shimcache, amcache)

Do not use this skill for live threat hunting (use EDR/SIEM) or network forensics.

Prerequisites

- Forensic workstation with analysis tools (Volatility 3, KAPE, Autopsy…