Forensics Framework

Forensics Framework

You're investigating an incident. You have a compromised host, a cloud account with suspicious activity, or a container that shouldn't be running. You need structured investigation that doesn't miss steps, evidence that's preserved correctly, and a report you can hand to someone else.

The forensics framework covers the full DFIR lifecycle: target profiling, volatile data capture, evidence acquisition, multi-source analysis, timeline reconstruction, IOC extraction, and reporting. It follows NIST SP 800-86, MITRE ATT&CK, and RFC 3227 (evidence volatility ordering).


Deploy it

npm install -g aiwg
cd /path/to/your/investigation
aiwg use forensics
claude .

The investigation workflow

profile → triage → acquire → analyze → timeline → report

Each phase has a dedicated command. You can run the full pipeline or jump to any stage.


Starting an investigation

Full investigation from scratch

/forensics-investigate ssh://user@host:port --scope full

This orchestrates the entire workflow. The agent profiles the target first, then guides structured analysis through each phase.

Quick triage (volatile data first)

RFC 3227 requires capturing volatile data before anything else — running processes, network connections, memory maps — because they disappear on reboot or shutdown.

/forensics-triage ssh://user@host:port

This captures network state, process list, memory maps, deleted-but-running binaries, and kernel modules before touching disk.

Just profile a target

Before investigating, understand what you're dealing with:

/forensics-profile ssh://user@host:port

Produces a target profile: OS, services, users, filesystem layout, installed tools available for forensics. This profile parameterizes all subsequent analysis so the framework adapts to what's actually on the system.


Analysis agents

Each analysis type has a specialist agent:

AgentWhat it does
`triage-agent`Volatile data capture, RFC 3227 ordering
`acquisition-agent`Evidence collection, hash verification, chain of custody
`log-analyst`auth.log, syslog, journal, application log parsing
`network-analyst`Traffic analysis, C2 detection, lateral movement
`persistence-hunter`Cron, systemd, SSH keys, PAM modules, kernel modules
`memory-analyst`Volatility 3: process analysis, rootkit detection, credential extraction
`container-analyst`Docker, containerd, Kubernetes forensics
`cloud-analyst`AWS/Azure/GCP audit logs, IAM review, API anomalies
`ioc-analyst`IOC extraction, enrichment, STIX 2.1 formatting
`timeline-builder`Multi-source event correlation, chronological reconstruction

Building an event timeline

After evidence is collected, correlate events from multiple sources:

/forensics-timeline .aiwg/forensics/findings/target-2026-03-25/

This correlates auth logs, syslog, journal, filesystem timestamps, and application logs into a single chronological timeline with attribution. Essential for establishing what happened when and in what order.


IOC extraction

Extract indicators of compromise from all collected evidence and format them for threat intel sharing:

/forensics-ioc .aiwg/forensics/findings/

Produces a STIX 2.1 IOC register with IPs, domains, file hashes, registry keys, and behavioral indicators. Ready to import into your SIEM or share with your team.


Threat hunting

If you suspect a specific threat but haven't found it yet:

/forensics-hunt --sigma-rules apt29,cobalt-strike

Applies Sigma rules against collected logs to surface matching activity. The `sigma-hunting` skill runs against whatever evidence is in scope.


Generating the report

When the investigation is complete:

/forensics-report .aiwg/forensics/ --format full

Produces a structured forensic report with executive summary, technical findings, event timeline, IOC register, and remediation recommendations. The `--format executive` flag produces a shortened version for non-technical stakeholders.


Cloud investigations

For AWS, Azure, or GCP incidents:

Investigate suspicious IAM activity in this AWS account
Review CloudTrail logs for credential theft indicators

The `cloud-analyst` agent covers audit log collection, IAM review, network flow analysis, and API activity anomaly detection across all three major providers.


Container investigations

For compromised containers or Kubernetes clusters:

Analyze this container for privilege escalation vectors
Review the Kubernetes cluster for unauthorized workloads

The `container-analyst` agent covers Docker and containerd configuration, image layer analysis, volume and network inspection, and Kubernetes API server audit logs.


Evidence handling

All evidence collection follows chain of custody procedures:

  • SHA-256 hashes verified at acquisition
  • Chain of custody documented in `.aiwg/forensics/custody/`
  • Evidence packaged following OAIS standards
  • Integrity verification available at any point via `/verify-archive`

Key references

  • `/forensics-status` — Current investigation status dashboard
  • `/forensics-acquire` — Evidence acquisition with chain of custody
  • `/forensics-profile` — Build target system profile
  • `@agentic/code/frameworks/forensics-complete/README.md` — Full framework documentation