| name | forensics-quickref |
| description | AUTO-INVOKE when user mentions forensics, incident response, IOC, log analysis, evidence preservation, breach investigation, threat hunting, attack timeline. Forensics framework quick reference — discovery phrases for incident response, log analysis, evidence preservation, IOC extraction. |
| platforms | ["codex"] |
Forensics Framework — Quick Reference
This is your always-loaded directory for the AIWG forensics-complete framework. It does not list every skill. Instead, it teaches the framework's mental model and gives you curated search phrases that map to aiwg discover lookups.
Canonical access pattern: discover → show
When you find a candidate via aiwg discover, fetch its body with aiwg show <type> <name>. Never use find, ls, Glob, or direct Read on <provider>/skills/ paths — those reflect the kernel-pivot deploy state, not the full surface.
aiwg discover "<phrase>"
aiwg show skill <name>
If your platform's Skill tool errors on a non-kernel skill (expected — most aren't kernel), the fallback is aiwg show, never filesystem browsing. Last-resort if aiwg itself is broken: read directly from $AIWG_ROOT/agentic/code/... (the canonical corpus, always present).
How to use this quickref
- Identify the capability domain the user's need belongs to
- Pick a curated phrase from that domain (or paraphrase the user's words)
- Run
aiwg discover "<phrase>" and surface the top match (or top-3) to the user
- If the top result isn't right, iterate the phrasing — the scorer is forgiving
Do not enumerate skills from memory. The framework ships ~20 skills and discovery is the lookup surface.
What this framework is for
Digital forensics & incident response. RFC 3227-aligned triage, multi-source timeline reconstruction, IOC extraction, chain-of-custody preservation, and Sigma-rule-based threat hunting. Multi-platform (Linux / cloud / containers / memory).
Capability domains
| Domain | Covers |
|---|
| Triage & acquisition | Quick host triage following RFC 3227, evidence acquisition with chain of custody, target system profiling |
| Platform-specific analysis | Linux, memory dumps, cloud (AWS/Azure/GCP), Docker/K8s containers, supply chain |
| Investigation orchestration | Full multi-agent investigation, log correlation, IOC extraction & STIX 2.1 mapping |
| Threat hunting | Sigma rule application across log sources |
| Reporting | Investigation reports with evidence, timeline reconstruction |
Curated discovery phrases
Triage & acquisition
aiwg discover "forensic triage"
aiwg discover "evidence acquisition"
aiwg discover "target system profile"
Platform-specific analysis
aiwg discover "linux forensics"
aiwg discover "memory forensics"
aiwg discover "cloud forensics"
aiwg discover "container forensics"
aiwg discover "supply chain compromise"
Investigation orchestration
aiwg discover "forensics investigation"
aiwg discover "log analysis"
aiwg discover "extract iocs"
aiwg discover "build forensic timeline"
Threat hunting
aiwg discover "threat hunt with sigma rules"
aiwg discover "forensics hunt"
Reporting & integrity
aiwg discover "forensic report"
aiwg discover "investigation status"
aiwg discover "evidence preservation"
aiwg discover "integrity verification"
Mental model — the investigation pipeline
Triage (RFC 3227) → Acquisition → Platform analysis → IOC extraction → Reporting
forensics-triage forensics-acquire linux-forensics forensics-ioc forensics-report
memory-forensics
cloud-forensics
container-forensics
Cross-cutting: forensics-hunt (Sigma) and log-analysis (correlation) feed both Analysis and IOC extraction.
Artifact directory layout
Forensic artifacts go under .aiwg/forensics/ when the framework is in use:
.aiwg/forensics/
├── triage/ # RFC 3227 quick captures
├── evidence/ # Chain-of-custody-preserved evidence
├── timelines/ # Reconstructed event timelines
├── iocs/ # Extracted indicators of compromise
├── reports/ # Investigation reports
└── chain-of-custody.md # Master CoC log
When the curated phrases don't fit
aiwg discover "<your need, paraphrased>" --limit 5
If the top-3 results all score below ~0.20, the framework genuinely may not have a curated skill for that need. Then improvise — but always check first.
Anti-pattern: don't enumerate
If a user asks "what forensics skills are available?", do not list from this skill. Run:
aiwg discover --type skill --limit 20 "<their interest area>"
This skill is the orientation layer. The index is the lookup.