install
source · Clone the upstream repo
```bash
git clone https://github.com/jmagly/aiwg
```
Claude Code · Install into ~/.claude/skills/
```bash
T=$(mktemp -d) && git clone --depth=1 https://github.com/jmagly/aiwg "$T" && mkdir -p ~/.claude/skills && cp -r "$T/.agents/skills/forensics-profile" ~/.claude/skills/jmagly-aiwg-forensics-profile && rm -rf "$T"
```
manifest: `.agents/skills/forensics-profile/SKILL.md`
/forensics-profile
Build a comprehensive system profile of the target by enumerating OS details, running services, user accounts, installed packages, network configuration, and security controls. The profile establishes a baseline for subsequent investigation stages.
Usage
```
/forensics-profile <target> [options]
```
Arguments
| Argument | Required | Description |
|---|---|---|
| target | Yes | SSH connection string () or cloud target () |
| --output | No | Custom output directory (default: ) |
| --deep | No | Perform deep enumeration including package inventory and kernel config |
| --cloud | No | Cloud provider context: , , or |
| --no-network | No | Skip network enumeration (faster, less intrusive) |
| --format | No | Output format: (default) or |
Behavior
When invoked, this command:
1. Parse Target
   - Resolve hostname or IP from connection string
   - Verify SSH connectivity or cloud API access
   - Detect operating system family (Linux distro, version, kernel)
   - Record target identifier for artifact naming
2. System Enumeration
   - Collect OS version, kernel version, architecture
   - Enumerate running processes and services
   - List installed packages and versions
   - Check uptime and last reboot time
   - Identify virtualization or container environment
3. User and Account Inventory
   - Enumerate local user accounts from `/etc/passwd`
   - Identify privileged users (UID 0, sudo group members)
   - Check for recently created or modified accounts
   - Review `/etc/sudoers` and sudoers.d entries
   - List active login sessions and recent auth history
4. Network Baseline
   - Capture listening ports and bound services
   - Document active network connections
   - Record network interfaces and IP assignments
   - Identify firewall rules (iptables, nftables, ufw)
   - Note DNS resolver configuration
5. Security Control Assessment
   - Check for security tools (auditd, fail2ban, SELinux, AppArmor)
   - Review SSH daemon configuration
   - Identify logging configuration and log rotation
   - Note enabled/disabled security features
6. Save Profile Artifact
   - Write `system-profile.md` with structured findings
   - Write `system-profile.json` for machine processing
   - Generate SHA-256 hash of profile files
   - Log acquisition metadata and timestamps
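The "User and Account Inventory" and "Save Profile Artifact" steps above are the two a reviewer most often wants to see made concrete: which accounts are actually privileged, and how the resulting artifact is made tamper-evident. The script below is an added example and is not part of the aiwg skill or its agents (the skill itself is a prompt, not code). It parses constructed `/etc/passwd`, `/etc/group` and sudoers text standing in for files collected from the target, flags every UID-0 account (a non-root UID 0 entry is the classic backdoor account), collects sudo group members, writes `system-profile.json` and a `checksums.sha256` file in the layout the Output section describes, and verifies the checksum file the way a later investigation stage would. The file names and directory layout follow the page; the sample accounts, groups and sudoers rules are constructed.

```python
"""Added example: minimal user inventory + integrity-hashed profile artifact.
Not part of aiwg; the sample data below is constructed for illustration."""
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed sample data standing in for files read from the target.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:Admin:/home/admin:/bin/bash
deploy:x:1001:1001:Deploy:/home/deploy:/bin/bash
backup:x:0:1002:Backup:/home/backup:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

GROUP = """root:x:0:
sudo:x:27:admin,deploy
www-data:x:33:
"""

SUDOERS = """# constructed sudoers fragment
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
"""

# Shells that mean "no interactive login"; everything else counts as shell access.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Return one dict per passwd entry (name, uid, gid, home, shell)."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "home": home, "shell": shell})
    return users


def sudo_group_members(text):
    """Members listed on the 'sudo' line of /etc/group (empty list if none)."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "sudo":
            return [m for m in fields[3].split(",") if m]
    return []


def sudoers_rules(text):
    """Non-comment, non-blank sudoers lines, kept verbatim for the report."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def build_user_inventory(passwd, group, sudoers):
    """Summarise accounts the way the skill's user-inventory step describes."""
    users = parse_passwd(passwd)
    uid0 = [u["name"] for u in users if u["uid"] == 0]
    sudoers_members = sudo_group_members(group)
    return {
        "total_accounts": len(users),
        "shell_accounts": [u["name"] for u in users if u["shell"] not in NOLOGIN_SHELLS],
        "uid0_accounts": uid0,
        # Any UID-0 account other than root deserves a closer look during triage.
        "uid0_non_root": [n for n in uid0 if n != "root"],
        "sudo_group_members": sudoers_members,
        "sudoers_rules": sudoers_rules(sudoers),
        "privileged_users": sorted(set(uid0) | set(sudoers_members)),
    }


def write_profile(outdir, profile):
    """Write system-profile.json and a sha256sum-style checksums.sha256 beside it."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    json_path = outdir / "system-profile.json"
    json_path.write_text(json.dumps(profile, indent=2, sort_keys=True) + "\n")
    digest = hashlib.sha256(json_path.read_bytes()).hexdigest()
    (outdir / "checksums.sha256").write_text(f"{digest}  {json_path.name}\n")
    return digest


def verify_checksums(outdir):
    """Recompute every hash listed in checksums.sha256; False on any mismatch."""
    outdir = Path(outdir)
    for line in (outdir / "checksums.sha256").read_text().splitlines():
        expected, name = line.split("  ", 1)
        if hashlib.sha256((outdir / name).read_bytes()).hexdigest() != expected:
            return False
    return True


def run_demo():
    """Build the inventory, write the artifacts to a temp dir, verify them."""
    inventory = build_user_inventory(PASSWD, GROUP, SUDOERS)
    with tempfile.TemporaryDirectory() as tmp:
        digest = write_profile(tmp, {"user_inventory": inventory})
        verified = verify_checksums(tmp)
    return {"digest": digest, "verified": verified, "inventory": inventory}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

On a real engagement the three text blobs would be the files pulled from the target (for example over the same SSH session the skill opens), and `acquisition-log.yaml` would record when and from where they were taken; the checksum file is what lets the triage and investigation stages prove the profile they read is the one that was written.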
Examples
Example 1: Basic SSH profile
```
/forensics-profile ssh://admin@192.168.1.50:22
```
Example 2: Deep profile with custom output
```
/forensics-profile ssh://root@10.0.0.5 --deep --output .aiwg/forensics/profiles/web-server/
```
Example 3: Cloud target
```
/forensics-profile aws://123456789012/us-east-1 --cloud aws
```
Example 4: JSON output for pipeline use
```
/forensics-profile ssh://analyst@host --format json
```
Output
Artifacts are saved to `.aiwg/forensics/profiles/<hostname>-<date>/`:
```text
.aiwg/forensics/profiles/web01-2026-02-27/
├── system-profile.md      # Human-readable profile
├── system-profile.json    # Machine-readable profile
├── acquisition-log.yaml   # Timing and metadata
└── checksums.sha256       # Integrity hashes
```
Sample Output
```text
Profiling Target: 192.168.1.50
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Step 1: Connecting to target
  Connected via SSH (admin@192.168.1.50:22)
  OS detected: Ubuntu 22.04.3 LTS (kernel 5.15.0-91)

Step 2: System enumeration
  Hostname: web01.internal
  Uptime: 47 days, 3 hours
  Architecture: x86_64
  Running services: 23 active units
  Installed packages: 412

Step 3: User inventory
  Total accounts: 28 (4 with shell access)
  Privileged users: root, deploy
  Sudo group members: admin, deploy
  Active sessions: 2

Step 4: Network baseline
  Interfaces: eth0 (10.0.1.50/24), lo
  Listening ports: 22 (sshd), 80 (nginx), 443 (nginx), 3306 (mysqld)
  Active connections: 14 established
  Firewall: ufw active (12 rules)

Step 5: Security controls
  auditd: active
  fail2ban: active (3 jails)
  AppArmor: enforcing (18 profiles)
  SSH: password auth disabled, key-only

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Profile complete. Output: .aiwg/forensics/profiles/web01-2026-02-27/

Next Steps:
  /forensics-triage ssh://admin@192.168.1.50 - Capture volatile data
  /forensics-investigate ssh://admin@192.168.1.50 --scope full
```
References
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/agents/recon-agent.md - Recon Agent
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/templates/system-profile.md - Profile template
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/commands/forensics-triage.md - Next stage