OpenSkillIndex← back to search
claude-code

Aiwg forensics-status

Show investigation status dashboard

install
source · Clone the upstream repo
git clone https://github.com/jmagly/aiwg
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/jmagly/aiwg "$T" && mkdir -p ~/.claude/skills && cp -r "$T/agentic/code/frameworks/forensics-complete/skills/forensics-status" ~/.claude/skills/jmagly-aiwg-forensics-status-f48d80 && rm -rf "$T"
manifest: agentic/code/frameworks/forensics-complete/skills/forensics-status/SKILL.md
source content

/forensics-status

Display the current status of active or recent forensic investigations. Shows phase completion, finding counts by severity, artifact inventory, and pending work. Provides a quick situational awareness dashboard for ongoing incident response.

Usage

/forensics-status [options]

Arguments

ArgumentRequiredDescription
--investigationNoSpecific investigation ID to show (e.g., 
INV-2026-02-27-web01
)
--detailedNoShow detailed breakdown of each phase and artifact
--allNoShow all investigations, including completed ones
--pending-onlyNoShow only investigations with incomplete stages
--formatNoOutput format: 
markdown
(default), 
json
--pathNoInvestigation root path (default: 
.aiwg/forensics/
)

Behavior

When invoked, this command:

  1. Discover Investigations

    • Scan 
      .aiwg/forensics/
      for investigation state files
    • Load 
      investigation.yaml
      for each discovered investigation
    • Determine active vs. completed vs. stalled investigations
    • Sort by recency (most recent first)

  2. Phase Status Assessment

    • Check completion status for each workflow stage
    • Map output artifacts to expected stage deliverables
    • Flag stages with missing or incomplete outputs
    • Identify stages that are in-progress vs. not started

  3. Finding Counts

    • Count findings by severity: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL
    • Summarize IOC counts by type (IP, domain, hash, etc.)
    • Note unreviewed or newly added findings since last status check
    • Flag any findings requiring immediate action

  4. Artifact Inventory

    • List all collected evidence artifacts
    • Note artifacts with pending hash verification
    • Identify gaps in evidence (expected artifacts not collected)
    • Show total storage used by investigation

  5. Pending Work

    • List incomplete stages in priority order
    • Identify blocked stages (dependencies not met)
    • Surface findings that require follow-up investigation
    • List IOCs pending enrichment or validation

  6. Timeline Status

    • Note earliest and latest events in investigation window
    • Show attacker dwell time if timeline is complete
    • Flag time gaps in log coverage

  7. Render Dashboard

    • Display formatted status view
    • Use visual progress indicators for stage completion
    • Highlight CRITICAL findings prominently
    • Provide next-step command suggestions

Examples

Example 1: Current investigation status

/forensics-status

Example 2: Detailed breakdown

/forensics-status --detailed

Example 3: Specific investigation

/forensics-status --investigation INV-2026-02-27-web01

Example 4: All investigations including completed

/forensics-status --all

Example 5: JSON export for tooling

/forensics-status --format json

Output

Status is displayed to console. Optional JSON export to 

.aiwg/forensics/reports/status.json
.

Sample Output (standard)

Investigation Status Dashboard
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Active Investigations: 1
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

INV-2026-02-27-web01 | ACTIVE | Confirmed Breach | web01.internal
────────────────────────────────────────────────────────────────

Phases:
  Reconnaissance   [COMPLETE]  system-profile.md
  Triage           [COMPLETE]  triage-summary.md   Threat: 87/100 CRITICAL
  Acquisition      [COMPLETE]  14 artifacts (140.6 MB)
  Analysis         [COMPLETE]  16 findings
  Timeline         [COMPLETE]  incident-timeline.md
  IOC Extraction   [COMPLETE]  12 IOCs
  Report           [PENDING]   not started

Findings:
  CRITICAL:  2   HIGH: 5   MEDIUM: 6   LOW: 3   INFO: 0
  Total: 16 findings across 5 analysis domains

IOCs:
  IP addresses: 2 (1 known malicious)
  Domains:      1 (1 known C2)
  File hashes:  1
  File paths:   3
  Accounts:     2

Evidence:
  Artifacts collected: 14
  Storage: 140.6 MB
  Integrity: 14/14 verified

Investigation Window:
  Start: 2026-02-26T22:14:33Z (first attacker activity)
  End:   2026-02-27T02:15:00Z (last seen)
  Dwell: 4h 0m 27s

Pending Work:
  1. /forensics-report .aiwg/forensics/ --format full
     Generate final investigation report

  2. Validate: 3 IOCs pending enrichment
     /forensics-ioc .aiwg/forensics/ --enrich

────────────────────────────────────────────────────────────────
Last updated: 2026-02-27T15:02:10Z

Sample Output (detailed)

Investigation Status Dashboard (Detailed)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

INV-2026-02-27-web01
  Target:       192.168.1.50 (web01.internal)
  Started:      2026-02-27T14:30:00Z
  Duration:     31m 44s (analysis), report pending
  Investigator: analyst
  Scope:        full

Phase Detail:
─────────────────────────────────────────────────────────────────

Reconnaissance [COMPLETE, 14:31:42Z, 102s]
  Artifacts:
    system-profile.md (web01-2026-02-27) - 8.4 KB
    system-profile.json                  - 12.1 KB

Triage [COMPLETE, 14:34:15Z, 153s]
  Threat Score: 87/100 (CRITICAL)
  Red Flags:    5 (2 CRITICAL, 2 HIGH, 1 MEDIUM)
  Artifacts:
    triage-summary.md       - 14.2 KB
    volatile/process-list   - 42.1 KB
    volatile/network-conn.  - 8.3 KB

Acquisition [COMPLETE, 14:39:02Z, 287s]
  Evidence collected: 14 artifacts
  Total size: 140.6 MB
  Integrity: 14/14 VERIFIED
  Artifacts:
    auth.log (4.2 MB)        SHA256 VERIFIED
    syslog (12.8 MB)         SHA256 VERIFIED
    journal (87.3 MB)        SHA256 VERIFIED
    [11 more artifacts...]

Analysis [COMPLETE, 14:55:09Z, 967s]
  Log Analyst:         8 findings (1 CRITICAL, 3 HIGH, 3 MEDIUM, 1 LOW)
  Persistence Hunter:  3 findings (1 CRITICAL, 2 HIGH)
  Network Analyst:     5 findings (2 HIGH, 2 MEDIUM, 1 LOW)
  Container Analyst:   skipped (no containers detected)
  Memory Analyst:      skipped (no memory image)

Timeline [COMPLETE, 14:57:33Z, 144s]
  Events: 312 significant (from 1,247 raw)
  Attack phases: Initial Access -> Execution -> Persistence -> C2
  Patient zero: account 'deploy'
  Dwell time: 4h 0m 27s

IOC Extraction [COMPLETE, 14:59:01Z, 88s]
  IOCs extracted: 12
  Enriched: 4 (3 pending)
  Actionable (block): 3 IPs, 1 domain
  For scanning: 1 file hash

Report [PENDING]
  Run: /forensics-report .aiwg/forensics/ --format full

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Recommended Next Action:
  /forensics-report .aiwg/forensics/ --format full

References

  • @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/agents/forensics-orchestrator.md - Orchestrator
  • @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/commands/forensics-investigate.md - Full workflow
  • @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/commands/forensics-report.md - Report generation