Best use case
forensics-profile is best used when you need a repeatable AI agent workflow instead of a one-off prompt. It is a strong fit for teams already working in Codex.

The skill's purpose: build a target system profile via SSH or cloud API enumeration.

Teams using forensics-profile should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it at `.claude/skills/forensics-profile/SKILL.md` inside your project
- Restart your AI agent; it will auto-discover the skill
How forensics-profile Compares
| Feature / Agent | forensics-profile | Standard Approach |
|---|---|---|
| Platform Support | Codex | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Build target system profile via SSH or cloud API enumeration
Which AI agents support this skill?
This skill is designed for Codex.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# /forensics-profile

Build a comprehensive system profile of the target by enumerating OS details, running services, user accounts, installed packages, network configuration, and security controls. The profile establishes a baseline for subsequent investigation stages.

## Usage

`/forensics-profile <target> [options]`

## Arguments

| Argument | Required | Description |
|----------|----------|-------------|
| target | Yes | SSH connection string (`ssh://user@host:port`) or cloud target (`aws://account-id/region`) |
| --output | No | Custom output directory (default: `.aiwg/forensics/profiles/<hostname>-<date>/`) |
| --deep | No | Perform deep enumeration including package inventory and kernel config |
| --cloud | No | Cloud provider context: `aws`, `azure`, or `gcp` |
| --no-network | No | Skip network enumeration (faster, less intrusive) |
| --format | No | Output format: `markdown` (default) or `json` |

## Behavior

When invoked, this command:

1. **Parse Target**
   - Resolve hostname or IP from connection string
   - Verify SSH connectivity or cloud API access
   - Detect operating system family (Linux distro, version, kernel)
   - Record target identifier for artifact naming

2. **System Enumeration**
   - Collect OS version, kernel version, architecture
   - Enumerate running processes and services
   - List installed packages and versions
   - Check uptime and last reboot time
   - Identify virtualization or container environment

3. **User and Account Inventory**
   - Enumerate local user accounts from `/etc/passwd`
   - Identify privileged users (UID 0, sudo group members)
   - Check for recently created or modified accounts
   - Review `/etc/sudoers` and sudoers.d entries
   - List active login sessions and recent auth history

4. **Network Baseline**
   - Capture listening ports and bound services
   - Document active network connections
   - Record network interfaces and IP assignments
   - Identify firewall rules (iptables, nftables, ufw)
   - Note DNS resolver configuration

5. **Security Control Assessment**
   - Check for security tools (auditd, fail2ban, SELinux, AppArmor)
   - Review SSH daemon configuration
   - Identify logging configuration and log rotation
   - Note enabled/disabled security features

6. **Save Profile Artifact**
   - Write `system-profile.md` with structured findings
   - Write `system-profile.json` for machine processing
   - Generate SHA-256 hash of profile files
   - Log acquisition metadata and timestamps

## Examples

### Example 1: Basic SSH profile

```bash
/forensics-profile ssh://admin@192.168.1.50:22
```

### Example 2: Deep profile with custom output

```bash
/forensics-profile ssh://root@10.0.0.5 --deep --output .aiwg/forensics/profiles/web-server/
```

### Example 3: Cloud target

```bash
/forensics-profile aws://123456789012/us-east-1 --cloud aws
```

### Example 4: JSON output for pipeline use

```bash
/forensics-profile ssh://analyst@host --format json
```

## Output

Artifacts are saved to `.aiwg/forensics/profiles/<hostname>-<date>/`:

```
.aiwg/forensics/profiles/web01-2026-02-27/
├── system-profile.md       # Human-readable profile
├── system-profile.json     # Machine-readable profile
├── acquisition-log.yaml    # Timing and metadata
└── checksums.sha256        # Integrity hashes
```

### Sample Output

```
Profiling Target: 192.168.1.50
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Step 1: Connecting to target
  Connected via SSH (admin@192.168.1.50:22)
  OS detected: Ubuntu 22.04.3 LTS (kernel 5.15.0-91)

Step 2: System enumeration
  Hostname: web01.internal
  Uptime: 47 days, 3 hours
  Architecture: x86_64
  Running services: 23 active units
  Installed packages: 412

Step 3: User inventory
  Total accounts: 28 (4 with shell access)
  Privileged users: root, deploy
  Sudo group members: admin, deploy
  Active sessions: 2

Step 4: Network baseline
  Interfaces: eth0 (10.0.1.50/24), lo
  Listening ports: 22 (sshd), 80 (nginx), 443 (nginx), 3306 (mysqld)
  Active connections: 14 established
  Firewall: ufw active (12 rules)

Step 5: Security controls
  auditd: active
  fail2ban: active (3 jails)
  AppArmor: enforcing (18 profiles)
  SSH: password auth disabled, key-only

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Profile complete. Output: .aiwg/forensics/profiles/web01-2026-02-27/

Next Steps:
  /forensics-triage ssh://admin@192.168.1.50 - Capture volatile data
  /forensics-investigate ssh://admin@192.168.1.50 --scope full
```

## References

- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/agents/recon-agent.md - Recon Agent
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/templates/system-profile.md - Profile template
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/commands/forensics-triage.md - Next stage
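The behavior section above describes the user inventory (step 3: accounts from `/etc/passwd`, UID 0 and sudo-group members) and the artifact step (step 6: `system-profile.md`, `system-profile.json`, SHA-256 checksums) only as a list of tasks. The following is an added example, written for this page and not code from the forensics-profile skill or the AIWG framework, showing what those two steps amount to in practice. It works on constructed `/etc/passwd` and `/etc/group` text (the sample includes a second UID 0 account, the kind of finding the inventory exists to surface), writes the two profile files plus a `sha256sum`-compatible `checksums.sha256`, and verifies them again. The function names, the `sudo`/`wheel` group choice and the nologin shell list are the example's own assumptions, not the skill's.

```python
"""Added example: user inventory and profile artifact with SHA-256 checksums.
Not part of the forensics-profile skill; sample passwd/group text is constructed."""
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed sample of /etc/passwd (not captured from a real host).
# Note the second UID 0 account "toor": a classic indicator worth flagging.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
admin:x:1000:1000:Admin:/home/admin:/bin/bash
deploy:x:1001:1001:Deploy:/home/deploy:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
toor:x:0:0:toor:/root:/bin/sh
"""

# Constructed sample of /etc/group.
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:admin,deploy
wheel:x:10:
users:x:100:
"""

# Shells that deny interactive login (assumed list; extend for the distro at hand).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; malformed lines are skipped, not guessed."""
    accounts = []
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) != 7:
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        accounts.append({"name": name, "uid": int(uid), "gid": int(gid),
                         "home": home, "shell": shell})
    return accounts


def parse_group_members(text, group_names=("sudo", "wheel")):
    """Return the union of member lists of the named admin groups from group(5) text."""
    members = set()
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] in group_names and fields[3]:
            members.update(m for m in fields[3].split(",") if m)
    return members


def user_inventory(passwd_text, group_text):
    """Step 3 of the skill: accounts, shell-capable accounts, UID 0 and sudo members."""
    accounts = parse_passwd(passwd_text)
    uid0 = sorted(a["name"] for a in accounts if a["uid"] == 0)
    sudoers = sorted(parse_group_members(group_text))
    shell_users = sorted(a["name"] for a in accounts if a["shell"] not in NOLOGIN_SHELLS)
    return {
        "total_accounts": len(accounts),
        "shell_accounts": shell_users,
        "uid0_accounts": uid0,
        "sudo_group_members": sudoers,
        "privileged_users": sorted(set(uid0) | set(sudoers)),
    }


def sha256_file(path):
    """Hash a file in chunks so large artifacts do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_profile(profile, outdir):
    """Step 6 of the skill: write .md and .json artifacts and a checksums.sha256 file.
    Returns {filename: sha256hex} for the files written."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    json_path = outdir / "system-profile.json"
    json_path.write_text(json.dumps(profile, indent=2, sort_keys=True) + "\n")
    md_path = outdir / "system-profile.md"
    md_lines = ["# System profile", ""] + [f"- {k}: {v}" for k, v in sorted(profile.items())]
    md_path.write_text("\n".join(md_lines) + "\n")
    checksums = {p.name: sha256_file(p) for p in (json_path, md_path)}
    # Two spaces between digest and name keeps the file readable by `sha256sum -c`.
    (outdir / "checksums.sha256").write_text(
        "".join(f"{digest}  {name}\n" for name, digest in sorted(checksums.items())))
    return checksums


def verify_checksums(outdir):
    """Re-hash every file listed in checksums.sha256; True only if all digests match."""
    outdir = Path(outdir)
    for line in (outdir / "checksums.sha256").read_text().splitlines():
        digest, name = line.split("  ", 1)
        if sha256_file(outdir / name) != digest:
            return False
    return True


def profile_roundtrip(profile):
    """Write the profile to a temporary directory and verify it; returns (checksums, ok)."""
    with tempfile.TemporaryDirectory() as d:
        sums = write_profile(profile, d)
        return sums, verify_checksums(d)


if __name__ == "__main__":
    inv = user_inventory(SAMPLE_PASSWD, SAMPLE_GROUP)
    print(json.dumps(inv, indent=2))
    sums, ok = profile_roundtrip({"users": inv})
    print("checksums verify:", ok)
```

Run on the constructed sample, the inventory reports seven accounts, four with a login shell, and two UID 0 accounts (`root` and `toor`); the second one is exactly the sort of baseline deviation the later `/forensics-triage` and `/forensics-investigate` stages would pick up. On a live target the same functions would be fed the output of `cat /etc/passwd` and `cat /etc/group` retrieved over the SSH session the skill opens in step 1.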
Related Skills
supply-chain-forensics
SBOM analysis, build pipeline forensics, and dependency verification covering package integrity, build reproducibility, and CI/CD pipeline tampering
memory-forensics
Volatility 3 memory forensics workflows covering acquisition with LiME and WinPmem, and structured analysis using Volatility 3 plugin reference
linux-forensics
Generalized Linux incident response and forensic analysis covering Debian/Ubuntu, RHEL/CentOS/Rocky, and SUSE families
forensics-triage
Quick triage investigation following RFC 3227 volatility order
forensics-timeline
Build correlated event timeline from multiple sources
forensics-status
Show investigation status dashboard
forensics-report
Generate forensic investigation report
forensics-ioc
Extract and enrich indicators of compromise
forensics-investigate
Full multi-agent investigation workflow
forensics-hunt
Threat hunt using Sigma rules against log sources
forensics-acquire
Evidence acquisition with chain of custody and hash verification
container-forensics
Docker, containerd/CRI-O, and Kubernetes forensic investigation covering container inventory (docker and crictl), privilege checks, image verification, layer analysis (dive), escape detection, eBPF runtime monitoring (Falco, Tetragon, Tracee), K8s RBAC audit, etcd security audit, and API server audit log analysis