Best use case
forensics-status is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
It is a strong fit for teams already working in Codex.
Show investigation status dashboard
Teams using forensics-status should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
$curl -o ~/.claude/skills/forensics-status/SKILL.md --create-dirs "https://raw.githubusercontent.com/jmagly/aiwg/main/.agents/skills/forensics-status/SKILL.md"
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/forensics-status/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How forensics-status Compares
| Feature / Agent | forensics-status | Standard Approach |
|---|---|---|
| Platform Support | Codex | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Show investigation status dashboard
Which AI agents support this skill?
This skill is designed for Codex.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
Cursor vs Codex for AI Workflows
Compare Cursor and Codex for AI coding workflows, repository assistance, debugging, refactoring, and reusable developer skills.
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
AI Agents for Marketing
Discover AI agents for marketing workflows, from SEO and content production to campaign research, outreach, and analytics.
SKILL.md Source
# /forensics-status
Display the current status of active or recent forensic investigations. Shows phase completion, finding counts by severity, artifact inventory, and pending work. Provides a quick situational awareness dashboard for ongoing incident response.
## Usage
`/forensics-status [options]`
## Arguments
| Argument | Required | Description |
|----------|----------|-------------|
| --investigation | No | Specific investigation ID to show (e.g., `INV-2026-02-27-web01`) |
| --detailed | No | Show detailed breakdown of each phase and artifact |
| --all | No | Show all investigations, including completed ones |
| --pending-only | No | Show only investigations with incomplete stages |
| --format | No | Output format: `markdown` (default), `json` |
| --path | No | Investigation root path (default: `.aiwg/forensics/`) |
## Behavior
When invoked, this command:
1. **Discover Investigations**
- Scan `.aiwg/forensics/` for investigation state files
- Load `investigation.yaml` for each discovered investigation
- Determine active vs. completed vs. stalled investigations
- Sort by recency (most recent first)
2. **Phase Status Assessment**
- Check completion status for each workflow stage
- Map output artifacts to expected stage deliverables
- Flag stages with missing or incomplete outputs
- Identify stages that are in-progress vs. not started
3. **Finding Counts**
- Count findings by severity: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL
- Summarize IOC counts by type (IP, domain, hash, etc.)
- Note unreviewed or newly added findings since last status check
- Flag any findings requiring immediate action
4. **Artifact Inventory**
- List all collected evidence artifacts
- Note artifacts with pending hash verification
- Identify gaps in evidence (expected artifacts not collected)
- Show total storage used by investigation
5. **Pending Work**
- List incomplete stages in priority order
- Identify blocked stages (dependencies not met)
- Surface findings that require follow-up investigation
- List IOCs pending enrichment or validation
6. **Timeline Status**
- Note earliest and latest events in investigation window
- Show attacker dwell time if timeline is complete
- Flag time gaps in log coverage
7. **Render Dashboard**
- Display formatted status view
- Use visual progress indicators for stage completion
- Highlight CRITICAL findings prominently
- Provide next-step command suggestions
## Examples
### Example 1: Current investigation status
```bash
/forensics-status
```
### Example 2: Detailed breakdown
```bash
/forensics-status --detailed
```
### Example 3: Specific investigation
```bash
/forensics-status --investigation INV-2026-02-27-web01
```
### Example 4: All investigations including completed
```bash
/forensics-status --all
```
### Example 5: JSON export for tooling
```bash
/forensics-status --format json
```
## Output
Status is displayed to console. Optional JSON export to `.aiwg/forensics/reports/status.json`.
### Sample Output (standard)
```
Investigation Status Dashboard
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Active Investigations: 1
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
INV-2026-02-27-web01 | ACTIVE | Confirmed Breach | web01.internal
────────────────────────────────────────────────────────────────
Phases:
Reconnaissance [COMPLETE] system-profile.md
Triage [COMPLETE] triage-summary.md Threat: 87/100 CRITICAL
Acquisition [COMPLETE] 14 artifacts (140.6 MB)
Analysis [COMPLETE] 16 findings
Timeline [COMPLETE] incident-timeline.md
IOC Extraction [COMPLETE] 12 IOCs
Report [PENDING] not started
Findings:
CRITICAL: 2 HIGH: 5 MEDIUM: 6 LOW: 3 INFO: 0
Total: 16 findings across 5 analysis domains
IOCs:
IP addresses: 2 (1 known malicious)
Domains: 1 (1 known C2)
File hashes: 1
File paths: 3
Accounts: 2
Evidence:
Artifacts collected: 14
Storage: 140.6 MB
Integrity: 14/14 verified
Investigation Window:
Start: 2026-02-26T22:14:33Z (first attacker activity)
End: 2026-02-27T02:15:00Z (last seen)
Dwell: 4h 0m 27s
Pending Work:
1. /forensics-report .aiwg/forensics/ --format full
Generate final investigation report
2. Validate: 3 IOCs pending enrichment
/forensics-ioc .aiwg/forensics/ --enrich
────────────────────────────────────────────────────────────────
Last updated: 2026-02-27T15:02:10Z
```
### Sample Output (detailed)
```
Investigation Status Dashboard (Detailed)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
INV-2026-02-27-web01
Target: 192.168.1.50 (web01.internal)
Started: 2026-02-27T14:30:00Z
Duration: 31m 44s (analysis), report pending
Investigator: analyst
Scope: full
Phase Detail:
─────────────────────────────────────────────────────────────────
Reconnaissance [COMPLETE, 14:31:42Z, 102s]
Artifacts:
system-profile.md (web01-2026-02-27) - 8.4 KB
system-profile.json - 12.1 KB
Triage [COMPLETE, 14:34:15Z, 153s]
Threat Score: 87/100 (CRITICAL)
Red Flags: 5 (2 CRITICAL, 2 HIGH, 1 MEDIUM)
Artifacts:
triage-summary.md - 14.2 KB
volatile/process-list - 42.1 KB
volatile/network-conn. - 8.3 KB
Acquisition [COMPLETE, 14:39:02Z, 287s]
Evidence collected: 14 artifacts
Total size: 140.6 MB
Integrity: 14/14 VERIFIED
Artifacts:
auth.log (4.2 MB) SHA256 VERIFIED
syslog (12.8 MB) SHA256 VERIFIED
journal (87.3 MB) SHA256 VERIFIED
[11 more artifacts...]
Analysis [COMPLETE, 14:55:09Z, 967s]
Log Analyst: 8 findings (1 CRITICAL, 3 HIGH, 3 MEDIUM, 1 LOW)
Persistence Hunter: 3 findings (1 CRITICAL, 2 HIGH)
Network Analyst: 5 findings (2 HIGH, 2 MEDIUM, 1 LOW)
Container Analyst: skipped (no containers detected)
Memory Analyst: skipped (no memory image)
Timeline [COMPLETE, 14:57:33Z, 144s]
Events: 312 significant (from 1,247 raw)
Attack phases: Initial Access -> Execution -> Persistence -> C2
Patient zero: account 'deploy'
Dwell time: 4h 0m 27s
IOC Extraction [COMPLETE, 14:59:01Z, 88s]
IOCs extracted: 12
Enriched: 4 (3 pending)
Actionable (block): 3 IPs, 1 domain
For scanning: 1 file hash
Report [PENDING]
Run: /forensics-report .aiwg/forensics/ --format full
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Recommended Next Action:
/forensics-report .aiwg/forensics/ --format full
```
## References
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/agents/forensics-orchestrator.md - Orchestrator
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/commands/forensics-investigate.md - Full workflow
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/commands/forensics-report.md - Report generationRelated Skills
customize-status
104
from jmagly/aiwg
Show current AIWG customization status — mode, source path, what you've customized vs upstream
supply-chain-forensics
104
from jmagly/aiwg
SBOM analysis, build pipeline forensics, and dependency verification covering package integrity, build reproducibility, and CI/CD pipeline tampering
Codex
soul-status
104
from jmagly/aiwg
Show SOUL.md enforcement state across all installed providers with quality check
Codex
rlm-status
104
from jmagly/aiwg
Show status of RLM task tree execution
Codex
research-status
104
from jmagly/aiwg
Show research corpus health and statistics
Codex
ralph-status
104
from jmagly/aiwg
Check status of current or previous agent loop
Codex
project-status
104
from jmagly/aiwg
Analyze project state from .aiwg/ artifacts and provide contextual status with recommended next steps
Codex
plugin-status
104
from jmagly/aiwg
List installed Claude Code plugins with version, install date, and enabled status
Codex
pipeline-status
104
from jmagly/aiwg
Show status overview of all LLM inference pipelines in the current project
Codex
memory-forensics
104
from jmagly/aiwg
Volatility 3 memory forensics workflows covering acquisition with LiME and WinPmem, and structured analysis using Volatility 3 plugin reference
Codex
marketing-status
104
from jmagly/aiwg
Project directory path (default current directory)
Codex
linux-forensics
104
from jmagly/aiwg
Generalized Linux incident response and forensic analysis covering Debian/Ubuntu, RHEL/CentOS/Rocky, and SUSE families
Codex