Best use case
forensics-timeline is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
It is a strong fit for teams already working in Codex.
Build correlated event timeline from multiple sources
Teams using forensics-timeline should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/forensics-timeline/SKILL.md` inside your project
- Restart your AI agent; it will auto-discover the skill
How forensics-timeline Compares
| Feature / Agent | forensics-timeline | Standard Approach |
|---|---|---|
| Platform Support | Codex | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Build correlated event timeline from multiple sources
Which AI agents support this skill?
This skill is designed for Codex.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# /forensics-timeline

Correlate events from multiple forensic sources into a unified chronological timeline. Normalizes timestamps across log files, network captures, process events, and file system artifacts. Reconstructs the attack chain and maps events to MITRE ATT&CK techniques.

## Usage

`/forensics-timeline <findings-path> [options]`

## Arguments

| Argument | Required | Description |
|----------|----------|-------------|
| findings-path | Yes | Path to findings directory (e.g., `.aiwg/forensics/findings/web01-2026-02-27/`) |
| --window | No | Time window filter: `start/end` in ISO 8601 (e.g., `2026-02-26T18:00:00Z/2026-02-27T06:00:00Z`) |
| --sources | No | Event sources to include: `logs`, `network`, `process`, `filesystem`, `all` (default: `all`) |
| --mitre | No | Annotate events with MITRE ATT&CK technique IDs |
| --output | No | Output path (default: `.aiwg/forensics/timeline/incident-timeline.md`) |
| --granularity | No | Minimum event significance level: `all`, `medium`, `high` (default: `medium`) |
| --format | No | Output format: `markdown` (default), `json`, `csv` |

## Behavior

When invoked, this command:

1. **Discover Evidence Sources**
   - Scan findings directory for all log files, captures, and analysis outputs
   - Identify available sources: auth logs, syslog, journal, audit, network, process lists
   - Record source timestamps and timezone/offset metadata
   - Note any gaps in log coverage
2. **Normalize Timestamps**
   - Convert all timestamps to UTC
   - Detect and compensate for clock skew between sources
   - Handle timezone-naive log entries using system timezone from profile
   - Flag entries with ambiguous or inconsistent timestamps
3. **Event Extraction**
   - Parse authentication events: logins, logouts, sudo, su, failed attempts
   - Extract network events: connections established, DNS queries, port scans
   - Extract process events: spawns, exits, executions from unusual paths
   - Extract filesystem events: file modifications, creations, deletions (if auditd active)
   - Extract privilege events: uid changes, capability grants, SUID executions
   - Extract persistence events: cron modifications, service installs, key changes
4. **Correlation and Deduplication**
   - Match related events across sources (e.g., SSH login + process spawn)
   - Deduplicate events appearing in multiple log sources
   - Link network connections to responsible processes via PID correlation
   - Group events into logical attack phases
5. **Attack Chain Reconstruction**
   - Identify initial access vector (brute force, key use, web exploit, etc.)
   - Map progression: initial access, execution, persistence, lateral movement
   - Identify patient zero: first compromised account or process
   - Estimate attacker dwell time from first to last activity
   - Determine data exfiltration indicators
6. **MITRE ATT&CK Mapping** (when `--mitre` specified)
   - Map each significant event to ATT&CK technique IDs
   - Label tactics: TA0001 Initial Access, TA0002 Execution, TA0003 Persistence, etc.
   - Note relevant sub-techniques where applicable
7. **Timeline Output**
   - Write chronological event table
   - Include severity, source, raw event, and interpretation for each entry
   - Highlight critical events (red flags, attack milestones)
   - Generate attack chain narrative summary
   - Save `incident-timeline.md`

## Examples

### Example 1: Standard timeline

```bash
/forensics-timeline .aiwg/forensics/findings/web01-2026-02-27/
```

### Example 2: Filtered time window

```bash
/forensics-timeline .aiwg/forensics/findings/ --window 2026-02-26T20:00:00Z/2026-02-27T04:00:00Z
```

### Example 3: Network and process sources with MITRE mapping

```bash
/forensics-timeline .aiwg/forensics/ --sources network,process --mitre
```

### Example 4: High-significance events only, JSON output

```bash
/forensics-timeline .aiwg/forensics/ --granularity high --format json
```

## Output

Artifacts are saved to `.aiwg/forensics/timeline/`:

```
.aiwg/forensics/timeline/
├── incident-timeline.md   # Full chronological timeline
├── attack-chain.md        # Attack progression narrative
├── timeline.json          # Machine-readable event list
└── mitre-mapping.yaml     # ATT&CK technique annotations (if --mitre)
```

### Sample Output

```
Building Timeline
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Sources discovered:
  auth.log (72h, 14,832 entries)
  journal (72h, 187,441 entries)
  audit.log (72h, 92,318 entries)
  network captures (triage snapshot)
  process list (triage snapshot)

Timestamps normalized to UTC
Clock skew: 0s (synchronized)
Events extracted: 1,247 raw -> 312 significant
Correlations found: 48
Timeline window: 2026-02-26T22:00:00Z to 2026-02-27T02:15:00Z (4h 15m)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

| Time (UTC)          | Sev      | Source   | Event                                              |
|---------------------|----------|----------|----------------------------------------------------|
| 2026-02-26 22:14:33 | HIGH     | auth.log | 847 failed SSH attempts from 185.220.101.42        |
| 2026-02-26 22:29:01 | CRITICAL | auth.log | Successful SSH login for 'deploy' from 185.220.101.42 |
| 2026-02-26 22:29:04 | HIGH     | journal  | Process spawn: /bin/bash (child of sshd PID 3821)  |
| 2026-02-26 22:31:18 | HIGH     | audit    | Privilege escalation: sudo -l (deploy -> root)     |
| 2026-02-26 22:33:45 | CRITICAL | audit    | New cron entry: * * * * * /tmp/.update             |
| 2026-02-26 22:34:01 | CRITICAL | journal  | File created: /tmp/.update (executable)            |
| 2026-02-27 00:00:00 | HIGH     | journal  | Cron executed: /tmp/.update                        |
| 2026-02-27 00:00:02 | CRITICAL | journal  | Outbound connection: 185.220.101.42:4444           |

Attack Chain Summary:
  Initial Access: 22:14Z - SSH brute force (T1110.001)
  Execution:      22:29Z - Interactive shell via compromised credentials (T1059.004)
  Persistence:    22:33Z - Cron job installation (T1053.003)
  C2:             00:00Z - Reverse shell beaconing (T1071.001)

Dwell time: 1h 46m (first access to C2 beacon)
Patient zero: account 'deploy'

Output: .aiwg/forensics/timeline/incident-timeline.md
```

## References

- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/agents/timeline-builder.md - Timeline Builder
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/templates/timeline-template.md - Timeline format
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/commands/forensics-ioc.md - IOC extraction
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/commands/forensics-report.md - Report generation
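The Behavior section lists normalization, extraction, correlation and attack-chain reconstruction as steps but shows only the finished table. The following added example (written for this page; it is not the forensics-timeline skill's code nor part of the AIWG project) works those steps through on constructed log lines: a timezone-naive auth.log, `journalctl -o short-iso` output, an auditd USER_CMD record with a hex-encoded `cmd` field, and a capture-host connection record. Everything about the "system profile" is an assumption made for the example: the host ran at UTC+1 with year-less syslog stamps, the capture host's clock was 120 s fast, and the severity/ATT&CK rules are this example's own mapping, not the skill's.

```python
# Added example, not the forensics-timeline skill's own code: normalize four
# constructed evidence sources to UTC, deduplicate, correlate, classify and order them.
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Assumed system-profile facts: host at UTC+1, syslog without a year, capture host 120 s fast.
HOST_TZ = timezone(timedelta(hours=1))
LOG_YEAR = 2026
SOURCE_SKEW = {"network": timedelta(seconds=-120)}

# Constructed sample records, not real evidence. The 'Accepted password' line is in
# both auth.log and the journal, as it would be on an rsyslog+journald host.
AUTH_LOG = """\
Feb 26 23:14:33 web01 sshd[3811]: Failed password for deploy from 185.220.101.42 port 51200 ssh2
Feb 26 23:14:34 web01 sshd[3812]: Failed password for deploy from 185.220.101.42 port 51201 ssh2
Feb 26 23:29:01 web01 sshd[3821]: Accepted password for deploy from 185.220.101.42 port 51234 ssh2
Feb 26 23:29:01 web01 sshd[3821]: pam_unix(sshd:session): session opened for user deploy(uid=1001) by (uid=0)"""
JOURNAL = """\
2026-02-26T23:29:01+0100 web01 sshd[3821]: Accepted password for deploy from 185.220.101.42 port 51234 ssh2
2026-02-27T01:00:00+0100 web01 CRON[4102]: (root) CMD (/tmp/.update)"""
AUDIT_LOG = """\
type=USER_CMD msg=audit(1772145078.219:4567): pid=3900 uid=1001 auid=1001 ses=12 msg='cwd="/home/deploy" cmd=7375646F202D6C exe="/usr/bin/sudo" terminal=pts/0 res=success'"""
NETWORK_CSV = "1772150522.450,10.0.0.5,52000,185.220.101.42,4444,SYN"  # capture-host epoch

SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (.*)$")
ISO_RE = re.compile(r"^(\S+) \S+ (.*)$")
AUDIT_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.\d+:\d+\): (.*)$")

def parse_auth(text):
    """Timezone-naive syslog stamps: add the year and host offset, then convert to UTC."""
    for line in text.splitlines():
        stamp, msg = SYSLOG_RE.match(line).groups()
        naive = datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        yield naive.replace(tzinfo=HOST_TZ).astimezone(UTC), "auth.log", msg

def parse_journal(text):
    """journalctl -o short-iso stamps carry their own offset."""
    for line in text.splitlines():
        stamp, msg = ISO_RE.match(line).groups()
        yield datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S%z").astimezone(UTC), "journal", msg

def parse_audit(text):
    """audit(<epoch>.<ms>:<serial>) is already UTC; auditd hex-encodes fields with spaces."""
    for line in text.splitlines():
        rtype, epoch, body = AUDIT_RE.match(line).groups()
        body = re.sub(r"cmd=([0-9A-F]+)\b", lambda m: 'cmd="%s"' % bytes.fromhex(m[1]).decode(), body)
        yield datetime.fromtimestamp(int(epoch), tz=UTC), "audit", f"{rtype} {body}"

def parse_network(text):
    """Capture-host epoch stamps, corrected for the measured clock skew."""
    for line in text.splitlines():
        epoch, src, sport, dst, dport, flags = line.split(",")
        ts = datetime.fromtimestamp(int(float(epoch)), tz=UTC) + SOURCE_SKEW["network"]
        yield ts, "network", f"outbound {src}:{sport} -> {dst}:{dport} {flags}"

# Severity and ATT&CK technique per message pattern (this example's mapping; first match wins).
RULES = [
    (r"Failed password", "HIGH", "T1110.001"),                        # Password Guessing
    (r"Accepted (password|publickey)", "CRITICAL", "T1078"),          # Valid Accounts
    (r'cmd="sudo ', "HIGH", "T1548.003"),                             # Sudo and Sudo Caching
    (r"CRON\[\d+\]: \(\w+\) CMD \(/tmp/", "CRITICAL", "T1053.003"),   # Cron
    (r"-> \S+:4444 ", "CRITICAL", "T1571"),                           # Non-Standard Port
]

def build_timeline(records):
    """Deduplicate by (UTC time, message), classify, and sort chronologically."""
    events, seen = [], set()
    for ts, source, msg in records:
        if (ts, msg) in seen:
            continue
        seen.add((ts, msg))
        sev, tech = next(((s, t) for p, s, t in RULES if re.search(p, msg)), ("INFO", ""))
        events.append({"ts": ts, "sev": sev, "src": source, "tech": tech, "msg": msg})
    events.sort(key=lambda e: e["ts"])
    return events

def correlate(events):
    """Link events to the SSH login they belong to: same sshd PID (session
    records) or same remote IP (brute force before it, C2 after it)."""
    for login in [e for e in events if "Accepted" in e["msg"]]:
        pid = re.search(r"sshd\[(\d+)\]", login["msg"])[1]
        ip = re.search(r" from (\S+)", login["msg"])[1]
        for e in events:
            if e is not login and (f"sshd[{pid}]" in e["msg"] or ip in e["msg"]):
                e["linked_to"] = login["ts"].isoformat()
    return events

def dwell_time(events):
    return events[-1]["ts"] - events[0]["ts"]  # first to last attacker-related activity

def patient_zero(events):
    """Account behind the first successful login."""
    for e in events:
        m = re.search(r"Accepted \w+ for (\S+)", e["msg"])
        if m:
            return m[1]

TIMELINE = correlate(build_timeline([*parse_auth(AUTH_LOG), *parse_journal(JOURNAL),
                                     *parse_audit(AUDIT_LOG), *parse_network(NETWORK_CSV)]))

if __name__ == "__main__":
    for e in TIMELINE:
        print(f"{e['ts']:%Y-%m-%d %H:%M:%S} | {e['sev']:8} | {e['src']:8} | {e['tech']:9} | {e['msg']}")
    print("Dwell:", dwell_time(TIMELINE), "Patient zero:", patient_zero(TIMELINE))
```

Two details worth noting when reading the output. The journal copy of the `Accepted password` line disappears only because both copies were converted to UTC before the `(time, message)` dedup key was built; comparing raw stamps (`23:29:01+0100` against a naive `23:29:01`) would either keep both or, worse, drop a genuinely distinct event. And the audit record is not linked to the login, because this example correlates only on sshd PID and remote IP; tying `pid=3900`/`auid=1001` back to the session needs the process-spawn chain or the audit `ses=` field, which is the gap the skill's "PID correlation" step is meant to close.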
Related Skills
supply-chain-forensics
SBOM analysis, build pipeline forensics, and dependency verification covering package integrity, build reproducibility, and CI/CD pipeline tampering
project-timeline-simulator
Simulate project outcomes with variable modeling, risk assessment, and resource optimization scenarios.
memory-forensics
Volatility 3 memory forensics workflows covering acquisition with LiME and WinPmem, and structured analysis using Volatility 3 plugin reference
linux-forensics
Generalized Linux incident response and forensic analysis covering Debian/Ubuntu, RHEL/CentOS/Rocky, and SUSE families
forensics-triage
Quick triage investigation following RFC 3227 volatility order
forensics-status
Show investigation status dashboard
forensics-report
Generate forensic investigation report
forensics-profile
Build target system profile via SSH or cloud API enumeration
forensics-ioc
Extract and enrich indicators of compromise
forensics-investigate
Full multi-agent investigation workflow
forensics-hunt
Threat hunt using Sigma rules against log sources
forensics-acquire
Evidence acquisition with chain of custody and hash verification