Digital forensics and incident response (DFIR) framework with target profiling, evidence acquisition, multi-source analysis, timeline reconstruction, and forensic reporting.
This framework provides AI-assisted investigation workflows that produce customizable investigation plans rather than host-specific scripts. It starts by researching the target system to build a parameterized profile, then guides structured forensic analysis through the full DFIR lifecycle.
Standards: NIST SP 800-86, MITRE ATT&CK, Sigma Rules, OCSF, STIX 2.1, RFC 3227
```bash
# Deploy the framework
aiwg use forensics

# Profile a target system
/forensics-profile ssh://user@host:port

# Quick triage (volatile data first)
/forensics-triage ssh://user@host:port

# Full investigation
/forensics-investigate ssh://user@host:port --scope full

# Build event timeline
/forensics-timeline .aiwg/forensics/findings/target-2026-02-27/

# Generate forensic report
/forensics-report .aiwg/forensics/ --format full
```

The investigation pipeline, stage by stage:

```text
reconnaissance --> triage --> acquisition --> analysis --> timeline --> reporting
      |              |            |              |             |            |
   profile        volatile     preserve      deep dive     correlate     document
   target         capture      evidence      per-phase     events        findings
```
| Stage | Agent | Output |
|---|---|---|
| Reconnaissance | recon-agent | target-profile.md |
| Triage | triage-agent | triage-findings.md |
| Acquisition | forensic-acquisition-agent | evidence-manifest.yaml + collected data |
| Analysis | log/persistence/container/network/memory/cloud analysts | phase-N-findings.md |
| Timeline | timeline-builder | incident-timeline.md |
| IOC Extraction | ioc-analyst | ioc-register.md |
| Reporting | reporting-agent | forensic-report.md + remediation-plan.md |
| Agent | Stage | Description |
|---|---|---|
| recon-agent | Reconnaissance | Target system profiling and baseline discovery |
| triage-agent | Triage | RFC 3227 volatile data capture and red flag detection |
| forensic-acquisition-agent | Acquisition | Evidence collection with chain of custody |
| log-analyst | Analysis | Auth, system, and application log analysis |
| persistence-hunter | Analysis | Cron, systemd, SSH keys, rootkit, kernel module detection |
| container-analyst | Analysis | Docker and Kubernetes forensics |
| network-analyst | Analysis | Traffic analysis, C2 detection, lateral movement |
| memory-analyst | Analysis | Volatility 3 memory forensics |
| cloud-analyst | Analysis | AWS, Azure, GCP forensic artifact collection |
| timeline-builder | Timeline | Multi-source event correlation |
| ioc-analyst | Analysis | IOC extraction and STIX 2.1 mapping |
| reporting-agent | Reporting | Forensic report generation |
| forensics-orchestrator | Orchestration | Multi-agent workflow coordination |
| Command | Description |
|---|---|
| /forensics-profile | Build target system profile |
| /forensics-triage | Quick triage investigation |
| /forensics-investigate | Full multi-agent investigation |
| /forensics-acquire | Evidence acquisition and preservation |
| /forensics-timeline | Build correlated event timeline |
| /forensics-hunt | Threat hunt with Sigma rules |
| /forensics-ioc | IOC extraction and enrichment |
| /forensics-report | Generate forensic report |
| /forensics-status | Investigation status dashboard |
| Skill | Description |
|---|---|
| target-profiling | Research and build target system profile |
| linux-forensics | Generalized Linux investigation (Debian, RHEL, SUSE) |
| container-forensics | Docker and Kubernetes investigation |
| cloud-forensics | AWS, Azure, GCP investigation |
| memory-forensics | Volatility 3 memory analysis workflows |
| log-analysis | Multi-source log correlation |
| ioc-extraction | IOC identification and enrichment |
| sigma-hunting | Sigma rule-based threat hunting |
| evidence-preservation | Chain of custody procedures |
| supply-chain-forensics | SBOM analysis and build pipeline forensics |
All artifacts are stored in .aiwg/forensics/:
```text
.aiwg/forensics/
├── profiles/            # Target system profiles
├── plans/               # Investigation plans (generated per-target)
├── triage/              # RFC 3227 quick captures and triage summaries
├── evidence/            # Evidence manifests and custody logs
├── findings/            # Per-phase findings organized by target and date
├── timelines/           # Correlated event timelines
├── iocs/                # IOC registers
├── reports/             # Final forensic reports
├── sigma/               # Custom Sigma rules generated during investigation
└── chain-of-custody.md  # Master custody log
```
For cross-framework routing between preventive security, production incident management, and evidence-bearing DFIR, see docs/integrations/dfir-handoff.md.
Detection rules in standard Sigma format, portable to any SIEM backend:
| Rule | Category | Level |
|---|---|---|
| ssh-brute-force-success | Linux | High |
| unauthorized-suid | Linux | High |
| ld-preload-rootkit | Linux | Critical |
| deleted-binary-running | Linux | Critical |
| privileged-container | Docker | High |
| container-escape | Docker | Critical |
| aws-iam-escalation | Cloud | High |
| unusual-api-region | Cloud | Medium |
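To make concrete how a rule in Sigma's `detection`/`condition` layout is applied to events during a hunt, here is an added example that is not part of this framework's rule set and not a full Sigma engine (pySigma is the reference implementation). The rule is the parsed form of a Sigma YAML document with an assumed selection/filter logic for `/etc/ld.so.preload` writes; its field names, the event records and the supported modifier subset are constructed for this illustration and do not reproduce the project's own `ld-preload-rootkit` rule.

```python
"""Constructed illustration of evaluating a Sigma-layout rule against log
events. Not the framework's rule set and not a complete Sigma engine; the
rule logic, field names and events below are assumptions for the example."""

# Parsed Sigma rule (what yaml.safe_load would return for the YAML file).
# The selection/filter logic is an assumed example, not the project's rule.
LD_PRELOAD_RULE = {
    "title": "Write to /etc/ld.so.preload outside package management",
    "logsource": {"product": "linux", "category": "file_event"},
    "detection": {
        "selection": {"TargetFilename": "/etc/ld.so.preload"},
        # package managers legitimately touch this file during upgrades
        "filter": {"Image|endswith": ["/dpkg", "/rpm", "/apt-get"]},
        "condition": "selection and not filter",
    },
    "level": "critical",
}

# Sigma value modifiers supported here (a subset of the specification).
MODIFIERS = {
    "contains": lambda value, pattern: pattern in value,
    "startswith": lambda value, pattern: value.startswith(pattern),
    "endswith": lambda value, pattern: value.endswith(pattern),
}


def field_matches(event, key, expected):
    """One `Field|modifier: value(s)` entry; a list of values is OR-ed."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    value = str(event[field])
    patterns = expected if isinstance(expected, list) else [expected]
    if not modifier:
        return any(value == str(p) for p in patterns)
    if modifier not in MODIFIERS:
        raise ValueError(f"unsupported Sigma modifier: {modifier}")
    return any(MODIFIERS[modifier](value, str(p)) for p in patterns)


def selection_matches(event, selection):
    """A map-style selection AND-s all of its field entries."""
    return all(field_matches(event, key, val) for key, val in selection.items())


def evaluate(rule, event):
    """Evaluate the rule's condition. Supported forms: `<name>` and
    `<name> and not <name>`, the selection/filter pattern used by most
    file- and process-based rules."""
    detection = rule["detection"]
    condition = detection["condition"].strip()
    if " and not " in condition:
        positive, negative = (s.strip() for s in condition.split(" and not ", 1))
        return (selection_matches(event, detection[positive])
                and not selection_matches(event, detection[negative]))
    return selection_matches(event, detection[condition])


def hunt(rule, events):
    """Return the matching events, each tagged with the rule title and level."""
    return [
        {**event, "rule": rule["title"], "level": rule["level"]}
        for event in events if evaluate(rule, event)
    ]


# Constructed file_event records using the field names the rule expects.
SAMPLE_EVENTS = [
    {"TargetFilename": "/etc/ld.so.preload", "Image": "/tmp/setup.sh", "User": "root"},
    {"TargetFilename": "/etc/ld.so.preload", "Image": "/usr/bin/dpkg", "User": "root"},
    {"TargetFilename": "/etc/passwd", "Image": "/usr/sbin/useradd", "User": "root"},
]

if __name__ == "__main__":
    for hit in hunt(LD_PRELOAD_RULE, SAMPLE_EVENTS):
        print(f"[{hit['level']}] {hit['rule']}: {hit['Image']} -> {hit['TargetFilename']}")
```

Only the first event fires: the second is the same write made by `dpkg`, which the `filter` selection removes, and the third touches a different file. Translating the same rule to a SIEM backend changes only the query syntax, not this selection/filter semantics, which is what makes the rules in the table portable.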
| Rule | Level | Description |
|---|---|---|
| evidence-integrity | CRITICAL | SHA-256 hashing and chain of custody |
| volatility-order | HIGH | RFC 3227 collection ordering |
| red-flag-escalation | CRITICAL | 8 immediate escalation triggers |
| non-destructive | CRITICAL | Never modify evidence sources |
- Target Profiling First - The framework starts by researching the target system to build a parameterized investigation plan, replacing hardcoded host profiles.
- Investigation Plans as Artifacts - Generated per-target with target-specific commands, baselines, and red flags.
- Sigma Rules for Detection - Portable detection logic that translates to any SIEM backend.
- OCSF + STIX 2.1 Alignment - Schemas align with industry standards for interoperability.
- AI + Traditional Dual-Path - Every phase documents both AI-assisted and traditional approaches.
- Evidence Integrity as a Rule - Chain of custody and SHA-256 hashing are enforced, not optional.
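The `volatility-order` and `evidence-integrity` rules in the table above, and the "Evidence Integrity as a Rule" principle, describe what an acquisition step must do; the following added example shows one way to implement that. It is not the framework's own `forensic-acquisition-agent`: collection tasks are ordered most-volatile-first per RFC 3227, each output is SHA-256 hashed the moment it is written, recorded in a manifest, and appended to a chain-of-custody log, and `verify_manifest()` re-hashes the set so any later change to the evidence is detected. The manifest layout (JSON rather than the framework's `evidence-manifest.yaml`), the custody-log columns, the file names and the sample collectors are assumptions for this example.

```python
"""Constructed example (not the framework's acquisition agent) of the
volatility-order and evidence-integrity rules: RFC 3227 ordering, SHA-256
at capture, a manifest, a custody log and an integrity re-check.
Manifest layout, file names and sample collectors are assumptions."""
import hashlib
import json
import tempfile
import time
from pathlib import Path

# RFC 3227 section 2.1 order of volatility, most volatile first. The RFC
# groups memory, network state and the process table in one bullet; this
# list splits them into finer buckets so the sort is deterministic.
VOLATILITY_ORDER = [
    "registers_cache", "memory", "network_state", "processes",
    "temp_filesystems", "disk", "remote_logs", "physical_config", "archival",
]
_RANK = {category: i for i, category in enumerate(VOLATILITY_ORDER)}


def order_by_volatility(tasks):
    """Sort tasks most-volatile-first; reject unknown categories so a
    mislabelled task cannot silently run last."""
    for task in tasks:
        if task["category"] not in _RANK:
            raise ValueError(f"unknown volatility category: {task['category']!r}")
    return sorted(tasks, key=lambda t: _RANK[t["category"]])


def sha256_file(path):
    """Stream the file through SHA-256 so large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire(tasks, evidence_dir, examiner):
    """Run collectors in volatility order, hash each output at capture time,
    write evidence-manifest.json and append to chain-of-custody.md."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    custody_log = evidence_dir / "chain-of-custody.md"
    if not custody_log.exists():
        custody_log.write_text("| time (UTC) | examiner | action | item | sha256 |\n|---|---|---|---|---|\n")
    manifest = {"examiner": examiner, "items": []}
    for seq, task in enumerate(order_by_volatility(tasks), start=1):
        out_file = evidence_dir / f"{seq:02d}-{task['name']}.txt"
        # Collectors only read from the source; output goes to the evidence
        # store, never back onto the host under investigation.
        out_file.write_bytes(task["collect"]())
        item = {
            "seq": seq, "name": task["name"], "category": task["category"],
            "file": out_file.name, "sha256": sha256_file(out_file),
            "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        }
        manifest["items"].append(item)
        with custody_log.open("a") as log:
            log.write(f"| {item['collected_at']} | {examiner} | acquired | {item['file']} | {item['sha256']} |\n")
    (evidence_dir / "evidence-manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(evidence_dir):
    """Re-hash every manifest item; return file names whose digest no longer
    matches or that are missing (an empty list means the set is intact)."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "evidence-manifest.json").read_text())
    return [
        item["file"] for item in manifest["items"]
        if not (evidence_dir / item["file"]).exists()
        or sha256_file(evidence_dir / item["file"]) != item["sha256"]
    ]


# Constructed collectors standing in for read-only captures such as the
# text of /proc/meminfo, `ss -tanp`, `ps -ef` and `mount`. They are listed
# out of volatility order on purpose to show the sort doing its job.
SAMPLE_TASKS = [
    {"name": "mounts", "category": "disk", "collect": lambda: b"/dev/sda1 on / type ext4 (rw)\n"},
    {"name": "ps", "category": "processes", "collect": lambda: b"root 1 0 /sbin/init\n"},
    {"name": "ss", "category": "network_state", "collect": lambda: b"ESTAB 10.0.0.5:44321 203.0.113.9:443\n"},
    {"name": "meminfo", "category": "memory", "collect": lambda: b"MemTotal: 16331940 kB\n"},
]


def run_demo():
    """Acquire into a temp directory, verify, tamper with one file, verify again."""
    evidence_dir = tempfile.mkdtemp(prefix="evidence-")
    manifest = acquire(SAMPLE_TASKS, evidence_dir, "examiner@example.invalid")
    clean = verify_manifest(evidence_dir)
    with open(Path(evidence_dir) / "03-ps.txt", "ab") as fh:
        fh.write(b"# edited after acquisition\n")  # simulated post-capture change
    return {"order": [i["name"] for i in manifest["items"]],
            "clean": clean, "tampered": verify_manifest(evidence_dir)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running it shows the tasks executing as meminfo, ss, ps, mounts regardless of how they were listed, a clean first verification, and `03-ps.txt` reported after the simulated edit. Hashing at write time matters: a digest computed later only proves the file has not changed since the hash, not since the capture, which is the gap the custody log's timestamp and examiner columns are there to close.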
| Document | Description |
|---|---|
| docs/methodology.md | NIST 800-86 and SANS PICERL methodology |
| docs/attack-mapping.md | ATT&CK technique-to-artifact guide |
| docs/tool-reference.md | Forensics tool inventory |
| docs/ai-assisted-forensics.md | LLM integration patterns for DFIR |
| docs/research-guide.md | Pre-investigation target research |