Skip to main content
AI/MLjmagly

forensics-profile

Build target system profile via SSH or cloud API enumeration

Stars
141
Source
jmagly/aiwg
Updated
2026-05-31
Slug
jmagly--aiwg--forensics-profile
View on GitHubRaw SKILL.md

// install — copy + paste into any project

mkdir -p .claude/skills && curl -fsSL https://raw.githubusercontent.com/jmagly/aiwg/HEAD/agentic/code/frameworks/forensics-complete/skills/forensics-profile/SKILL.md -o .claude/skills/forensics-profile.md

Drops the SKILL.md into .claude/skills/forensics-profile.md. Works with Claude Code, Cursor, and any agent that loads SKILL.md files from .claude/skills/.

/forensics-profile

Build a comprehensive system profile of the target by enumerating OS details, running services, user accounts, installed packages, network configuration, and security controls. The profile establishes a baseline for subsequent investigation stages.

Usage

/forensics-profile <target> [options]

Arguments

Argument Required Description
target Yes SSH connection string (ssh://user@host:port) or cloud target (aws://account-id/region)
--output No Custom output directory (default: .aiwg/forensics/profiles/<hostname>-<date>/)
--deep No Perform deep enumeration including package inventory and kernel config
--cloud No Cloud provider context: aws, azure, or gcp
--no-network No Skip network enumeration (faster, less intrusive)
--format No Output format: markdown (default) or json

Behavior

When invoked, this command:

  1. Parse Target

    • Resolve hostname or IP from connection string
    • Verify SSH connectivity or cloud API access
    • Detect operating system family (Linux distro, version, kernel)
    • Record target identifier for artifact naming

  2. System Enumeration

    • Collect OS version, kernel version, architecture
    • Enumerate running processes and services
    • List installed packages and versions
    • Check uptime and last reboot time
    • Identify virtualization or container environment

  3. User and Account Inventory

    • Enumerate local user accounts from /etc/passwd
    • Identify privileged users (UID 0, sudo group members)
    • Check for recently created or modified accounts
    • Review /etc/sudoers and sudoers.d entries
    • List active login sessions and recent auth history

  4. Network Baseline

    • Capture listening ports and bound services
    • Document active network connections
    • Record network interfaces and IP assignments
    • Identify firewall rules (iptables, nftables, ufw)
    • Note DNS resolver configuration

  5. Security Control Assessment

    • Check for security tools (auditd, fail2ban, SELinux, AppArmor)
    • Review SSH daemon configuration
    • Identify logging configuration and log rotation
    • Note enabled/disabled security features

  6. Save Profile Artifact

    • Write system-profile.md with structured findings
    • Write system-profile.json for machine processing
    • Generate SHA-256 hash of profile files
    • Log acquisition metadata and timestamps

Examples

Example 1: Basic SSH profile

/forensics-profile ssh://admin@192.168.1.50:22

Example 2: Deep profile with custom output

/forensics-profile ssh://root@10.0.0.5 --deep --output .aiwg/forensics/profiles/web-server/

Example 3: Cloud target

/forensics-profile aws://123456789012/us-east-1 --cloud aws

Example 4: JSON output for pipeline use

/forensics-profile ssh://analyst@host --format json

Output

Artifacts are saved to .aiwg/forensics/profiles/<hostname>-<date>/:

.aiwg/forensics/profiles/web01-2026-02-27/
├── system-profile.md         # Human-readable profile
├── system-profile.json       # Machine-readable profile
├── acquisition-log.yaml      # Timing and metadata
└── checksums.sha256          # Integrity hashes

Sample Output

Profiling Target: 192.168.1.50
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Step 1: Connecting to target
  Connected via SSH (admin@192.168.1.50:22)
  OS detected: Ubuntu 22.04.3 LTS (kernel 5.15.0-91)

Step 2: System enumeration
  Hostname: web01.internal
  Uptime: 47 days, 3 hours
  Architecture: x86_64
  Running services: 23 active units
  Installed packages: 412

Step 3: User inventory
  Total accounts: 28 (4 with shell access)
  Privileged users: root, deploy
  Sudo group members: admin, deploy
  Active sessions: 2

Step 4: Network baseline
  Interfaces: eth0 (10.0.1.50/24), lo
  Listening ports: 22 (sshd), 80 (nginx), 443 (nginx), 3306 (mysqld)
  Active connections: 14 established
  Firewall: ufw active (12 rules)

Step 5: Security controls
  auditd: active
  fail2ban: active (3 jails)
  AppArmor: enforcing (18 profiles)
  SSH: password auth disabled, key-only

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Profile complete.

Output: .aiwg/forensics/profiles/web01-2026-02-27/
Next Steps:
  /forensics-triage ssh://admin@192.168.1.50    - Capture volatile data
  /forensics-investigate ssh://admin@192.168.1.50 --scope full

References

  • @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/agents/recon-agent.md - Recon Agent
  • @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/templates/system-profile.md - Profile template
  • @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/commands/forensics-triage.md - Next stage