Embed badge
Show
Style
[](https://versuz.dev/skills/jmagly-aiwg-plugins-forensics-skills-forensics-profile)Free SKILL.md scraped from GitHub. Clone the repo or copy the file directly into your Claude Code skills directory.
npx versuz@latest install jmagly-aiwg-plugins-forensics-skills-forensics-profilegit clone https://github.com/jmagly/aiwg.gitcp aiwg/SKILL.MD ~/.claude/skills/jmagly-aiwg-plugins-forensics-skills-forensics-profile/SKILL.md--- namespace: aiwg name: forensics-profile platforms: [all] description: Build target system profile via SSH or cloud API enumeration commandHint: argumentHint: "<target> [--output path] [--deep] [--cloud aws|azure|gcp]" category: forensics-reconnaissance --- # /forensics-profile Build a comprehensive system profile of the target by enumerating OS details, running services, user accounts, installed packages, network configuration, and security controls. The profile establishes a baseline for subsequent investigation stages. ## Usage `/forensics-profile <target> [options]` ## Arguments | Argument | Required | Description | |----------|----------|-------------| | target | Yes | SSH connection string (`ssh://user@host:port`) or cloud target (`aws://account-id/region`) | | --output | No | Custom output directory (default: `.aiwg/forensics/profiles/<hostname>-<date>/`) | | --deep | No | Perform deep enumeration including package inventory and kernel config | | --cloud | No | Cloud provider context: `aws`, `azure`, or `gcp` | | --no-network | No | Skip network enumeration (faster, less intrusive) | | --format | No | Output format: `markdown` (default) or `json` | ## Behavior When invoked, this command: 1. **Parse Target** - Resolve hostname or IP from connection string - Verify SSH connectivity or cloud API access - Detect operating system family (Linux distro, version, kernel) - Record target identifier for artifact naming 2. **System Enumeration** - Collect OS version, kernel version, architecture - Enumerate running processes and services - List installed packages and versions - Check uptime and last reboot time - Identify virtualization or container environment 3. **User and Account Inventory** - Enumerate local user accounts from `/etc/passwd` - Identify privileged users (UID 0, sudo group members) - Check for recently created or modified accounts - Review `/etc/sudoers` and sudoers.d entries - List active login sessions and recent auth history 4. **Network Baseline** - Capture listening ports and bound services - Document active network connections - Record network interfaces and IP assignments - Identify firewall rules (iptables, nftables, ufw) - Note DNS resolver configuration 5. **Security Control Assessment** - Check for security tools (auditd, fail2ban, SELinux, AppArmor) - Review SSH daemon configuration - Identify logging configuration and log rotation - Note enabled/disabled security features 6. **Save Profile Artifact** - Write `system-profile.md` with structured findings - Write `system-profile.json` for machine processing - Generate SHA-256 hash of profile files - Log acquisition metadata and timestamps ## Examples ### Example 1: Basic SSH profile ```bash /forensics-profile ssh://admin@192.168.1.50:22 ``` ### Example 2: Deep profile with custom output ```bash /forensics-profile ssh://root@10.0.0.5 --deep --output .aiwg/forensics/profiles/web-server/ ``` ### Example 3: Cloud target ```bash /forensics-profile aws://123456789012/us-east-1 --cloud aws ``` ### Example 4: JSON output for pipeline use ```bash /forensics-profile ssh://analyst@host --format json ``` ## Output Artifacts are saved to `.aiwg/forensics/profiles/<hostname>-<date>/`: ``` .aiwg/forensics/profiles/web01-2026-02-27/ ├── system-profile.md # Human-readable profile ├── system-profile.json # Machine-readable profile ├── acquisition-log.yaml # Timing and metadata └── checksums.sha256 # Integrity hashes ``` ### Sample Output ``` Profiling Target: 192.168.1.50 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Step 1: Connecting to target Connected via SSH (admin@192.168.1.50:22) OS detected: Ubuntu 22.04.3 LTS (kernel 5.15.0-91) Step 2: System enumeration Hostname: web01.internal Uptime: 47 days, 3 hours Architecture: x86_64 Running services: 23 active units Installed packages: 412 Step 3: User inventory Total accounts: 28 (4 with shell access) Privileged users: root, deploy Sudo group members: admin, deploy Active sessions: 2 Step 4: Network baseline Interfaces: eth0 (10.0.1.50/24), lo Listening ports: 22 (sshd), 80 (nginx), 443 (nginx), 3306 (mysqld) Active connections: 14 established Firewall: ufw active (12 rules) Step 5: Security controls auditd: active fail2ban: active (3 jails) AppArmor: enforcing (18 profiles) SSH: password auth disabled, key-only ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Profile complete. Output: .aiwg/forensics/profiles/web01-2026-02-27/ Next Steps: /forensics-triage ssh://admin@192.168.1.50 - Capture volatile data /forensics-investigate ssh://admin@192.168.1.50 --scope full ``` ## References - @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/agents/recon-agent.md - Recon Agent - @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/templates/system-profile.md - Profile template - @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/commands/forensics-triage.md - Next stage