/forensics-status

Display the current status of active or recent forensic investigations. Shows phase completion, finding counts by severity, artifact inventory, and pending work. Provides a quick situational awareness dashboard for ongoing incident response.

Usage

/forensics-status [options]

Arguments

| Argument | Required | Description | |----------|----------|-------------| | --investigation | No | Specific investigation ID to show (e.g., INV-2026-02-27-web01) | | --detailed | No | Show detailed breakdown of each phase and artifact | | --all | No | Show all investigations, including completed ones | | --pending-only | No | Show only investigations with incomplete stages | | --format | No | Output format: markdown (default), json | | --path | No | Investigation root path (default: .aiwg/forensics/) |

Behavior

When invoked, this command:

Discover Investigations
- Scan .aiwg/forensics/ for investigation state files
- Load investigation.yaml for each discovered investigation
- Determine active vs. completed vs. stalled investigations
- Sort by recency (most recent first)
Phase Status Assessment
- Check completion status for each workflow stage
- Map output artifacts to expected stage deliverables
- Flag stages with missing or incomplete outputs
- Identify stages that are in-progress vs. not started
Finding Counts
- Count findings by severity: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL
- Summarize IOC counts by type (IP, domain, hash, etc.)
- Note unreviewed or newly added findings since last status check
- Flag any findings requiring immediate action
Artifact Inventory
- List all collected evidence artifacts
- Note artifacts with pending hash verification
- Identify gaps in evidence (expected artifacts not collected)
- Show total storage used by investigation
Pending Work
- List incomplete stages in priority order
- Identify blocked stages (dependencies not met)
- Surface findings that require follow-up investigation
- List IOCs pending enrichment or validation
Timeline Status
- Note earliest and latest events in investigation window
- Show attacker dwell time if timeline is complete
- Flag time gaps in log coverage
Render Dashboard
- Display formatted status view
- Use visual progress indicators for stage completion
- Highlight CRITICAL findings prominently
- Provide next-step command suggestions

Examples

Example 1: Current investigation status

/forensics-status

Example 2: Detailed breakdown

/forensics-status --detailed

Example 3: Specific investigation

/forensics-status --investigation INV-2026-02-27-web01

Example 4: All investigations including completed

/forensics-status --all

Example 5: JSON export for tooling

/forensics-status --format json

Output

Status is displayed to console. Optional JSON export to .aiwg/forensics/reports/status.json.

Sample Output (standard)

Investigation Status Dashboard
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Active Investigations: 1
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

INV-2026-02-27-web01 | ACTIVE | Confirmed Breach | web01.internal
────────────────────────────────────────────────────────────────

Phases:
  Reconnaissance   [COMPLETE]  system-profile.md
  Triage           [COMPLETE]  triage-summary.md   Threat: 87/100 CRITICAL
  Acquisition      [COMPLETE]  14 artifacts (140.6 MB)
  Analysis         [COMPLETE]  16 findings
  Timeline         [COMPLETE]  incident-timeline.md
  IOC Extraction   [COMPLETE]  12 IOCs
  Report           [PENDING]   not started

Findings:
  CRITICAL:  2   HIGH: 5   MEDIUM: 6   LOW: 3   INFO: 0
  Total: 16 findings across 5 analysis domains

IOCs:
  IP addresses: 2 (1 known malicious)
  Domains:      1 (1 known C2)
  File hashes:  1
  File paths:   3
  Accounts:     2

Evidence:
  Artifacts collected: 14
  Storage: 140.6 MB
  Integrity: 14/14 verified

Investigation Window:
  Start: 2026-02-26T22:14:33Z (first attacker activity)
  End:   2026-02-27T02:15:00Z (last seen)
  Dwell: 4h 0m 27s

Pending Work:
  1. /forensics-report .aiwg/forensics/ --format full
     Generate final investigation report

  2. Validate: 3 IOCs pending enrichment
     /forensics-ioc .aiwg/forensics/ --enrich

────────────────────────────────────────────────────────────────
Last updated: 2026-02-27T15:02:10Z

Sample Output (detailed)

Investigation Status Dashboard (Detailed)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

INV-2026-02-27-web01
  Target:       192.168.1.50 (web01.internal)
  Started:      2026-02-27T14:30:00Z
  Duration:     31m 44s (analysis), report pending
  Investigator: analyst
  Scope:        full

Phase Detail:
─────────────────────────────────────────────────────────────────

Reconnaissance [COMPLETE, 14:31:42Z, 102s]
  Artifacts:
    system-profile.md (web01-2026-02-27) - 8.4 KB
    system-profile.json                  - 12.1 KB

Triage [COMPLETE, 14:34:15Z, 153s]
  Threat Score: 87/100 (CRITICAL)
  Red Flags:    5 (2 CRITICAL, 2 HIGH, 1 MEDIUM)
  Artifacts:
    triage-summary.md       - 14.2 KB
    volatile/process-list   - 42.1 KB
    volatile/network-conn.  - 8.3 KB

Acquisition [COMPLETE, 14:39:02Z, 287s]
  Evidence collected: 14 artifacts
  Total size: 140.6 MB
  Integrity: 14/14 VERIFIED
  Artifacts:
    auth.log (4.2 MB)        SHA256 VERIFIED
    syslog (12.8 MB)         SHA256 VERIFIED
    journal (87.3 MB)        SHA256 VERIFIED
    [11 more artifacts...]

Analysis [COMPLETE, 14:55:09Z, 967s]
  Log Analyst:         8 findings (1 CRITICAL, 3 HIGH, 3 MEDIUM, 1 LOW)
  Persistence Hunter:  3 findings (1 CRITICAL, 2 HIGH)
  Network Analyst:     5 findings (2 HIGH, 2 MEDIUM, 1 LOW)
  Container Analyst:   skipped (no containers detected)
  Memory Analyst:      skipped (no memory image)

Timeline [COMPLETE, 14:57:33Z, 144s]
  Events: 312 significant (from 1,247 raw)
  Attack phases: Initial Access -> Execution -> Persistence -> C2
  Patient zero: account 'deploy'
  Dwell time: 4h 0m 27s

IOC Extraction [COMPLETE, 14:59:01Z, 88s]
  IOCs extracted: 12
  Enriched: 4 (3 pending)
  Actionable (block): 3 IPs, 1 domain
  For scanning: 1 file hash

Report [PENDING]
  Run: /forensics-report .aiwg/forensics/ --format full

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Recommended Next Action:
  /forensics-report .aiwg/forensics/ --format full

References

@$AIWG_ROOT/agentic/code/frameworks/forensics-complete/agents/forensics-orchestrator.md - Orchestrator
@$AIWG_ROOT/agentic/code/frameworks/forensics-complete/commands/forensics-investigate.md - Full workflow
@$AIWG_ROOT/agentic/code/frameworks/forensics-complete/commands/forensics-report.md - Report generation

/forensics-status

Usage

/forensics-status [options]

Arguments

Behavior

When invoked, this command:

Discover Investigations
- Scan .aiwg/forensics/ for investigation state files
- Load investigation.yaml for each discovered investigation
- Determine active vs. completed vs. stalled investigations
- Sort by recency (most recent first)
Phase Status Assessment
- Check completion status for each workflow stage
- Map output artifacts to expected stage deliverables
- Flag stages with missing or incomplete outputs
- Identify stages that are in-progress vs. not started
Finding Counts
- Count findings by severity: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL
- Summarize IOC counts by type (IP, domain, hash, etc.)
- Note unreviewed or newly added findings since last status check
- Flag any findings requiring immediate action
Artifact Inventory
- List all collected evidence artifacts
- Note artifacts with pending hash verification
- Identify gaps in evidence (expected artifacts not collected)
- Show total storage used by investigation
Pending Work
- List incomplete stages in priority order
- Identify blocked stages (dependencies not met)
- Surface findings that require follow-up investigation
- List IOCs pending enrichment or validation
Timeline Status
- Note earliest and latest events in investigation window
- Show attacker dwell time if timeline is complete
- Flag time gaps in log coverage
Render Dashboard
- Display formatted status view
- Use visual progress indicators for stage completion
- Highlight CRITICAL findings prominently
- Provide next-step command suggestions

Examples

Example 1: Current investigation status

/forensics-status

Example 2: Detailed breakdown

/forensics-status --detailed

Example 3: Specific investigation

/forensics-status --investigation INV-2026-02-27-web01

Example 4: All investigations including completed

/forensics-status --all

Example 5: JSON export for tooling

/forensics-status --format json

Output

Status is displayed to console. Optional JSON export to .aiwg/forensics/reports/status.json.

Sample Output (standard)

Investigation Status Dashboard
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Active Investigations: 1
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

INV-2026-02-27-web01 | ACTIVE | Confirmed Breach | web01.internal
────────────────────────────────────────────────────────────────

Phases:
  Reconnaissance   [COMPLETE]  system-profile.md
  Triage           [COMPLETE]  triage-summary.md   Threat: 87/100 CRITICAL
  Acquisition      [COMPLETE]  14 artifacts (140.6 MB)
  Analysis         [COMPLETE]  16 findings
  Timeline         [COMPLETE]  incident-timeline.md
  IOC Extraction   [COMPLETE]  12 IOCs
  Report           [PENDING]   not started

Findings:
  CRITICAL:  2   HIGH: 5   MEDIUM: 6   LOW: 3   INFO: 0
  Total: 16 findings across 5 analysis domains

IOCs:
  IP addresses: 2 (1 known malicious)
  Domains:      1 (1 known C2)
  File hashes:  1
  File paths:   3
  Accounts:     2

Evidence:
  Artifacts collected: 14
  Storage: 140.6 MB
  Integrity: 14/14 verified

Investigation Window:
  Start: 2026-02-26T22:14:33Z (first attacker activity)
  End:   2026-02-27T02:15:00Z (last seen)
  Dwell: 4h 0m 27s

Pending Work:
  1. /forensics-report .aiwg/forensics/ --format full
     Generate final investigation report

  2. Validate: 3 IOCs pending enrichment
     /forensics-ioc .aiwg/forensics/ --enrich

────────────────────────────────────────────────────────────────
Last updated: 2026-02-27T15:02:10Z

Sample Output (detailed)

Investigation Status Dashboard (Detailed)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

INV-2026-02-27-web01
  Target:       192.168.1.50 (web01.internal)
  Started:      2026-02-27T14:30:00Z
  Duration:     31m 44s (analysis), report pending
  Investigator: analyst
  Scope:        full

Phase Detail:
─────────────────────────────────────────────────────────────────

Reconnaissance [COMPLETE, 14:31:42Z, 102s]
  Artifacts:
    system-profile.md (web01-2026-02-27) - 8.4 KB
    system-profile.json                  - 12.1 KB

Triage [COMPLETE, 14:34:15Z, 153s]
  Threat Score: 87/100 (CRITICAL)
  Red Flags:    5 (2 CRITICAL, 2 HIGH, 1 MEDIUM)
  Artifacts:
    triage-summary.md       - 14.2 KB
    volatile/process-list   - 42.1 KB
    volatile/network-conn.  - 8.3 KB

Acquisition [COMPLETE, 14:39:02Z, 287s]
  Evidence collected: 14 artifacts
  Total size: 140.6 MB
  Integrity: 14/14 VERIFIED
  Artifacts:
    auth.log (4.2 MB)        SHA256 VERIFIED
    syslog (12.8 MB)         SHA256 VERIFIED
    journal (87.3 MB)        SHA256 VERIFIED
    [11 more artifacts...]

Analysis [COMPLETE, 14:55:09Z, 967s]
  Log Analyst:         8 findings (1 CRITICAL, 3 HIGH, 3 MEDIUM, 1 LOW)
  Persistence Hunter:  3 findings (1 CRITICAL, 2 HIGH)
  Network Analyst:     5 findings (2 HIGH, 2 MEDIUM, 1 LOW)
  Container Analyst:   skipped (no containers detected)
  Memory Analyst:      skipped (no memory image)

Timeline [COMPLETE, 14:57:33Z, 144s]
  Events: 312 significant (from 1,247 raw)
  Attack phases: Initial Access -> Execution -> Persistence -> C2
  Patient zero: account 'deploy'
  Dwell time: 4h 0m 27s

IOC Extraction [COMPLETE, 14:59:01Z, 88s]
  IOCs extracted: 12
  Enriched: 4 (3 pending)
  Actionable (block): 3 IPs, 1 domain
  For scanning: 1 file hash

Report [PENDING]
  Run: /forensics-report .aiwg/forensics/ --format full

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Recommended Next Action:
  /forensics-report .aiwg/forensics/ --format full

References

@$AIWG_ROOT/agentic/code/frameworks/forensics-complete/agents/forensics-orchestrator.md - Orchestrator
@$AIWG_ROOT/agentic/code/frameworks/forensics-complete/commands/forensics-investigate.md - Full workflow
@$AIWG_ROOT/agentic/code/frameworks/forensics-complete/commands/forensics-report.md - Report generation

Adoption

jmagly/forensics-status

$ install --global

Security Scan Results

SKILL.md

/forensics-status

Usage

Arguments

Behavior

Examples

Example 1: Current investigation status

Example 2: Detailed breakdown

Example 3: Specific investigation

Example 4: All investigations including completed

Example 5: JSON export for tooling

Output

Sample Output (standard)

Sample Output (detailed)

References

Related Skills

jmagly/radar-status

jmagly/radar-report

jmagly/radar-init

jmagly/profile-temporal

jmagly/forensics-status

$ install --global

Security Scan Results

SKILL.md

/forensics-status

Usage

Arguments

Behavior

Examples

Example 1: Current investigation status

Example 2: Detailed breakdown

Example 3: Specific investigation

Example 4: All investigations including completed

Example 5: JSON export for tooling

Output

Sample Output (standard)

Sample Output (detailed)

References

Related Skills

jmagly/radar-status

jmagly/radar-report

jmagly/radar-init

jmagly/profile-temporal