{ "framework": "forensics-complete", "version": "1.0.0", "description": "Complete digital forensics and incident response framework with 13 specialized agents", "agents": [ { "id": "forensics-recon-agent", "name": "Recon Agent", "file": "recon-agent.md", "description": "Target reconnaissance and system profiling", "stage": "reconnaissance", "capabilities": ["system_discovery", "service_enumeration", "user_inventory", "network_baseline", "security_assessment"], "tools": ["Bash", "Read", "Write", "Glob", "Grep"], "model": "sonnet" }, { "id": "forensics-triage-agent", "name": "Triage Agent", "file": "triage-agent.md", "description": "Quick triage and volatile data capture following RFC 3227", "stage": "triage", "capabilities": ["volatile_capture", "red_flag_detection", "quick_assessment", "network_snapshot", "process_inventory"], "tools": ["Bash", "Read", "Write", "Glob", "Grep"], "model": "sonnet" }, { "id": "forensics-forensic-acquisition-agent", "name": "Forensic Acquisition Agent", "file": "forensic-acquisition-agent.md", "description": "Evidence collection with chain of custody and hash verification", "stage": "acquisition", "capabilities": ["evidence_collection", "hash_verification", "chain_of_custody", "log_preservation", "forensic_imaging"], "tools": ["Bash", "Read", "Write", "Glob", "Grep"], "model": "sonnet" }, { "id": "forensics-log-analyst", "name": "Log Analyst", "file": "log-analyst.md", "description": "Authentication, system, and application log analysis", "stage": "analysis", "capabilities": ["auth_log_analysis", "syslog_analysis", "journal_analysis", "brute_force_detection", "privilege_escalation_detection"], "tools": ["Bash", "Read", "Write", "Glob", "Grep"], "model": "sonnet" }, { "id": "forensics-persistence-hunter", "name": "Persistence Hunter", "file": "persistence-hunter.md", "description": "Cron, systemd, authorized_keys, rootkit, and kernel module persistence detection", "stage": "analysis", "capabilities": ["cron_detection", 
"systemd_persistence", "ssh_key_audit", "rootkit_detection", "kernel_module_analysis", "pam_tampering"], "tools": ["Bash", "Read", "Write", "Glob", "Grep"], "model": "sonnet" }, { "id": "forensics-container-analyst", "name": "Container Analyst", "file": "container-analyst.md", "description": "Docker and Kubernetes forensics and container escape detection", "stage": "analysis", "capabilities": ["container_inventory", "privilege_escalation", "image_integrity", "volume_analysis", "container_network"], "tools": ["Bash", "Read", "Write", "Glob", "Grep"], "model": "sonnet" }, { "id": "forensics-network-analyst", "name": "Network Analyst", "file": "network-analyst.md", "description": "Traffic analysis, C2 detection, and lateral movement identification", "stage": "analysis", "capabilities": ["connection_analysis", "dns_analysis", "beaconing_detection", "lateral_movement", "c2_detection"], "tools": ["Bash", "Read", "Write", "Glob", "Grep"], "model": "sonnet" }, { "id": "forensics-memory-analyst", "name": "Memory Analyst", "file": "memory-analyst.md", "description": "Volatility 3 memory forensics for process, network, and rootkit analysis", "stage": "analysis", "capabilities": ["memory_acquisition", "process_analysis", "rootkit_detection", "injected_code", "credential_extraction"], "tools": ["Bash", "Read", "Write", "Glob", "Grep"], "model": "opus" }, { "id": "forensics-cloud-analyst", "name": "Cloud Analyst", "file": "cloud-analyst.md", "description": "AWS, Azure, and GCP forensic artifact collection and analysis", "stage": "analysis", "capabilities": ["cloudtrail_analysis", "iam_review", "flow_log_analysis", "api_anomaly_detection", "resource_inventory"], "tools": ["Bash", "Read", "Write", "Glob", "Grep", "WebFetch"], "model": "sonnet" }, { "id": "forensics-timeline-builder", "name": "Timeline Builder", "file": "timeline-builder.md", "description": "Multi-source event correlation and attack chain reconstruction", "stage": "timeline", "capabilities": ["event_correlation", 
"timestamp_normalization", "attack_chain", "patient_zero", "timeline_visualization"], "tools": ["Bash", "Read", "Write", "Glob", "Grep"], "model": "opus" }, { "id": "forensics-ioc-analyst", "name": "IOC Analyst", "file": "ioc-analyst.md", "description": "IOC extraction, enrichment, and STIX 2.1 observable mapping", "stage": "analysis", "capabilities": ["ioc_extraction", "threat_enrichment", "stix_mapping", "detection_rules", "misp_integration"], "tools": ["Bash", "Read", "Write", "Glob", "Grep", "WebFetch"], "model": "sonnet" }, { "id": "forensics-reporting-agent", "name": "Reporting Agent", "file": "reporting-agent.md", "description": "Forensic report generation with executive summary and remediation plan", "stage": "reporting", "capabilities": ["finding_compilation", "severity_classification", "executive_summary", "remediation_planning", "evidence_documentation"], "tools": ["Read", "Write", "Glob", "Grep"], "model": "sonnet" }, { "id": "forensics-orchestrator", "name": "Forensics Orchestrator", "file": "forensics-orchestrator.md", "description": "Multi-agent investigation workflow coordination", "stage": "orchestration", "capabilities": ["workflow_coordination", "agent_delegation", "artifact_handoff", "quality_gates", "status_tracking"], "tools": ["Bash", "Read", "Write", "Glob", "Grep", "Task"], "model": "opus" } ], "workflow_stages": [ { "stage": "reconnaissance", "agents": ["forensics-recon-agent"], "description": "Profile target system, discover services, establish baseline" }, { "stage": "triage", "agents": ["forensics-triage-agent"], "description": "Capture volatile data, detect active threats, quick assessment" }, { "stage": "acquisition", "agents": ["forensics-forensic-acquisition-agent"], "description": "Collect and preserve evidence with chain of custody" }, { "stage": "analysis", "agents": ["forensics-log-analyst", "forensics-persistence-hunter", "forensics-container-analyst", "forensics-network-analyst", "forensics-memory-analyst", 
"forensics-cloud-analyst", "forensics-ioc-analyst"], "description": "Deep-dive analysis across multiple domains" }, { "stage": "timeline", "agents": ["forensics-timeline-builder"], "description": "Correlate events across sources, reconstruct attack chain" }, { "stage": "reporting", "agents": ["forensics-reporting-agent"], "description": "Compile findings into forensic report with remediation plan" }, { "stage": "orchestration", "agents": ["forensics-orchestrator"], "description": "Coordinate multi-agent investigation workflow" } ], "metadata": { "created": "2026-02-27", "last_updated": "2026-02-27", "version": "1.0.0", "total_agents": 13, "status": "active" } }