{
  "id": "forensics-complete",
  "type": "framework",
  "name": "Forensics Complete",
  "version": "1.0.0",
  "description": "Digital forensics and incident response framework with target profiling, evidence acquisition, multi-source analysis, timeline reconstruction, and forensic reporting.",
  "modeAliases": [
    "forensics",
    "dfir"
  ],
  "entry": {
    "agents": "agents",
    "skills": "skills",
    "templates": "templates",
    "rules": "rules"
  },
  "workspace": {
    "subdirs": [
      "profiles",
      "plans",
      "evidence",
      "findings",
      "timelines",
      "iocs",
      "reports",
      "sigma"
    ]
  },
  "standards": [
    "NIST SP 800-86",
    "MITRE ATT&CK",
    "Sigma Rules",
    "OCSF",
    "STIX 2.1",
    "RFC 3227"
  ],
  "metadata": {
    "created": "2026-02-27",
    "last_updated": "2026-02-27",
    "total_agents": 13,
    "total_commands": 0,
    "total_skills": 20,
    "total_rules": 4,
    "status": "active"
  },
  "memory": {
    "creates": [
      { "path": ".aiwg/forensics/",            "description": "Forensics root directory" },
      { "path": ".aiwg/forensics/profiles/",   "description": "Target profiles" },
      { "path": ".aiwg/forensics/plans/",      "description": "Investigation plans" },
      { "path": ".aiwg/forensics/evidence/",   "description": "Acquired evidence and images" },
      { "path": ".aiwg/forensics/findings/",   "description": "Analysis findings" },
      { "path": ".aiwg/forensics/timelines/",  "description": "Event timelines" },
      { "path": ".aiwg/forensics/iocs/",       "description": "Indicators of compromise" },
      { "path": ".aiwg/forensics/reports/",    "description": "Forensic reports" },
      { "path": ".aiwg/forensics/sigma/",      "description": "Sigma detection rules" }
    ],
    "topology": {
      "namespace": ".aiwg/forensics",
      "rawSources": ".aiwg/forensics/evidence",
      "derivedPages": {
        "profile": ".aiwg/forensics/profiles",
        "finding": ".aiwg/forensics/findings",
        "timeline": ".aiwg/forensics/timelines",
        "ioc": ".aiwg/forensics/iocs",
        "synthesis": ".aiwg/forensics/reports"
      },
      "index": ".aiwg/forensics/index.md",
      "log": ".aiwg/forensics/.log.jsonl",
      "crossRefStyle": "at-mention",
      "pageTemplate": "templates/forensics-finding.md",
      "ingestRequires": ["provenance"],
      "lintRules": ["link-check", "mention-lint"]
    }
  }
}