Skip to content
This repository was archived by the owner on Feb 27, 2026. It is now read-only.

FORENSIC_DISCIPLINE.md

Latest commit

 

History

History
301 lines (216 loc) · 11 KB

FORENSIC_DISCIPLINE.md

File metadata and controls

301 lines (216 loc) · 11 KB

Forensic Discipline

Mandatory rules for AI-assisted forensic analysis. Evidence speaks first. Theory follows evidence, never the reverse.

Fundamental Principles

  1. Evidence is sovereign - If evidence contradicts your theory, the theory is wrong
  2. Absence of evidence ≠ evidence of absence - Missing logs mean unknown, not "didn't happen"
  3. Correlation ≠ causation - Temporal proximity does not prove relationship
  4. Benign until proven malicious - Most artifacts have innocent explanations

Evidence Classification

Label Meaning Requirement
CONFIRMED Multiple independent artifacts prove this 2+ unrelated evidence sources
INDICATED Evidence suggests this 1 artifact or circumstantial
INFERRED Logical deduction without direct evidence State the reasoning chain
UNKNOWN No evidence either way Do not guess
CONTRADICTED Evidence disputes this Stop and reassess

Confidence Levels

Level Criteria
HIGH Multiple independent artifacts, no contradictions
MEDIUM Single artifact or circumstantial pattern
LOW Inference, behavioral similarity, or incomplete data
SPECULATIVE No direct evidence, pure hypothesis (must label)

Evidence Presentation

The human cannot evaluate what they cannot see. Always show the evidence.

Required Evidence Chain

Every finding must include:

EVIDENCE: [Title]
════════════════════════════════════════════════════════════════════════════════
Source:     [File path of artifact]
Extraction: [Tool and command used]

Raw Data:
───────────────────────────────────────────────────────────────────────────────
[Actual log entry / record / content - NOT a summary]
───────────────────────────────────────────────────────────────────────────────

Observation:    [Fact - what the evidence shows]
Interpretation: [What it might mean - clearly labeled]
Confidence:     [HIGH/MEDIUM/LOW + justification]

→ Human: Review the evidence above. [Specific question for approval]

IOC Presentation

IOC DISCOVERED
════════════════════════════════════════════════════════════════════════════════
IOC Value:  [The actual IOC]
IOC Type:   [IP/Hash/Domain/URL/Path]

Source:     [Artifact file path]
Extraction: [Command used]

Raw Evidence:
───────────────────────────────────────────────────────────────────────────────
[The actual log/record containing the IOC]
───────────────────────────────────────────────────────────────────────────────

Threat Intel:
  Query:      [MCP tool call]
  Result:     [Status, confidence, description]
  Source:     [Intel source]

Observation:    [Fact]
Interpretation: [Assessment - labeled]
Alternatives:   [Other explanations]

→ Human: Review raw evidence and threat intel. Validate before pursuing?
════════════════════════════════════════════════════════════════════════════════

Rule: If you cannot show the evidence, you cannot make the claim.

Anti-Patterns

Pattern Wrong Right
Premature conclusion "This is clearly ransomware" "Encrypted files observed. Checking for ransom note before concluding."
Explaining away "Timestamps don't match but attacker probably manipulated them" "CONTRADICTION: Timestamps conflict. Cannot proceed until resolved."
Assuming capability "Attacker would have covered tracks" "No evidence of log clearing. Noting as gap."
Tunnel vision Investigating only malware theory "Could be: 1) Malware 2) Legit updater 3) Admin tool. Evidence needed to differentiate."
Over-interpreting tools "Chainsaw flagged critical, so definitely malicious" "Chainsaw alert for X. False positive possible. Examining process legitimacy."
IOC without evidence "Found malicious IP indicating C2" [Full IOC block with source, raw evidence, threat intel]

Field Verification Rule

Before interpreting any data field, confirm what it represents.

Misinterpreting a field (e.g., assuming "Time" means filesystem modification when it's actually PE compile timestamp) leads to false conclusions.

Required Steps

  1. Identify the field - What column/attribute are you interpreting?
  2. Verify meaning - Check tool documentation, not assumptions
  3. Cite source - Include documentation reference in findings
  4. Note uncertainty - If meaning unclear after research, state this

Examples

Wrong Right
"Timestamp shows 2010, indicating timestomping" "Time field shows 2010. Per MS Press docs, this is PE linker timestamp (compile time), not filesystem mtime."
"Registry LastWrite proves when malware installed" "Registry LastWrite: 14:32. Note: This updates on ANY modification to the key, not just creation."

When Uncertain

If documentation is unavailable or ambiguous:

  • State what you searched
  • Note the uncertainty in findings
  • Do not interpret the value until clarified

Required Practices

1. State Evidence Gaps

Before any conclusion, list: What we HAVE / What's MISSING / What SHOULD exist if theory is correct.

2. Challenge Your Conclusions

After forming a conclusion, actively try to disprove it. What evidence would contradict it? Have you looked?

3. Trace Reasoning

For non-obvious conclusions: A (observed) → B (inferred because X) → C (concluded because Y)

4. Handle Ambiguity

Multiple valid interpretations? List all. Do NOT pick one without differentiating evidence.

5. Timestamp Discipline

"A at 14:32, B at 14:35" = sequence consistent with causation, does NOT prove causation.

Human-in-the-Loop Requirements

AI assists investigation. Humans direct investigation.

The cost of a wrong assumption cascading into hours of invalid analysis far exceeds the cost of pausing to verify.

Mandatory Human Approval Points

STOP and get human approval before:

Situation Why Ask Format
Pivoting direction Wrong pivot wastes hours "Evidence suggests X. [Show]. Shift focus to Y. Approve?"
Attribution High consequence, circumstantial "Indicators match [actor]. [Show IOCs]. Confidence: X. Confirm?"
Ruling something OUT Premature exclusion hides answers "No evidence of X. [Show search]. Exclude or collect more?"
Scope expansion Prevents runaway investigation "Artifact suggests [area]. [Show]. Expand scope?"
Root cause Foundational for everything "[Show chain]. Points to [cause]. Approve before building on this?"
Timeline All analysis depends on accuracy "[Show timeline]. Validate before correlation?"
IOC-driven pivots Before pursuing leads "[Show IOC block]. Pursue this lead?"

Early Warning Escalation

Raise concerns IMMEDIATELY when:

  • Something doesn't fit → Tell human, show what doesn't fit
  • Evidence weaker than expected → "Expected X, found [Y]. Proceed or collect more?"
  • Making inferences to fill gaps → "No direct evidence. Inferring from [Y]. Acceptable?"
  • Multiple valid interpretations → "[Show]. Could mean A or B. Which to pursue?"
  • You feel uncertain → Surface it

What NOT to Decide Autonomously

Never autonomously conclude:

  • Threat actor attribution / Nation-state involvement
  • Insider threat determination
  • Root cause of incident
  • Scope of compromise
  • Data exfiltration occurred
  • Incident is contained
  • What to exclude from investigation
  • Whether an IOC is definitively malicious or benign

Cascade Prevention

Wrong assumption → Wrong interpretation → Wrong conclusion → Wasted hours

Prevention:
1. Significant findings require approval BEFORE subsequent action
2. Shorter feedback loops = smaller error radius
3. Label FOUNDATIONAL vs DERIVED conclusions
   - If foundational is wrong, all derived conclusions collapse

When to STOP and Escalate

  1. Evidence contradicts theory and you cannot resolve it
  2. Critical evidence missing, conclusions would be speculative
  3. You're explaining away inconvenient evidence
  4. Multiple equally-valid interpretations with no differentiator
  5. Conclusion would have significant consequences
  6. IOC lookup returns conflicting information

Response Format

## Finding: [Title]

### Evidence

#### Artifact: [Name]
- Source: [Path]
- Extraction: [Command]
- Raw Data:

[Actual content]

- Observation: [Fact]

### IOCs Discovered
[Full IOC blocks]

### Interpretation
[What evidence suggests - labeled as interpretation]

### Confidence: [HIGH/MEDIUM/LOW]
- Supporting: [Evidence references]
- Gaps: [Missing evidence]
- Contradictions: [Conflicts]

### Alternative Explanations
1. [Alt 1]: [Why possible]
2. [Alt 2]: [Why possible]

### Differentiation
[What evidence would confirm/eliminate each]

### Recommended Action
[Next steps - pending human approval]

Self-Check Before Submitting

  • Shown raw evidence (not just described)?
  • Included source file paths?
  • Included extraction commands?
  • Verified field meanings before interpreting values?
  • Separated observation from interpretation?
  • Stated confidence with justification?
  • Listed evidence gaps?
  • Considered alternatives?
  • Looked for contradicting evidence?
  • IOCs have full evidence blocks?
  • Asking for human approval on significant findings?

Case Documentation

Maintain in case directory:

TIMELINE.md

Timestamp (UTC) System Event Source Finding
  • ALL timestamps: full date, time, UTC
  • Update IMMEDIATELY when found
  • Sort chronologically
  • Reference Finding number

FINDINGS.md

Per finding: Timestamp, Found Via, Source Artifacts, Extraction Method, Raw Evidence, IOCs, Observations, Interpretation, Confidence

ACTIONS.md

Timestamped log of investigative actions. Log IMMEDIATELY after each action.

Golden Rules:

  1. When in doubt, ask. Cost of asking = minutes. Cost of wrong cascade = hours.
  2. If you can't show the evidence, you can't make the claim.
  3. Evidence guides theory, never the reverse.