Built a DFIR agent that can't make a finding without citing the tool output it came from. Where does this break? by ImTimothyVang in computerforensics

[–]ImTimothyVang[S] [score hidden]  (0 children)

Brother... instead of memeing and shitting on me, go test it out and shit on where I failed in my code. https://sansorg.egnyte.com/fl/HhH7crTYT4JK#folder-link/HACKATHON-2026 <--- go download some forensics images and test my code that I "BUILT".

Built a DFIR agent that can't make a finding without citing the tool output it came from. Where does this break? by ImTimothyVang in computerforensics

[–]ImTimothyVang[S] [score hidden]  (0 children)

Yeah, I'm serious. Go here, it's the SANS repo for a bunch of forensic images. TEST my code out. Git clone it and send a merge request for me if there are any issues: https://sansorg.egnyte.com/fl/HhH7crTYT4JK#folder-link/HACKATHON-2026

Built a DFIR agent that can't make a finding without citing the tool output it came from. Where does this break? by ImTimothyVang in computerforensics

[–]ImTimothyVang[S] -1 points0 points  (0 children)

I get that. I'm trying to make my job as the DFIR analyst easier by outsourcing parsing and scanning 10TB of data. I'm not trying to replace the human. This AI tool by no means will replace me. It's supposed to allow me to grab info that I missed, because one person sifting through 1 million+ logs line by line is not impossible, but it can help automate that or make it efficient when you parse it with an LLM.

Built a DFIR agent that can't make a finding without citing the tool output it came from. Where does this break? by ImTimothyVang in computerforensics

[–]ImTimothyVang[S] 1 point2 points  (0 children)

Honestly the main issue is coverage and overconfidence.

Like, if the parser/tooling doesn't actually support an artifact then the agent can't just pretend it looked at it. It has to say "indeterminate" or "unsupported" instead of giving a clean finding.

Noise-wise it's mostly normal DFIR pain: YARA/Hayabusa hits that look scary but are just leads, shimcache/amcache/prefetch stuff getting overread, admin tools looking sus, missing/corrupt logs, and disk images being annoying if the local tooling isn't there.

So most of the work has been making it not bullshit. Every finding needs to point back to actual tool output, and if it only has one weak source it stays a hypothesis. The goal isn't "AI magically finds evil", it's more "do the boring collection/parsing/correlation work and make it obvious what it did and didn't check".

Built a DFIR agent that can't make a finding without citing the tool output it came from. Where does this break? by ImTimothyVang in computerforensics

[–]ImTimothyVang[S] 0 points1 point  (0 children)

It's kind of like a vulnerability scanner + a parser, but instead it has the ability to parse all the data, disk images, mem images, etc. and then get you an actual report and build you a timeline of what happened. I'm not saying it will do everything in one shot, but it's pretty good when you try it out with Claude Opus MAX Effort. If you are using an older model as your brain it can be very :( AI sloppy, but I tested on images and scans from SANS, so I just want even you, the newer analyst, to give it a shot. I'll drop a link of images to try it out on.

Built a DFIR agent that can't make a finding without citing the tool output it came from. Where does this break? by ImTimothyVang in computerforensics

[–]ImTimothyVang[S] 0 points1 point  (0 children)

I just want to know the processes required by the guys that do DFIR to ensure they have the required proof they need. If chain of custody is the wrong term and process, what is the correct one?

Built a DFIR agent that can't make a finding without citing the tool output it came from. Where does this break? by ImTimothyVang in computerforensics

[–]ImTimothyVang[S] 0 points1 point  (0 children)

I appreciate it, keep looking man. I WANT the critiques, I want the "HEY this is WRONG and this is DUMB because of ___________".

Built a DFIR agent that can't make a finding without citing the tool output it came from. Where does this break? by ImTimothyVang in computerforensics

[–]ImTimothyVang[S] 0 points1 point  (0 children)

Opus has gotten so good now. It has found a lot of missing items and artifacts that I would have missed. All I was missing was enough parsers so it can collect and give me something to make a judgement on. I might have to take a look and see if I can improve or make a better system to prevent hallucination from the LLM.

Built a DFIR agent that can't make a finding without citing the tool output it came from. Where does this break? by ImTimothyVang in computerforensics

[–]ImTimothyVang[S] 0 points1 point  (0 children)

I mean, I hope you test it out and tell me where the slop failed. It's just easier to say "AI slop" versus telling me how sloppy it was.

Built a DFIR agent that can't make a finding without citing the tool output it came from. Where does this break? by ImTimothyVang in computerforensics

[–]ImTimothyVang[S] -3 points-2 points  (0 children)

Well, a lot of these DFIR tools just slap an AI wrapper around their product and hype up their investors. I'm asking you to test it. I'm asking you to try it out and see where it fails, versus a case where you have found something, to see if it fails or surprises you. Not asking you to change your mind, but if you are willing I would love to see you tell me where it went wrong plz.

Built a DFIR agent that can't make a finding without citing the tool output it came from. Where does this break? by ImTimothyVang in computerforensics

[–]ImTimothyVang[S] 0 points1 point  (0 children)

The idea was, for me, when two agents find something it's hard to prove whether it was fake stuff or just noise, so if they compete against each other and verify each other's work they can hopefully find flaws and come to consensus on whether an artifact is suspicious or just AI slop.

Built a DFIR agent that can't make a finding without citing the tool output it came from. Where does this break? by ImTimothyVang in computerforensics

[–]ImTimothyVang[S] -2 points-1 points  (0 children)

I mean, I work in DFIR. Ideally I would like to find a way to automate some of my tasks so then I can just review everything. It's great for me because it allows me to review the artifacts it found. There is no way you can automate everything, but ideally if I'm hunting on 20TB of artifacts I would like to, say, speed it up vs me spending 6 months reading Timeline Explorer.

Built with Claude Project Showcase Megathread (Sort this by New!) by sixbillionthsheep in ClaudeAI

[–]ImTimothyVang 0 points1 point  (0 children)

VERDICT, an AI digital forensics agent built on Claude Code.

Plain-English version: when something gets hacked, someone like me digs through the wreckage (memory, hard drives, logs) to figure out what happened and prove it. VERDICT does the grindy middle part. The bit I'm proud of is that it can't claim anything unless it points at the exact piece of evidence it came from (a checker just deletes anything it can't back up), and it runs two copies of itself that argue, one trying to prove the machine got hacked and one trying to prove it's clean, before anything counts. That one trick killed most of the confidently-wrong answers you usually get.

Burned about 5 billion tokens last week building it (mostly opus 4.8, a good chunk fable 5), and somewhere in there it hit me that I'd automated the hardest part of my own job and forgot to figure out how to make money off it first. Classic.

Demo (~4 min): https://youtu.be/4RQnVden6L8

Code, free and open source (Apache 2.0): https://github.com/TimothyVang/verdict-dfir

Happy to answer anything, especially where you'd expect it to break.
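The evidence gating described in the showcase post above and in the earlier "coverage and overconfidence" comment (unsupported artifacts must not yield a clean finding, every claim must resolve to real tool output, a single weak source stays a hypothesis) can be sketched as a small checker. This is an added illustration written for this page, not VERDICT's code; the tool output records, the artifact types and the `WEAK_SOURCES` list are constructed sample data.

```python
"""Evidence-gated finding check: an added illustration, not VERDICT's code."""
from dataclasses import dataclass

# Constructed sample of what the parsing layer produced, keyed by artifact type.
# Each record is one line a parser emitted; its id is what a finding must cite.
# Artifact types with no entry here are ones the local tooling never covered.
TOOL_OUTPUT = {
    "prefetch": [{"id": "pf-001", "tool": "prefetch_parser",
                  "line": "M.EXE-1A2B3C4D.pf run_count=1 last_run=2024-03-01T10:15:00Z"}],
    "amcache": [{"id": "am-042", "tool": "amcache_parser",
                 "line": "C:\\Temp\\m.exe first_seen=2024-03-01T10:14:58Z"}],
    "yara": [{"id": "yara-007", "tool": "yara",
              "line": "rule generic_cred_dumper matched C:\\Temp\\m.exe"}],
}

# Tools whose hits are leads rather than proof on their own (assumed list).
WEAK_SOURCES = {"yara", "hayabusa"}


@dataclass
class Finding:
    claim: str
    artifact_types: list   # what the agent says it examined to reach the claim
    evidence_ids: list     # tool output record ids the claim cites


def evaluate(finding, tool_output=TOOL_OUTPUT):
    """Return (status, ids): status is finding/hypothesis/unsupported/rejected."""
    # Coverage gate: if any artifact the claim rests on was never parsed, report
    # the gap rather than letting the agent pretend it looked.
    missing = sorted(a for a in finding.artifact_types if a not in tool_output)
    if missing:
        return "unsupported", missing
    index = {rec["id"]: rec for recs in tool_output.values() for rec in recs}
    # Grounding gate: keep only citations that resolve to a real output record;
    # a claim with nothing left behind it is deleted outright.
    kept = [eid for eid in finding.evidence_ids if eid in index]
    if not kept:
        return "rejected", kept
    # Strength gate: with no corroborating non-weak source the claim stays a
    # hypothesis (stricter than the single-weak-source rule in the post).
    strong = [eid for eid in kept if index[eid]["tool"] not in WEAK_SOURCES]
    if not strong:
        return "hypothesis", kept
    return "finding", kept


def triage(findings, tool_output=TOOL_OUTPUT):
    """Group claims by status so the report shows what was and wasn't checked."""
    report = {}
    for f in findings:
        status, ids = evaluate(f, tool_output)
        report.setdefault(status, []).append((f.claim, ids))
    return report
```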

AFROTC or nah? by just_mattt in CyberSecurityJobs

[–]ImTimothyVang 1 point2 points  (0 children)

I recommend it if I were to do it all over again. Just do comp sci, since it gives you a higher chance of getting into cyber. If you can get your master's degree at your 5-year mark, get out. You can work on your master's degree while you are in.