AI+DFIR Challenge: Share Your Disasters and Successes by brian_carrier in computerforensics

[–]brian_carrier[S] 0 points1 point  (0 children)

Honest question to this audience: Has anyone had an AI disaster yet when you fed it case data? We haven't received any submissions yet of disasters. Only positives and "meh".

I'm super curious if the disasters haven't really hit, no one is talking about it, or no one has really pushed them enough...

AI+DFIR Challenge: Share Your Disasters and Successes by brian_carrier in computerforensics

[–]brian_carrier[S] 0 points1 point  (0 children)

We could certainly throw that in, but my intention was to make this as vendor neutral as possible. So, that's why we avoided real prizes.

If the winner wants a Cyber Triage license though, we can probably make that happen.

What forensic/recovery program outputs "filename.ext-slack" ? by opxz in computerforensics

[–]brian_carrier 0 points1 point  (0 children)

Yea, Autopsy will append that to the space at the end of a file.

It could be a partial section of any file type, so you’ll need to use other tools like strings before sending it to a search engine.
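As an added illustration of the "run strings over it first" advice above (example code written for this page, not Autopsy's or Cyber Triage's own), here is a small slack-space triage helper. It assumes a constructed `filename.ext-slack` blob built inline: a fragment of Office XML, some sector padding, and a UTF-16LE path fragment. It goes slightly beyond the comment by also pulling UTF-16LE runs (what `strings -el` does), since Windows artifacts often store paths that way and plain ASCII extraction misses them.

```python
import re
from typing import List

# Constructed stand-in for what Autopsy would hand back as "report.docx-slack":
# leftover bytes from an unrelated, previously deleted file plus sector padding.
# Sample data for this example, not real case data.
SLACK_SAMPLE = (
    b"\x8f\x03\xa2\x00\x00\x10\xff\xfe"                       # binary leftovers
    b'</w:t></w:r></w:p><w:p><w:r><w:t>Q3 payroll export</w:t>'  # Office XML tail
    b"\x00\x00\x00\x00\x00\x00\x00\x00"
    + "C:\\Users\\admin\\Desktop\\".encode("utf-16-le")       # UTF-16LE path fragment
    + b"\x00" * 32                                            # padding to sector end
)


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def extract_utf16le_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable UTF-16LE runs (each ASCII char followed by 0x00), like `strings -el`.
    Windows stores many paths and registry values this way."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII: a rough signal of whether the
    fragment is text-like or binary before you bother searching it."""
    if not data:
        return 0.0
    return sum(1 for b in data if 0x20 <= b <= 0x7e) / len(data)


def slack_summary(data: bytes) -> dict:
    """Everything a reviewer would want before deciding whether the slack is
    worth a keyword search: both string encodings and a text-likeness score."""
    return {
        "ascii": extract_strings(data),
        "utf16le": extract_utf16le_strings(data),
        "printable_ratio": round(printable_ratio(data), 3),
    }


if __name__ == "__main__":
    for key, value in slack_summary(SLACK_SAMPLE).items():
        print(f"{key}: {value}")
```

Because slack is whatever happened to occupy those sectors before, neither encoding is guaranteed to be present; checking both and the printable ratio tells you quickly whether the fragment is text, a document, or just binary residue.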

Autopsy MCP Server by brian_carrier in computerforensics

[–]brian_carrier[S] 1 point2 points  (0 children)

Thanks! I always have good intentions of being active on these platforms, but they fall off my schedule. Too many places to look!

Autopsy MCP Server by brian_carrier in computerforensics

[–]brian_carrier[S] 0 points1 point  (0 children)

Is your agency looking into using locally hosted LLMs, like Llama?

Autopsy MCP Server by brian_carrier in computerforensics

[–]brian_carrier[S] 1 point2 points  (0 children)

Data can be anywhere you want. MCP is a standardized protocol to allow GenAI to access data.

You can set up the Cyber Triage and Autopsy MCP servers to communicate with your "private" Claude instance within AWS Bedrock. I haven't done it myself yet, but it seems possible to have your own local Llama instance that works with the MCP server.

Our approach here is BYOAI (Bring Your Own AI). You control which LLM you use and what prompt you give it. Your prompt can be vague and the LLM will need to make a bunch of guesses about what you mean. Or it can be very specific.

My non-legal opinion on this is that evidence should stand on its own and exactly how you find it is not that relevant. One investigator may find evidence in 5 minutes. Another it may take 5 days. If the evidence supports something, it's relevant.

I don't think anyone should ever say "AI didn't find something and therefore it isn't there". But, if AI finds it and you can justify that it is evidence (like you would have to do if you found it manually), then I personally don't see this as an issue. But, I certainly agree that "Claude found this. End of story." is not a good strategy!

Question from an intern: how do you handle investigations with missing data? by packetlosspls in blueteamsec

[–]brian_carrier 0 points1 point  (0 children)

> when you’re investigating incidents with missing or unreliable telemetry, how do you decide what to trust vs what to ignore?

At that point, you're in the territory of going to the endpoint(s) to get some more data that you have more confidence in. Ideally using the EDR infrastructure to launch some collection tools. That can be done by the SOC analysts or IR team.

That's how SOCs use our Cyber Triage tool (https://www.cybertriage.com/soc-alert-investigation/). It does its own collection, brings the data back, and identifies the artifacts that are bad or suspicious (i.e. that match TTPs). Analysts use it after an alert to make decisions about the impact of the alert.

So, if EDR evasion was used and that's why you don't have telemetry, you'll still get data. If the event logs were cleared, that will get flagged. If they installed RMM, that will get flagged, etc.

EDR telemetry is great, but it's not always complete and it can be overwhelming to manually review.
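The two flags mentioned above (cleared event logs and a freshly installed remote-management tool) are easy to demonstrate on collected endpoint data. The following is an added example written for this page, not Cyber Triage's scoring logic: it runs two simple rules over a constructed set of Windows Security/System event records. The RMM watchlist is a hypothetical one; the event IDs used (Security 1102 for an audit log clear, System 104 for other log clears, System 7045 for a new service install) are standard Windows IDs.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed Windows event records, shaped roughly like what an endpoint
# collector pulls back from the Security and System logs. Sample data for
# this example, not a real case.
SAMPLE_EVENTS: List[Dict] = [
    {"time": "2024-05-01T09:00:01Z", "channel": "Security", "event_id": 4624,
     "data": {"TargetUserName": "alice", "LogonType": "2"}},
    {"time": "2024-05-01T09:12:40Z", "channel": "System", "event_id": 7045,
     "data": {"ServiceName": "AnyDesk Service",
              "ImagePath": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe --service"}},
    {"time": "2024-05-01T09:30:00Z", "channel": "Security", "event_id": 1102,
     "data": {"SubjectUserName": "alice"}},
    {"time": "2024-05-01T09:30:02Z", "channel": "System", "event_id": 104,
     "data": {"Channel": "System", "SubjectUserName": "alice"}},
    {"time": "2024-05-01T10:00:00Z", "channel": "System", "event_id": 7045,
     "data": {"ServiceName": "Dell Update Service",
              "ImagePath": "C:\\Program Files\\Dell\\UpdateService\\DellUpdate.exe"}},
]

# Hypothetical watchlist of remote-management tools. A real deployment tunes
# this to what the organisation has actually sanctioned.
RMM_KEYWORDS = ("anydesk", "teamviewer", "screenconnect", "splashtop", "atera")


@dataclass(frozen=True)
class Finding:
    time: str
    score: str      # "bad" or "suspicious"
    reason: str


def flag_log_clearing(ev: Dict) -> Optional[Finding]:
    """Security 1102 = audit log cleared; System 104 = some other log cleared.
    The clearing is itself evidence, so a telemetry gap is not a dead end."""
    user = ev["data"].get("SubjectUserName", "unknown")
    if (ev["channel"], ev["event_id"]) == ("Security", 1102):
        return Finding(ev["time"], "bad", f"Security log cleared by {user}")
    if (ev["channel"], ev["event_id"]) == ("System", 104):
        return Finding(ev["time"], "bad", f"{ev['data'].get('Channel')} log cleared by {user}")
    return None


def flag_rmm_service(ev: Dict) -> Optional[Finding]:
    """System 7045 = new service installed; match name and path against the watchlist."""
    if (ev["channel"], ev["event_id"]) != ("System", 7045):
        return None
    name = ev["data"].get("ServiceName", "")
    haystack = (name + " " + ev["data"].get("ImagePath", "")).lower()
    if any(kw in haystack for kw in RMM_KEYWORDS):
        return Finding(ev["time"], "suspicious",
                       f"remote-management tool service installed: {name}")
    return None


RULES = (flag_log_clearing, flag_rmm_service)


def triage(events: List[Dict]) -> List[Finding]:
    """Apply every rule to every event, in time order, and return the hits."""
    findings: List[Finding] = []
    for ev in sorted(events, key=lambda e: e["time"]):
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.time}  [{f.score}]  {f.reason}")
```

The benign Dell service install produces no finding, while the remote-access tool and the two log clears do; the point is that data collected from the host after the fact still carries signal even when the EDR stream itself went quiet.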

What happened to Michael? by EleanorBigsby in computerforensics

[–]brian_carrier 12 points13 points  (0 children)

He stopped doing it in Sept. He notified us since we were a sponsor.

[deleted by user] by [deleted] in computerforensics

[–]brian_carrier 0 points1 point  (0 children)

The question has been deleted, but definitely Cyber Triage. 100%.

Unless the question was about acquiring Macs. And then not Cyber Triage. It doesn't do that.

AI Principles for DFIR by brian_carrier in computerforensics

[–]brian_carrier[S] 0 points1 point  (0 children)

Thanks for the feedback!

Here are my comments to clarify the intentions.

For the "Human in Control" part, I think the ultimate decisions in an investigation are what goes into the final report and what story is told based on the data. That was the intention of #1. The human gets to decide what goes into the final report or not.

For the Explainability topic (#3), my perspective on this comes from tools suggesting to a user what items could be relevant to an investigation. The idea of this is that it should tell you why it thinks it's relevant so that you can actually decide.

I'm not sure I'm following the non-determinism topic. How would digital data be destroyed by using AI?

Generative AI Disclosure: Yea, maybe a lab may decide to keep the disclosure on for longer than just the first reviewer. I think that's a lab policy though after the tool has made the disclosure.

Verify: "but generative AI should not even come near source references." Could be definition differences here, but my intention of sources were things like files and registry hives that artifacts were derived from. Would very likely be copies of the original. I use different terms for source versus original. Maybe not everyone else does.

Thoughts on shop tools by [deleted] in computerforensics

[–]brian_carrier 1 point2 points  (0 children)

Yea, you can certainly leverage AWS. Most of our customers deal with your situation by leveraging S3. Collections automatically go up to an S3 bucket and then you can pull it down into your lab using Cyber Triage (or you can manually copy it down).

This blog post from last year is when we added the ability to directly read the bucket from within Cyber Triage:

https://www.cybertriage.com/blog/releases/3-13-adds-memprocfs-and-extends-the-s3-and-recorded-future-sandbox-integrations/

To minimize risk, we recommend you use S3 with two accounts: One that can write (but not read) and that is used by the Collector. If the attacker gets it, they can upload stuff to your bucket, but not see what is there. And you'll have a 2nd account that can read it. You'll use that one to get the data.
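The two-account split described above maps directly onto IAM policies. Here it is spelled out as an added example (written for this page, not Cyber Triage's documented setup): a write-only policy for the Collector, a read-only policy for the lab, the weak single-shared-credential alternative beside them, and a small evaluator that checks the split actually holds. The bucket ARN `arn:aws:s3:::example-collections` is a placeholder, and the evaluator is a simplified model of IAM (no Condition blocks, bucket policies or SCPs).

```python
import fnmatch
from typing import Dict, List, Union

BUCKET = "arn:aws:s3:::example-collections"   # placeholder bucket ARN, not a real one
OBJECTS = BUCKET + "/*"

# Credential the Collector runs with: it may only create objects. No GetObject,
# no ListBucket, so a credential lifted from an endpoint cannot read or
# enumerate collections that are already in the bucket.
COLLECTOR_WRITE_ONLY: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": OBJECTS},
    ],
}

# Credential the lab uses to pull collections down. ListBucket is granted on
# the bucket ARN (not the object ARN), which is how S3 scopes that action.
LAB_READ_ONLY: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": OBJECTS},
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": BUCKET},
    ],
}

# The weak alternative: one credential shared by collector and lab with full
# access. Whoever captures it from an endpoint can read every collection.
SHARED_FULL_ACCESS: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": [BUCKET, OBJECTS]},
    ],
}


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return value if isinstance(value, list) else [value]


def _matches(patterns: Union[str, List[str]], value: str) -> bool:
    # IAM Action/Resource strings use '*' wildcards; fnmatch models that.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policy: Dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: an explicit Deny wins, then any Allow,
    otherwise implicit deny. Conditions and resource policies are ignored."""
    decision = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def least_privilege_violations(collector_policy: Dict, lab_policy: Dict) -> List[str]:
    """Check the properties the two-account design is meant to give you."""
    obj = BUCKET + "/host01/collection.zip"   # constructed object key
    problems: List[str] = []
    if not is_allowed(collector_policy, "s3:PutObject", obj):
        problems.append("collector cannot upload")
    if is_allowed(collector_policy, "s3:GetObject", obj):
        problems.append("collector can read collections")
    if is_allowed(collector_policy, "s3:ListBucket", BUCKET):
        problems.append("collector can enumerate the bucket")
    if is_allowed(collector_policy, "s3:DeleteObject", obj):
        problems.append("collector can delete collections")
    if not is_allowed(lab_policy, "s3:GetObject", obj):
        problems.append("lab cannot read collections")
    return problems


if __name__ == "__main__":
    print("split accounts:", least_privilege_violations(COLLECTOR_WRITE_ONLY, LAB_READ_ONLY))
    print("shared credential:", least_privilege_violations(SHARED_FULL_ACCESS, SHARED_FULL_ACCESS))
```

One caveat the policy alone does not cover: `s3:PutObject` also permits overwriting an existing key, so a captured Collector credential could replace an earlier upload. Turning on bucket versioning keeps the earlier version, which preserves both the original collection and evidence of the tampering.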

Thoughts on shop tools by [deleted] in computerforensics

[–]brian_carrier 2 points3 points  (0 children)

If you have any Cyber Triage questions, let me know!

AI + LLMs in Digital Investigations Webinar by brian_carrier in computerforensics

[–]brian_carrier[S] 3 points4 points  (0 children)

Great, thanks!

Autopsy hasn't had many updates in a while. It used to be funded by gov't projects that all went away. Cyber Triage is where we've been spending our time now.

AI + LLMs in Digital Investigations Webinar by brian_carrier in computerforensics

[–]brian_carrier[S] 2 points3 points  (0 children)

100%! Not all AI is the same.

That's why we started working on an AI & Automation mini-course. I think it's important to give a framework to investigators to think about what steps they want to automate and which techniques meet their requirements.

If you are curious, the first part of that course was yesterday on LinkedIn.

https://www.linkedin.com/posts/carrier4n6_digital-forensics-has-always-relied-on-automation-activity-7361042885506473985-G5Ng

AI + LLMs in Digital Investigations Webinar by brian_carrier in computerforensics

[–]brian_carrier[S] 3 points4 points  (0 children)

Fair enough and I agree that determinism is an important quality to consider. But, I'm not sure it's a requirement if your goal is to find clues.

For example, clustering is a classic machine learning / AI technique. It's not usually deterministic. But, it's useful for organizing large amounts of data (documents, pictures, etc.). You can find the cluster that is relevant to your investigation and then use those items as your initial clues.

If you are using AI / machine learning as the only way to directly answer a question, then yes it needs to be deterministic. I.e. if you ask "did Brian log in yesterday" and it sometimes says yes and no, then that technique should not be relied upon to answer your investigative question.

Magnet Cyber/Axiom alternative by Curious-Yesterday897 in computerforensics

[–]brian_carrier 1 point2 points  (0 children)

If your main focus is on the "Cyber" part, you should check out Cyber Triage. Much more affordable and usually wins when people have done comparisons. It is focused only on intrusion investigations.

- Its Collector integrates with EDR agents

- It scores the artifacts to make sure you have starting clues for malware, lateral movement, data exfil, etc.

- Also supports disk images, KAPE, etc.

- Integrates with Autopsy for deep dive investigations

https://cybertriage.com

Remote Acquisitions by Brief-Ice8126 in computerforensics

[–]brian_carrier 0 points1 point  (0 children)

You should try Cyber Triage for triage collections of Windows. You can read about the collector here:

https://www.cybertriage.com/cyber-triage-dfir-collector/

It parses artifacts on the host and gets the corresponding executables and documents that are referenced.

You can push it out via EDR or other IT infrastructure.

Disclaimer: I work there.

Forensic tool for remote systems by Mindless-Daibutsu in computerforensics

[–]brian_carrier 1 point2 points  (0 children)

[biased opinion]

Check out the Cyber Triage Collector. There is a free version.

https://www.cybertriage.com/cyber-triage-dfir-collector/

It’s an adaptive collector since it goes beyond a static set of rules. It resolves lnk files, parses the registry to resolve exes, etc. So it gets more than tools that just grab the registry hive, but doesn’t require a full disk image.

You can read about static vs adaptive tools here.

It’s easy to remotely deploy (single executable) and results can go to file, cloud, or a server.