DFIR Agent
Digital Forensics and Incident Response agent for investigating security incidents and analyzing evidence.
Overview
Agent Name: DFIRAgent
Scan Type: forensics
Credit Cost: 2 credits
Target Types: Evidence files, system images, logs
Capabilities
- Malware artifact detection
- Incident timeline reconstruction
- Persistence mechanism identification
- Data exfiltration analysis
- Compromised credential detection
- Log correlation and analysis
- Memory forensics integration
- Chain of custody documentation
Usage
# Analyze evidence directory
alprina scan ./evidence --type forensics
# Comprehensive investigation
alprina scan ./incident-data --type forensics --profile comprehensive
Analysis Areas
- File system artifacts
- Registry analysis
- Network connections
- Process execution history
- User activity timeline
- Malicious file detection
- Lateral movement indicators
- Data exfiltration patterns
Example Output
{
"scan_id": "scan_dfir202",
"findings": [
{
"severity": "critical",
"category": "malware",
"title": "Backdoor Detected",
"file": "/tmp/systemd-update",
"indicators": {
"file_hash": "a1b2c3d4...",
"c2_server": "evil.com:443",
"persistence": "cron job"
},
"timeline": "2025-01-05 03:14:22 UTC"
}
],
"incident_timeline": [
{
"timestamp": "2025-01-05 03:14:22 UTC",
"event": "Suspicious file created",
"artifact": "/tmp/systemd-update"
}
]
}
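The report above is only useful once its findings are turned into indicators an analyst can pivot on, a single ordered timeline, and a record that the evidence has not changed since it was collected. The following Python script is an added example, not code from the Alprina project: it assumes the report schema is exactly the shape shown in the example output (a "findings" list with "indicators" and a "timeline" string, plus an "incident_timeline" list), and that timestamps use the "YYYY-MM-DD HH:MM:SS UTC" format seen there. The sample report and the evidence files are constructed for the demonstration; a second finding and a second timeline event were added so that sorting and de-duplication actually have work to do.

```python
"""Post-process a DFIR scan report: extract IOCs, merge findings into one
chronological timeline, and hash evidence files for chain of custody.

Added example; the report layout is assumed from the page's sample output."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample report, same shape as the example output on this page,
# with one extra finding and one extra timeline event to exercise ordering.
SAMPLE_REPORT = {
    "scan_id": "scan_dfir202",
    "findings": [
        {
            "severity": "critical",
            "category": "malware",
            "title": "Backdoor Detected",
            "file": "/tmp/systemd-update",
            "indicators": {
                "file_hash": "a1b2c3d4...",
                "c2_server": "evil.com:443",
                "persistence": "cron job",
            },
            "timeline": "2025-01-05 03:14:22 UTC",
        },
        {
            "severity": "high",
            "category": "persistence",
            "title": "Cron entry added",
            "file": "/var/spool/cron/crontabs/root",
            "indicators": {"persistence": "cron job"},
            "timeline": "2025-01-05 03:14:30 UTC",
        },
    ],
    "incident_timeline": [
        {"timestamp": "2025-01-05 03:14:22 UTC",
         "event": "Suspicious file created", "artifact": "/tmp/systemd-update"},
        {"timestamp": "2025-01-05 03:12:01 UTC",
         "event": "SSH login from unusual source", "artifact": "/var/log/auth.log"},
    ],
}


def parse_ts(value):
    """Report timestamps look like '2025-01-05 03:14:22 UTC'; return an aware datetime.
    Anything else is rejected rather than silently mis-ordered."""
    if not value.endswith(" UTC"):
        raise ValueError(f"unexpected timestamp format: {value!r}")
    return datetime.strptime(value[:-4], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def extract_iocs(report):
    """Collect every indicator across findings, grouped by type and de-duplicated."""
    iocs = {}
    for finding in report.get("findings", []):
        for kind, value in finding.get("indicators", {}).items():
            iocs.setdefault(kind, set()).add(value)
    return {kind: sorted(values) for kind, values in iocs.items()}


def build_timeline(report):
    """Merge incident_timeline events and dated findings into one sorted list.
    Sorting is stable, so events with equal timestamps keep insertion order."""
    events = []
    for e in report.get("incident_timeline", []):
        events.append((parse_ts(e["timestamp"]), e["event"], e["artifact"], "timeline"))
    for f in report.get("findings", []):
        if "timeline" in f:
            events.append((parse_ts(f["timeline"]), f["title"], f.get("file", ""), "finding"))
    events.sort(key=lambda ev: ev[0])
    return [{"timestamp": ts.isoformat(), "event": ev, "artifact": art, "source": src}
            for ts, ev, art, src in events]


def evidence_manifest(evidence_dir):
    """SHA-256 every file under evidence_dir (chain-of-custody manifest)."""
    root = Path(evidence_dir)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[str(path.relative_to(root))] = digest.hexdigest()
    return manifest


def verify_manifest(evidence_dir, manifest):
    """Re-hash the tree; return paths whose hash changed or which are now missing."""
    current = evidence_manifest(evidence_dir)
    return sorted(p for p, h in manifest.items() if current.get(p) != h)


def manifest_self_check():
    """Round trip on a constructed evidence tree: pristine copy verifies, then one
    file is altered and the verifier names it. Returns the list of altered paths."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "auth.log").write_text("Jan  5 03:12:01 sshd[411]: Accepted password for root\n")
        (Path(d) / "cron.tab").write_text("* * * * * /tmp/systemd-update\n")
        manifest = evidence_manifest(d)
        assert verify_manifest(d, manifest) == []
        (Path(d) / "cron.tab").write_text("")  # simulate tampering after collection
        return verify_manifest(d, manifest)


if __name__ == "__main__":
    print(json.dumps(extract_iocs(SAMPLE_REPORT), indent=2))
    for ev in build_timeline(SAMPLE_REPORT):
        print(ev["timestamp"], ev["source"], ev["event"], ev["artifact"])
    print("tampered:", manifest_self_check())
```

Run it against a real report with `json.load(open("report.json"))` in place of SAMPLE_REPORT. The manifest should be produced immediately after acquisition and stored (and ideally signed) separately from the evidence, because a hash list kept alongside the files it protects can be rewritten along with them.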