Inspiration

Cyber investigations generate massive volumes of logs across endpoints, servers, applications, and cloud environments. Investigators often spend days manually correlating fragmented evidence to reconstruct attack timelines. Modern attackers increasingly exploit legitimate credentials and native system tools, making malicious activity difficult to distinguish from normal behavior.

We were inspired to build a solution that automates forensic triage, preserves evidence integrity, and provides explainable AI-driven insights that investigators can trust.


What it does

Cyber Forensic Triage Software is an AI-powered forensic intelligence platform that transforms fragmented security logs into actionable, legally defensible forensic evidence.

Core Features

  • 🔒 Cryptographically secured log ingestion with SHA-256 hashing
  • 📂 Support for EVTX, JSON, Syslog, and CSV log formats
  • 🤖 AI-powered anomaly and threat detection
  • 📊 Explainable AI (XAI) using SHAP explanations
  • 🔍 Timeline reconstruction and attack correlation
  • 🛡️ Privacy-first local AI copilot using Ollama
  • 📄 Court-ready forensic report generation
  • 📋 Complete chain-of-custody tracking

How we built it

System Architecture

Layer            Technologies
---------------  ------------------------------------
Frontend         Streamlit, Streamlit-AgGrid, Plotly
Backend          FastAPI, Python 3.10+
Log Processing   Drain3, Pydantic
Databases        DuckDB, SQLite, Apache Parquet
AI Layer         Isolation Forest, TF-IDF, SHAP
LLM Layer        Ollama, LangChain
Privacy Layer    Presidio PII Redaction
Security Layer   SHA-256 Hashing, Audit Ledger

Workflow

  1. Secure log ingestion
  2. Cryptographic evidence sealing
  3. Log parsing and normalization
  4. Feature extraction and vectorization
  5. AI-based anomaly detection
  6. Explainable forensic analysis
  7. Timeline reconstruction
  8. Automated forensic reporting
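As an added illustration of the first two workflow steps (this is example code, not the project's own implementation): each ingested log is hashed with SHA-256 and recorded in a hash-chained audit ledger, so that any later change to the evidence or to an earlier custody entry is detectable. Field names, the sample log line and the analyst names are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash recorded by the first ledger entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal fields always hash equally
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


def seal_evidence(ledger: list, name: str, content: bytes, actor: str,
                  action: str = "ingest", timestamp: str = "") -> dict:
    """Hash the evidence and append a chain-of-custody entry linked to the previous one."""
    entry = {
        "seq": len(ledger),
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "actor": actor,                      # who handled the evidence (constructed label)
        "action": action,                    # ingest, analyze, export, ...
        "evidence_name": name,
        "evidence_sha256": sha256_hex(content),
        "prev_hash": ledger[-1]["entry_hash"] if ledger else GENESIS,
    }
    entry["entry_hash"] = _entry_hash(entry)  # seals every field above, including prev_hash
    ledger.append(entry)
    return entry


def verify_ledger(ledger: list, evidence: dict) -> list:
    """Return a list of integrity problems; an empty list means chain and evidence are intact."""
    problems, prev = [], GENESIS
    for i, entry in enumerate(ledger):
        if entry["seq"] != i:
            problems.append(f"entry {i}: sequence gap (found seq {entry['seq']})")
        if entry["prev_hash"] != prev:
            problems.append(f"entry {i}: prev_hash does not match the preceding entry")
        if _entry_hash(entry) != entry["entry_hash"]:
            problems.append(f"entry {i}: ledger fields were modified after sealing")
        name = entry["evidence_name"]
        if name in evidence and sha256_hex(evidence[name]) != entry["evidence_sha256"]:
            problems.append(f"entry {i}: evidence '{name}' no longer matches its sealed hash")
        prev = entry["entry_hash"]
    return problems
```

A ledger like this only proves integrity relative to its first entry, so in practice the latest entry hash is also anchored somewhere the analyst cannot rewrite (a signed export or an append-only store).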

Challenges we ran into

Handling Diverse Log Formats

Security logs originate from multiple systems and vendors. Creating a unified normalization pipeline while preserving forensic accuracy was a major challenge.

Maintaining Evidence Integrity

Ensuring chain-of-custody throughout ingestion, storage, analysis, and reporting required designing a tamper-resistant architecture.

Explainable AI

Security investigators require evidence-backed explanations rather than black-box predictions. Integrating SHAP explanations while maintaining performance was challenging.

Privacy-Preserving AI

Building an AI copilot capable of answering investigator questions without exposing sensitive data to external cloud services required local LLM deployment and PII redaction mechanisms.


Accomplishments that we're proud of

  • Built a complete end-to-end forensic investigation platform.
  • Implemented cryptographically verifiable evidence preservation.
  • Developed AI models capable of detecting previously unseen attack behaviors.
  • Integrated explainable AI for transparent forensic decision-making.
  • Created a privacy-first local AI copilot.
  • Automated generation of court-ready forensic reports.
  • Successfully demonstrated the full workflow from ingestion to final report generation.

What we learned

This project taught us how the following fields intersect:

  • Cybersecurity
  • Digital Forensics
  • Machine Learning
  • Explainable AI
  • Secure System Design
  • Privacy Engineering

We learned that successful forensic investigations require much more than threat detection. Evidence integrity, auditability, explainability, privacy, and legal defensibility are equally important.


What's next for Cyber Forensic Triage Software

We plan to expand the platform with:

  • Real-time SIEM integrations
  • Cloud-native forensic analysis
  • MITRE ATT&CK automated mapping
  • Graph-based attack path reconstruction
  • Enterprise multi-tenant deployments
  • Federated AI learning
  • Real-time incident response recommendations
  • Large-scale SOC integration

Our long-term vision is to create a trusted AI-powered forensic intelligence platform that enables organizations to investigate cyber incidents faster while maintaining the highest standards of evidence integrity and legal admissibility.

Built With

  • ai/ml
  • apache
  • audit-ledger
  • csv
  • cybersecurity
  • digital
  • drain3
  • duckdb
  • evtx
  • explainable-ai-(xai)
  • fastapi
  • isolation-forest
  • json
  • langchain
  • merkle-tree
  • ollama
  • parquet
  • presidio
  • python
  • sha-256
  • shap
  • sqlite
  • streamlit
  • syslog
  • tf-idf