Artificial Intelligence (AI)

Digital forensics and incident response began with low-level tools such as dd and hex editors. Over time the tooling became more complex, automating many of the tasks that the examiner previously did by hand.

Artificial intelligence is the latest extension of this automation. But the fundamental truth remains the same: the human examiner must assess the evidence, determine its meaning in the context of the incident, and let it inform the next steps of the investigation.

Left to its own devices, artificial intelligence can hallucinate, misinterpret, and reach erroneous conclusions.

The human examiner's guidance throughout the entire investigative process remains essential for reviewing each critical finding, determining the next logical investigative step, arriving at fact-based conclusions, and ultimately being responsible for those conclusions. Nonetheless, artificial intelligence can streamline many of the investigative steps, conduct useful research, correlate large amounts of data, and significantly improve the efficiency of the investigative process.

AI technologies are undergoing constant change, and the pace of that change is only going to increase.

Rather than try to maintain continuous updates on the ever-shifting state of this art, we have decided to release our thoughts in code. The Artificial Intelligence Incident Response platform, aiir for short, serves as our current commentary on how best to manage the interaction between artificial intelligence and human examiners. It is a platform for AI-assisted incident investigation that maintains a firm human-in-the-loop grounding throughout. It is in no way perfect, but we hope you will find it informative and possibly helpful in your investigations. We encourage comments and discussion on GitHub so the community can collaborate as we all wrestle with these new realities.

AIIR

AI Incident Response platform with varying levels of human-in-the-loop review and control based on your deployment needs. CLI and architecture reference.

SIFT MCP

Monorepo for all SIFT-side AIIR components. 11 packages: forensic-mcp (12 tools + 14 resources), case-mcp (14 tools), report-mcp (6 tools), sift-mcp (6 tools), sift-gateway, forensic-knowledge, forensic-rag, windows-triage, opencti, sift-common, and case-dashboard. Part of the AIIR platform.

Windows Tools MCP

Catalog-gated Windows forensic tool execution with knowledge-enriched response envelopes.

AIIR Platform Documentation

AIIR (AI-Assisted Incident Response) is a forensic investigation platform that connects LLM clients to forensic tools through MCP (Model Context Protocol) servers. It enforces human-in-the-loop controls, maintains chain-of-custody audit trails, and enriches tool output with forensic knowledge.

What AIIR Does

  • Executes forensic tools (Zimmerman suite, Volatility, Sleuth Kit, Hayabusa, and more) through catalog-gated MCP servers
  • Records findings, timeline events, and investigation reasoning with full audit trails
  • Enforces human approval for all findings before they enter reports
  • Enriches tool output with artifact caveats, corroboration suggestions, and discipline reminders from forensic-knowledge
  • Generates IR reports using data-driven profiles with Zeltser IR Writing guidance
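As an added illustration of the three controls listed above (catalog-gated execution, an audit trail, and human approval before a finding enters a report), the sketch below is example code written for this page, not code from the AIIR project; the catalog contents, tool names, field names and the `Case` class are all constructed for the illustration.

```python
import hashlib
import json

# Constructed catalog for this illustration: only tools listed here may run, each with its artifact caveat.
TOOL_CATALOG = {
    "hayabusa": "Sigma hits are leads, not conclusions; corroborate against the raw EVTX.",
    "vol3.pslist": "Hidden or unlinked processes are missed; cross-check with psscan.",
}

def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class Case:
    def __init__(self, runner):
        self.runner, self.audit, self.findings, self._prev = runner, [], {}, "0" * 64

    def _log(self, event, **fields):
        # Every gated action is appended with the previous entry's hash, so later edits break the chain.
        entry = {"event": event, "prev": self._prev, **fields}
        entry["hash"] = self._prev = _digest(entry)
        self.audit.append(entry)

    def run_tool(self, tool, args):
        # Catalog gate: a request for anything not in the catalog is refused and the refusal logged.
        if tool not in TOOL_CATALOG:
            self._log("tool_denied", tool=tool, args=args)
            raise PermissionError(f"{tool} is not in the tool catalog")
        output = self.runner(tool, args)
        self._log("tool_run", tool=tool, args=args, output_sha256=hashlib.sha256(output.encode()).hexdigest())
        return {"tool": tool, "output": output, "caveat": TOOL_CATALOG[tool]}  # knowledge-enriched envelope

    def propose_finding(self, text, source_tool):
        fid = f"F{len(self.findings) + 1}"
        self.findings[fid] = {"id": fid, "text": text, "source": source_tool, "approved_by": None}
        self._log("finding_proposed", id=fid, source=source_tool)
        return fid

    def approve_finding(self, fid, reviewer):
        self.findings[fid]["approved_by"] = reviewer
        self._log("finding_approved", id=fid, reviewer=reviewer)

    def report(self):
        # Only human-approved findings are asserted; the rest are merely counted as pending review.
        approved = [f for f in self.findings.values() if f["approved_by"]]
        return {"findings": approved, "pending_review": len(self.findings) - len(approved)}

    def audit_intact(self):
        chain = ["0" * 64] + [e["hash"] for e in self.audit]
        return all(e["prev"] == chain[i] and e["hash"] == _digest({k: v for k, v in e.items() if k != "hash"})
                   for i, e in enumerate(self.audit))
```

The `runner` callable stands in for whatever actually executes the forensic tool; `audit_intact()` returns `False` as soon as any recorded entry is altered after the fact.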
Copyright © APPLIED INCIDENT RESPONSE. All Rights Reserved.