Forensic Lab Guide
Forensic Lab Guide#
This guide covers how to use unJaena AI's core feature -- Forensic Lab -- to quickly and accurately analyze collected evidence. Through natural language queries, you can discover meaningful evidence from tens of thousands of artifacts and review indicators such as emails, IPs, domains, URLs, and file hashes alongside case evidence.
What is Forensic Lab?#
Forensic Lab automatically examines collected digital evidence (registry, Prefetch, EventLog, browser history, USB records, etc.) to identify key evidence, perform chronological reconstruction, threat classification, and correlation analysis.
Key Features#
- Natural language queries: Ask questions in everyday language without specialized query syntax
- Semantic search: Automatically find related evidence based on meaning, not just keywords
- MITRE ATT&CK mapping: Automatically classify detected threats by kill-chain phases
- Evidence citations: Every analysis result includes specific evidence source references
- Evidence relationship review: Connect case-derived emails, IPs, domains, URLs, and file hashes to original evidence
- Multi-language support: Natural-language queries and artifact search across multiple languages
Starting an Analysis#
Step 1: Select a Case#
- Select the case you want to analyze from the dashboard.
- Confirm the case status shows Ready for Analysis.
- Data upload and indexing must be complete before AI analysis is available.
- Click the AI Analysis tab to navigate to the analysis page.
Step 2: Choose an Analysis Method#
unJaena AI provides four analysis methods. Choose the appropriate method based on your objectives.
Four Analysis Methods#
AI Analysis#
The most powerful analysis method. Through natural language queries, the AI searches evidence and generates comprehensive analysis reports.
Best for:
- Investigating specific suspicious activities
- Getting an overall overview of an incident
- Analyzing correlations between multiple artifact types
- Performing kill-chain analysis
How to use:
- Enter your question in the AI Analysis tab.
- The AI searches for and analyzes relevant evidence.
- Analysis results stream in real time.
- Ask follow-up questions for deeper analysis.
Manual Review#
Directly browse and review collected artifacts.
Best for:
- When you want to examine specific artifacts firsthand
- Manually reviewing data from a specific time period
- Verifying original evidence behind AI analysis results
How to use:
- Navigate to the Manual Review tab.
- Filter by artifact type (Registry, Prefetch, EventLog, etc.).
- Set a time range to view data for a specific period.
- Review individual artifact details.
Timeline Profiler#
Visualize the entire system activity chronologically to detect anomalies.
Best for:
- Understanding the temporal flow of an incident
- Detecting activity during abnormal hours (nighttime, weekends)
- Analyzing temporal relationships between multiple events
How to use:
- Navigate to the Timeline Profiler tab.
- Set the analysis period.
- Review activity patterns on the visualized timeline.
- Click on sections where anomalous activity is detected for detailed information.
Evidence Relationship Review#
Evidence relationship review connects emails, IPs, domains, URLs, and file hashes extracted from case evidence to original artifacts, timelines, and malware IOCs. Treat the result as a relationship map, not a final conclusion; corroborate it with AI analysis, manual review, and timeline evidence before making attribution or legal findings.
Best for:
- Checking whether an IP or domain is tied to malware IOCs
- Reviewing whether an email, username, or file hash repeatedly appears in case evidence
- Connecting malware IOCs to network and file evidence inside the case
- Checking whether the same identifier repeats across cases
How to use it:
- Review key indicators in AI Analysis or Timeline.
- Inspect original artifacts, files, accounts, and timestamps connected to each indicator.
- Recheck confirmed leads against original evidence in AI Analysis, Manual Review, and Timeline.
Unsupported scope:
- Private-account access, credential use, or access-control bypass
- Real-time location tracking or Tor deanonymization
- Collection or storage of raw breach dumps, passwords, tokens, or session cookies
Using Natural Language Queries#
The core of AI analysis is natural language queries. You can ask questions in everyday language without knowing specialized terminology.
Query Examples#
Basic queries:
- "Were there any suspicious activities on this system?"
- "Show me USB device connection records"
- "List all programs executed in the past 7 days"
Specific investigation queries:
- "Were any files copied to external storage after 2:00 PM on March 15, 2026?"
- "Was PowerShell executed at abnormal times?"
- "Find traces of deleted files"
Threat analysis queries:
- "Perform a kill-chain analysis of this system"
- "Find evidence suggesting possible malware infection"
- "Are there traces of communication with C2 servers?"
- "Analyze evidence related to insider threats"
Cross-analysis queries:
- "Analyze whether any files were downloaded after USB connection"
- "Show suspicious activities that occurred after a new account was created"
- "List files accessed after remote connection, in chronological order"
Evidence relationship queries:
- "Check whether IPs and domains extracted from this case are known malicious infrastructure"
- "Track whether the discovered email addresses appear in other case evidence or other cases"
- "Compare the malware file hash with execution traces inside the case"
Using Follow-Up Questions#
The AI maintains previous conversation context. Leverage follow-up questions based on initial analysis results.
First question: "Show me USB connection records"
-> AI: Found 3 USB connection events (3/15 14:32, 3/16 09:15, 3/18 22:47)
Follow-up: "Analyze file activity within 30 minutes before and after the March 15 USB connection"
-> AI: 5 document files were accessed immediately after USB connection, 3 of which were copied to USB
Follow-up: "Show detailed information about the 3 copied files and related user activity"
-> AI: Provides detailed analysis results
Understanding the AI Analysis Report#
AI analysis results are provided in the following structure.
Findings Summary#
Key findings identified in the analysis are organized by priority. Each finding includes related evidence and its significance.
Evidence Citations#
All analysis results include evidence citations in the format [Evidence #N]. This allows you to verify which actual evidence supports each AI claim.
Example:
A USB device (SanDisk Extreme, S/N: 4C530001) was connected at
2026-03-15 14:32:18 [Evidence #1]. Immediately after connection,
access to 'ProjectX_Final.docx' was detected at 14:35:42
[Evidence #2]. This file was copied to the external drive at
14:37:05 [Evidence #3].
Clicking each [Evidence #N] lets you view the original artifact data. This enables you to:
- Directly verify the accuracy of AI analysis.
- Review the full content of the original artifact.
- Identify evidence requiring further investigation.
Timeline#
Discovered events are reconstructed chronologically so you can understand the flow of the incident. Activity during anomalous hours (nighttime, weekends) is highlighted separately.
Confidence Indicators#
AI analysis results include confidence levels for each determination:
| Confidence | Meaning | Recommended Action |
|---|---|---|
| Confirmed | Clearly supported by artifact evidence | Include in report |
| Highly Likely | Supported by multiple indirect evidence | Additional confirmation recommended |
| Requires Further Investigation | Only partial evidence confirmed | Conduct in-depth investigation |
MITRE ATT&CK Kill-Chain Mapping#
AI analysis automatically maps detected threat activities to the MITRE ATT&CK framework. MITRE ATT&CK is an internationally standardized framework that systematically classifies cyber attack tactics and techniques.
Kill-Chain Phases#
Major attack phases identified in the analysis:
| Phase | Description | Detection Examples |
|---|---|---|
| Initial Access | Initial entry point | Phishing emails, malicious downloads |
| Execution | Malicious code execution | Suspicious process execution records |
| Persistence | Maintaining foothold | Registry autorun key registration |
| Privilege Escalation | Elevating permissions | Administrator account acquisition attempts |
| Defense Evasion | Avoiding detection | Log deletion, timestamp manipulation |
| Credential Access | Accessing credentials | Browser saved data access |
| Discovery | Information gathering | System information collection commands |
| Lateral Movement | Spreading internally | Remote desktop connection records |
| Collection | Data gathering | Mass access to specific folders |
| Command & Control | C2 communication | Suspicious external connections |
| Exfiltration | Data theft | Mass USB/cloud copy activity |
| Impact | Damage | File encryption, system modification |
Using Kill-Chain Analysis#
Kill-chain mapping results allow you to:
- Identify the current stage of an attack.
- Predict stages not yet executed for proactive response.
- Connect evidence across stages to build the complete attack picture.
Multi-Language Analysis#
unJaena AI can analyze natural-language queries and artifact content across multiple languages, separate from the default UI and report languages. AI responses primarily follow the analysis language configured for the case.
How It Works#
| Capability | Behavior |
|---|---|
| Natural-language queries | Interprets the meaning of the investigator's input and converts it into search intent |
| AI responses | Primarily follows the analysis language configured for the case |
| Artifact search | Searches evidence content across multiple languages |
Cross-Language Search#
Regardless of the query language, the AI searches artifacts across all languages. For example:
- Asking "Find malware traces" in English will search both English event logs and Korean user activity for relevant evidence.
- Asking in Japanese applies the same search scope.
Tips for Effective Queries#
Be Specific#
Not recommended: "Is there anything weird?"
Recommended: "Show me suspicious activities that occurred during nighttime (10 PM - 6 AM) in the past 7 days"
Specify Time Ranges#
Specifying a time period yields more precise results.
"Analyze USB activity from March 15 to March 20, 2026"
"Find suspicious processes executed in the past 48 hours"
Specify Artifact Types#
Targeting specific analysis subjects enables more focused analysis.
"Show me failed login attempts from EventLog"
"Find programs executed at abnormal times from Prefetch"
"Check items registered for autorun in the Registry"
Request Cross-Analysis#
Analyzing relationships between multiple artifact types provides deeper insights.
"Cross-analyze USB connection timing with file download records"
"Show network activity around the time a new service was installed"
Drill Down Progressively#
Start with a broad scope and gradually narrow down.
Step 1: "Evaluate the overall security posture of this system"
Step 2: "Analyze the suspicious Prefetch files discovered in more detail"
Step 3: "Are there any network connection records related to that executable?"
Frequently Asked Questions (FAQ)#
Q: Can AI analysis results be used as legal evidence?#
AI analysis results are an assistive tool for setting investigation direction and identifying key evidence. For use as legal evidence, verification and confirmation by a professional forensic analyst is required. Do not use AI output alone for court submission, employment or disciplinary action, criminal referral, or financial claims; verify the original evidence and acquisition process separately. You can directly verify the original artifacts through the evidence citations ([Evidence #N]) provided by the AI.
Q: Can the AI produce incorrect analysis?#
The AI analyzes based solely on actual collected evidence, but interpretation accuracy is not 100%. To address this:
- Evidence citations are included for every claim.
- Confidence indicators are provided (Confirmed / Highly Likely / Requires Further Investigation).
- Users can directly verify original evidence.
Q: How long does analysis take?#
It depends on query complexity, but generally:
- Simple queries: 30 seconds to 1 minute
- Complex analysis: 1 to 2 minutes
- Full kill-chain analysis: 2 to 3 minutes
Results stream in real time, so you can review partial results before the full analysis is complete.
Q: Can I review previous analysis results?#
Yes, all analysis conversations are saved per case. You can review questions and results from previous analysis sessions at any time.
Q: How is data security ensured?#
- All data is stored in per-user isolation.
- AES-256-GCM encryption is applied during transit and at rest.
- Data is processed for deletion when the retention period for your plan expires.
- You cannot access other users' cases.
Q: Can I analyze only specific artifact types?#
Yes, specifying a particular artifact type in your query focuses the analysis on that type. You can also filter by artifact type in the Manual Review tab for direct examination.
Q: Can I export analysis results?#
You can export analysis results as PDF or share them with team members. Exported reports include AI analysis results, evidence citations, and timelines.
Next Steps#
- Collector Guide: Detailed collection methods for each platform
- Malware Lab Guide: Malware analysis using YARA/CAPA/Ghidra
Continue in the service
Move from this guide into a sample workflow or the relevant upload surface. Upload real evidence only when you have lawful authority.