AI Forensic Query Guide
AI Forensic Query Guide#
AI forensic analysis starts with ordinary language instead of a specialist query language. Strong questions define the investigation goal, target, time range, and expected output, then narrow the answer through follow-up questions.
Broad Questions That Work Well#
| Goal | Example Question | Expected Result |
|---|---|---|
| Incident traces | "Find signs of compromise in this case" | Execution, account, network, persistence, and evasion evidence |
| Exfiltration | "Check whether there are signs of external data leakage" | USB, cloud, archive, mass access, and outbound network review |
| Personal data exposure | "Find access or transfer traces involving personal data" | File names, paths, access times, storage and network context |
| Insider risk | "Look for suspicious activity on this departing employee PC" | Night activity, USB usage, mass access, account changes, deletion traces |
| Malware infection | "Find evidence that suggests malware infection" | Execution traces, autoruns, suspicious processes, IOCs, MITRE mapping |
| AI usage traces | "Check for AI tool usage or AI coding traces" | Browser, coding tool, project change, download, and execution context |
Follow-Up Flow#
1. Find signs of compromise in this case.
2. Narrow the findings to items related to external data leakage.
3. Reconstruct the timeline around the top three time windows.
4. Show user accounts, executed files, and network connections in those windows.
5. Summarize this with evidence citations for a report.
What Improves Query Quality#
- Time: "after 18:00 yesterday", "30 minutes before and after USB connection"
- Target: username, filename, folder, IP, domain, hash, process name
- Action: execute, copy, delete, archive, upload, login, change privilege
- Judgment: ask to separate confirmed evidence from inferred context
- Format: ask for a timeline, table, report summary, or next-step list
Weak vs Strong Questions#
| Weak | Better |
|---|---|
| "Anything weird?" | "Find incident-related execution, USB, and outbound network activity during off-hours in the last 7 days" |
| "Was data leaked?" | "Check whether document-folder access was followed by USB connection, archive creation, or cloud access" |
| "Is it malware?" | "Evaluate malware infection likelihood using execution traces, autoruns, outbound connections, and file changes" |
How to Verify Answers#
- Open cited evidence and review the original artifact.
- Check before-and-after events in the timeline.
- Use manual review to confirm path, user, hash, and raw log context.
- Separate confirmed evidence from inference in the report.
- Have a qualified examiner verify original evidence before legal use.
Next Steps#
Continue in the service
Move from this guide into a sample workflow or the relevant upload surface. Upload real evidence only when you have lawful authority.