Login

u/laphilosophia

I am working on a pre-MVP evidence readiness artifact and would value practitioner feedback on the output model.
▲ 2 r/digitalforensics+2 crossposts

I am working on a pre-MVP evidence readiness artifact and would value practitioner feedback on the output model.

Hello. I've shared feedback and blog posts before —some of you may remember-. For some time now, I've been developing a project related to the industry (CS & DFIR/IR), and thanks to the valuable feedback I've gathered from you, I've made significant progress.

I'm now in the phase of pre-MVP validation and gathering expert opinions. Thank you in advance, and I apologize if I've caused any inconvenience.

Question: The artifact is generated from existing security records and public fixture data. It includes source summaries, reliability reasons, limitation statements, manifests, hash lists, and package verification output.

Scope boundaries:

  • it does not claim legal admissibility;
  • it does not prove original source truth;
  • it is not a SIEM, DFIR lab tool, threat detector, or forensic acquisition tool;
  • it focuses on ingestion-onward integrity and handoff clarity.

The question is not "would you buy this product?" The question is whether this kind of package would help during IR, audit, insurance, legal, or internal investigation handoff.

Specific feedback I am looking for:

  1. Are source reliability and limitations clear enough?
  2. Does the artifact separate package integrity from upstream source trust?
  3. What uncertainty is still hidden?
  4. What would make this misleading or unusable in practice?

Artifact repo: https://github.com/tracehound/tracehound-pre-mvp-feedback-artifact Virustotal: https://www.virustotal.com/gui/url/dbdbf56e71c39fcfd158babdbb11b57037fa53b333efa27de619ce919278e66e?nocache=1

u/laphilosophia — 5 days ago
▲ 1 r/cybersecurity

I’m researching forensic readiness workflows around existing security data: WAF logs, SIEM exports, cloud audit logs, EDR alerts, application logs, and similar sources.

Not selling anything, not asking for sensitive data, and not looking for incident details. I’m trying to understand the practical workflow gaps practitioners run into when logs need to become defensible evidence for IR, audit, insurance, legal, or regulatory reporting.

A few questions:

  1. When an incident becomes serious, which log sources usually become the most useful evidence?
  2. Where does the normal SIEM/logging workflow stop being enough?
  3. How do you currently preserve chain of custody or integrity for exported logs?
  4. Do teams actually use WORM storage, signed exports, hash manifests, timestamping, or similar controls in practice?
  5. How do you handle weak provenance cases, such as mutable upstream logs or logs collected after the fact?
  6. What causes the most friction: collection, normalization, retention, integrity verification, correlation, reporting, or handoff to legal/compliance?
  7. When evidence is incomplete or lossy, how is that documented?
  8. What would you expect from a good “forensic readiness” process before an incident happens?

I’m mainly interested in real workflow patterns and failure modes, not vendor recommendations.

reddit.com
u/laphilosophia — 23 days ago
▲ 15 r/computerforensics

I’m researching forensic readiness workflows around existing security data: WAF logs, SIEM exports, cloud audit logs, EDR alerts, application logs, and similar sources.

Not selling anything, not asking for sensitive data, and not looking for incident details. I’m trying to understand the practical workflow gaps practitioners run into when logs need to become defensible evidence for IR, audit, insurance, legal, or regulatory reporting.

A few questions:

  1. When an incident becomes serious, which log sources usually become the most useful evidence?
  2. Where does the normal SIEM/logging workflow stop being enough?
  3. How do you currently preserve chain of custody or integrity for exported logs?
  4. Do teams actually use WORM storage, signed exports, hash manifests, timestamping, or similar controls in practice?
  5. How do you handle weak provenance cases, such as mutable upstream logs or logs collected after the fact?
  6. What causes the most friction: collection, normalization, retention, integrity verification, correlation, reporting, or handoff to legal/compliance?
  7. When evidence is incomplete or lossy, how is that documented?
  8. What would you expect from a good “forensic readiness” process before an incident happens?

I’m mainly interested in real workflow patterns and failure modes, not vendor recommendations.

reddit.com
u/laphilosophia — 23 days ago
▲ 0 r/computerforensics+1 crossposts

SIEM is not enough. Classical DFIR is not the full answer either. And “better logging” is too weak a frame. The real gap is evidentiary continuity in modern, cloud-heavy, application-driven environments.

tracehoundlabs.com
u/laphilosophia — 25 days ago