r/dfir

▲ 6 r/dfir+4 crossposts

AI in DFIR is broken and We need to rethink how we use AI in digital forensics .

The forensics community has a massive AI problem. Everyone is rushing to plug language models into their workflows to automate triage. But forensics requires absolute certainty. A language model is built to predict text, not to preserve a chain of custody. When you use a standard AI tool to analyze an endpoint, you are trusting a black box. If it hallucinates a single finding, your entire investigation is compromised.

We need to stop treating AI as an oracle that gives us the final answer. Instead, we must treat it as a heavily restricted junior analyst. It should do the heavy lifting of correlating massive datasets, but it must be mathematically forced to prove its work.

If we want to use AI responsibly in an investigation, we have to change the entire methodology:

Kill the Chat Window: A chat log is flat, unpredictable, and loses context rapidly. We need to use visual, node based workspaces where you can see exactly how a piece of evidence led to a specific conclusion.

Enforce Evidence Anchoring: The AI must be completely sandboxed. It should be programmatically blocked from generating any narrative unless that narrative maps directly back to the raw artifact row, like a specific registry key or Master File Table entry.

Immutable Auditing: Every time the AI touches the evidence, it needs to be cryptographically hashed. We need a permanent paper trail of exactly what the model saw and what it suggested, ensuring the whole process is court defensible.

This philosophy is exactly why we built the Narrative Map in the new 0.12.0 update for Crow Eye. We stepped back from just adding basic AI features and built a shared workspace. The AI is physically unable to mark a claim as proven without citing the exact underlying artifact. Every action is logged in a tamper evident chain. It shifts the power entirely back to the human investigator. The AI accelerates the deep parsing and correlation, but you hold the evidence and make the final call.

I want to know how the rest of the community is handling this. Are you trusting the output of commercial AI tools, or are you demanding to see the raw data behind their conclusions?

You can check out our approach and grab the open source release here: Website:https://croweye.com/

Code:https://github.com/GhassanElsman/CrowEye

Good hunting.

reddit.com
u/Ghassan_- — 5 hours ago
▲ 103 r/dfir+3 crossposts

VMware vTPM-encrypted vmem/vmsn decryption ready for volatility3

Recently I ran into a problem: I needed to analyze a VMware snapshot of a Windows 11 25H2 VM, but the VM had a vTPM, which makes VMware silently encrypt the .vmem/.vmsn/.vmss/.nvram. Volatility just couldn't find the kernel, and I couldn't find any existing tool to decrypt these files for offline analysis.

So I reverse-engineered the format with the help of Claude and wrote one. It's called vmem-decrypt (pure Python):

- Recovers the data-file key from the VM password (PBKDF2 → AES-256-CBC key chain VMware labels everything "XTS-AES-256" but it's actually CBC, which trips up most people).

- Decrypts .vmem/.vmsn/.vmss/.nvram.

- Flattens the decrypted .vmem into a flat, Volatility-ready image. (VMware compresses then encrypts, so it's still in a proprietary checkpoint LZ77 layout)

Workflow: pull the password hash from the .vmx (VM-Password-Extractor) → crack with hashcat (mode 27400) → feed the password to the tool → run Volatility. Full steps + format notes in the README.

Tested on VMware Workstation Pro 26H1 / Win11 25H2 (build 26100), Volatility 3. Feedback welcome, especially snapshots from other VMware versions to test the format against.

Repo: https://github.com/heeeyaaaa/vmem-decrypt

(Yes, I used AI to help build this. It's tested and it works, that's what matters. Happy to walk through any part of how it works.)

u/h_e_e_y_a_a_a — 5 days ago