FAQ
No. AIFT never writes to or modifies evidence files. The Dissect framework opens disk images in read-only mode. Integrity is verified through a SHA-256 + MD5 hash chain: hashes are computed on intake and re-verified before report generation. Reports show PASS, FAIL, SKIPPED, or UNAVAILABLE. SKIPPED means hashing was disabled in Settings → Advanced; UNAVAILABLE means verification could not be performed.
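As an added illustration of that intake-then-re-verify flow (not AIFT's own code; the manifest file name and its JSON layout are assumptions), this Python snippet computes both digests on intake and maps the re-verification outcome onto the four report statuses:

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Illustrative hash-chain logic, not AIFT's own implementation. The manifest file
# name and JSON layout are assumptions; the statuses mirror the ones the report shows.

def compute_hashes(path: Path) -> dict:
    """Read the evidence file once, in binary read-only mode; it is never modified."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest()}

def record_intake(path: Path, manifest: Path, hashing_enabled: bool = True) -> dict:
    """Intake step: compute both digests and store them beside the case data."""
    entry = {"file": path.name, "hashes": compute_hashes(path) if hashing_enabled else None}
    manifest.write_text(json.dumps(entry))
    return entry

def verify_before_report(path: Path, manifest: Path) -> str:
    """Re-verify right before report generation and map the outcome to a report status."""
    if not manifest.exists():
        return "UNAVAILABLE"   # no intake record to compare against
    entry = json.loads(manifest.read_text())
    if entry["hashes"] is None:
        return "SKIPPED"       # hashing was disabled at intake
    if not path.is_file():
        return "UNAVAILABLE"   # evidence no longer readable
    # Both digests must match; a single mismatch fails the chain.
    return "PASS" if compute_hashes(path) == entry["hashes"] else "FAIL"

def demo() -> dict:
    """Walk through the four outcomes on a constructed evidence file."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        ev, manifest = d / "disk.E01", d / "intake_hashes.json"
        ev.write_bytes(b"abc")  # constructed stand-in for an evidence image
        intake = record_intake(ev, manifest)["hashes"]
        statuses = [verify_before_report(ev, manifest)]
        ev.write_bytes(b"abd")  # simulate tampering outside the tool
        statuses.append(verify_before_report(ev, manifest))
        record_intake(ev, manifest, hashing_enabled=False)
        statuses.append(verify_before_report(ev, manifest))
        statuses.append(verify_before_report(ev, d / "missing.json"))
        return {"intake": intake, "statuses": statuses}
```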
It depends on your AI provider.
- Claude, OpenAI, or Kimi: Parsed artifact data is sent to the provider's API servers for analysis. The original disk image is never sent. AI-bound data may be column-projected, deduplicated, and narrowed by the optional AI Date Filter, which applies to every artifact selected for AI analysis.
- Local model (Ollama, LM Studio, vLLM): Everything stays on your machine. No data leaves your network. Set `ai.provider` to `local` for fully offline operation.
Choose your provider based on the sensitivity of the evidence.
AIFT is a triage tool that accelerates initial forensic analysis. Every report includes this disclaimer:
"This report was generated with AI assistance. All findings should be independently verified by a qualified forensic examiner before being used in any legal or formal proceeding."
AIFT supports defensibility through: hash-verified evidence integrity, an append-only audit trail, saved prompts for reproducibility, citation spot-checking, and AI confidence ratings (HIGH/MEDIUM/LOW). However, all findings must be independently verified by a qualified examiner before being submitted in any legal, regulatory, or formal proceeding.
Python 3.10 through 3.13 (inclusive).
Python 3.9 and earlier lack required language features. Python 3.14+ is not yet supported due to potential breaking changes in dependencies, particularly the Dissect framework. If you run an unsupported version, AIFT exits immediately with a clear error message recommending Python 3.13.
Linux is fully supported. AIFT automatically detects the OS type when the image is opened and presents the appropriate artifact set. The current prompt-backed registry exposes 60 Windows artifact entries and 44 Linux artifact entries. Linux support covers shell history, authentication data, user and group accounts, sudoers, logs, services, SSH data, package history, network artifacts, process data, and user activity artifacts. Each Linux artifact has dedicated forensic analysis prompts.
macOS is not currently supported. The Dissect framework supports macOS, but AIFT's artifact selection and AI prompts have not yet been built for macOS forensics.
AIFT itself is free. AI provider costs vary:
- Local models: $0 — runs on your own hardware
- Cloud providers: Costs depend on the provider and model. A typical full analysis with multiple artifacts may use 50K–200K tokens. Approximate per-analysis costs range from under $1 to a few dollars depending on the model and amount of artifact data.
You are responsible for your own API key and associated costs.
Yes. AIFT supports multi-image analysis. Click Add Image on the evidence page to add multiple evidence sources to a single case. Each image is processed independently (intake, parsing, per-artifact analysis), and AIFT generates a cross-system correlation that identifies lateral movement, shared IOCs, and a multi-system timeline across all images. You can mix Windows and Linux images in the same case. See Multi-Image Analysis for the full guide.
No. AIFT is a single-process, single-user application. It uses background threads for parsing and analysis but is designed for one active session at a time. Running multiple browser tabs against the same instance may cause unexpected behavior.
All case data is stored locally in the cases/ directory under the project root. Each analysis gets a UUID directory:
Single-image case:

```
cases/<uuid>/
├── audit.jsonl          # Append-only audit trail
├── case.json            # Case metadata
├── images/
│   └── <image_id>/
│       ├── evidence/    # Uploaded evidence files
│       ├── parsed/      # Parsed artifact CSV files
│       └── metadata.json
├── prompts/             # Saved primary analysis prompts
└── reports/             # Generated HTML and JSON reports
```

Multi-image case:

```
cases/<uuid>/
├── audit.jsonl
├── case.json
├── images/
│   ├── <image_1_id>/
│   │   ├── evidence/
│   │   ├── parsed/
│   │   └── metadata.json
│   └── <image_2_id>/
│       ├── evidence/
│       ├── parsed/
│       └── metadata.json
├── prompts/
└── reports/
```
Analysis-input CSVs produced after filtering, projection, and deduplication are written to parsed_deduplicated/ next to the source parsed/ directory. No database is used. All data is in CSV, JSON, and JSONL files on disk.
Yes, in several ways:
- Investigation context — When setting up an analysis, you provide a free-text description of the investigation (dates, suspects, IOCs, what you're looking for). This is included in the AI prompt and directly shapes the analysis focus.
- Artifact column filtering — Edit `config/artifact_ai_columns.yaml` to control which CSV columns are sent to the AI per artifact type. This reduces noise and focuses the AI on forensically relevant fields. See Configuration Reference.
- Prompt templates — The prompt templates in the `prompts/` directory control how the AI is instructed. The system prompt, artifact analysis prompt, chunk merge prompt, and summary prompt can all be reviewed and understood from these files.
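The column projection, deduplication and AI Date Filter that narrow AI-bound data (and produce the parsed_deduplicated/ CSVs), as an added Python illustration that is not AIFT's code; the AI_COLUMNS dict stands in for config/artifact_ai_columns.yaml, whose real schema is an assumption here:

```python
import csv
import io
from datetime import datetime

# Illustrative version of the AI-bound narrowing described above; not AIFT's code.
# AI_COLUMNS stands in for config/artifact_ai_columns.yaml, whose real schema is
# assumed here: artifact name -> list of columns the AI is allowed to see.
AI_COLUMNS = {
    "prefetch": ["ts", "filename", "run_count"],
}

def narrow_rows(artifact, rows, date_from=None, date_to=None):
    """Project to configured columns, apply the optional date filter, drop duplicates."""
    keep = AI_COLUMNS.get(artifact)  # no entry: send every column unchanged
    lo = datetime.fromisoformat(date_from) if date_from else None
    hi = datetime.fromisoformat(date_to) if date_to else None
    seen, out = set(), []
    for row in rows:
        if keep is not None:
            row = {k: row.get(k, "") for k in keep}
        ts = row.get("ts")
        if ts and (lo or hi):
            when = datetime.fromisoformat(ts)
            if (lo and when < lo) or (hi and when > hi):
                continue
        key = tuple(sorted(row.items()))  # duplicates are judged after projection
        if key in seen:
            continue
        seen.add(key)
        out.append(row)
    return out

def narrow_csv(artifact, csv_text, date_from=None, date_to=None):
    """Turn a parsed/ CSV (given as text) into the parsed_deduplicated/ CSV text."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    narrowed = narrow_rows(artifact, rows, date_from, date_to)
    if not narrowed:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(narrowed[0]), lineterminator="\n")
    writer.writeheader()
    writer.writerows(narrowed)
    return buf.getvalue()

# Constructed Prefetch-style CSV: the two CMD.EXE rows differ only in a dropped column.
SAMPLE = """ts,filename,run_count,hash,volume
2024-03-01T10:00:00,CMD.EXE,3,aaa,vol1
2024-03-01T10:00:00,CMD.EXE,3,bbb,vol1
2024-02-01T09:00:00,NOTEPAD.EXE,1,ccc,vol1
"""
```

Calling `narrow_csv("prefetch", SAMPLE)` collapses the two CMD.EXE rows into one, while an artifact with no entry in AI_COLUMNS keeps all three rows because the differing hash column is still present.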
Use path mode. Instead of uploading through the browser, select the local path option in the evidence step and enter the filesystem path to your E01, ZIP, or directory. AIFT reads the evidence directly from disk without copying it, which is faster and avoids browser upload size limits.
If you have a folder containing multiple images or triage packages, use Scan Directory beneath the case name. It scans only the folder path you enter, shows the discovered targets, and creates one local-path image card per target.
You can also set a maximum upload size via Settings → Advanced → Evidence Size Threshold (GB). The default is 0 (unlimited). When set to a positive value, uploads exceeding the threshold are rejected with a suggestion to use path mode.
Pull the latest code and reinstall dependencies:
```
git pull
pip install -r requirements.txt
```

Your existing `config/config.yaml` will be preserved — new default settings are merged automatically on startup. Case data in `cases/` is not affected by updates.