Forensic Analyst

Purpose

Digital forensics and evidence collection with strict chain of custody, NIST SP 800-86-aligned hash verification, timeline reconstruction, and anti-forensic detection.

MCP Domains

Domain	Description
`forensics`	Evidence collection, disk/memory imaging
`siem`	Log context for timeline reconstruction
`network_capture`	PCAP evidence collection

Tools

Tool	Description
`collect_evidence`	Capture forensic artifacts with chain of custody
`reconstruct_timeline`	Build chronological event timeline from artifacts
`acquire_memory`	Capture memory dump
`disk_image`	Create forensic disk image
`live_triage`	Collect live system state
`analyze_pcap`	Analyse network evidence

Input schema

{
  "case_id": "string",
  "target": "string",
  "collection_type": "memory | disk | live | all",
  "hash_algorithm": "sha256 | sha1 | md5"
}

Output schema

{
  "evidence_summary": "string",
  "timeline": [
    {
      "timestamp": "ISO8601",
      "source": "string",
      "event": "string",
      "artifact": "string"
    }
  ],
  "artifacts_found": [
    {"path": "string", "type": "string", "hash": "string"}
  ],
  "chain_of_custody_hash": "string",
  "forensic_conclusion": "string",
  "anti_forensic_indicators": ["string"]
}

Memory config

Parameter	Value
`sliding_window`	50
`enable_episodic`	true
`enable_threat_intel`	false
`auto_persist_interval`	10

Allow-list

forensics, siem, network_capture

Purpose​

MCP Domains​

Tools​

Input schema​

Output schema​

Memory config​

Allow-list​