AI Forensic Methodology

AI forensics follows the data through a path that traditional forensics does not cover: input to context window, context window to model processing, model processing to output, output to guardrail evaluation, and guardrail evaluation to user delivery. Each transition point is a forensic checkpoint. The investigation reconstructs what happened at each checkpoint to determine where the attack succeeded and where the defenses held.

1. Input Analysis Examine the input that triggered the incident. Was it a direct injection, an indirect injection embedded in external content, or a multi-turn escalation? Reconstruct the exact input sequence from the preserved logs.
2. Model Behavior Analysis Compare the model's response to the expected behavior for the given input. Did the model follow injected instructions? Did it reveal system prompt content? Did it invoke tools outside its authorized scope? The model's behavior during the incident tells you which defense layer failed.
3. Output and Impact Analysis Determine what the model produced and what reached the user. Did the output guardrails catch any part of the exploit? Was sensitive data included in the output? Were tool actions executed? The gap between what the model produced and what reached the user reveals how much the guardrails mitigated.