Open Investigator · AI DFIR reporting

Produce incident reports that point back to evidence.

Open Investigator is useful when the desired output is not just an AI summary, but a case directory with structured evidence, command audit records, JSON output, and a readable Markdown report.

Apache-2.0 · Read-only tools · AI evidence reasoning
AI-driven server investigator: incident clues, host evidence, AI follow-up, timeline, and investigation report.

Search intent

For searches like AI DFIR reporting tool, incident investigation report generator, evidence-backed security report, and AI incident report.

How it works

Every run creates artifacts that help responders, managers, and auditors review what was checked and why. The AI can synthesize findings and timelines, but the report remains grounded in host observations and evidence IDs.

Investigation boundary

Open Investigator collects and correlates evidence. It does not isolate hosts, block IPs, kill processes, delete files, disable accounts, restart services, or change firewall or registry state.

Practical workflow

Use it as a first-pass host investigation loop.

01 · evidence.jsonl

Append-only evidence records capture observations from each investigation tool call.

02 · commands.log

Audited command records document what read-only checks were requested and executed.

03 · report.md and report.json

Human-readable and structured reports summarize findings, timeline, affected components, supporting evidence, confidence, and follow-up gaps.
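The value of evidence IDs is that a reviewer can test whether every claim in the report resolves to a recorded observation. The script below is an added example of such a downstream check and is not part of the Open Investigator project; it assumes a hypothetical record layout (evidence.jsonl lines with an "id" field, report.json findings with an "evidence_ids" list) and constructs a small case directory inline, so the real project's schema will differ.

```python
"""Grounding check for an evidence.jsonl / report.json pair.

Added example, not code from the Open Investigator project. Assumed layout:
  - evidence.jsonl: one JSON object per line, each with a unique "id",
    the "tool" that produced it, and a free-text "observation".
  - report.json: a "findings" list; each finding has a "title" and an
    "evidence_ids" list naming the records that support it.
The check flags findings that cite IDs absent from the evidence file
(dangling), findings that cite nothing (ungrounded), and evidence that no
finding uses (uncited), so a reviewer can see where the narrative outran
the observations.
"""
from __future__ import annotations

import json

# Constructed sample evidence, as tool calls might append it (hypothetical values).
SAMPLE_EVIDENCE_JSONL = "\n".join([
    json.dumps({"id": "EV-001", "tool": "list_listeners",
                "observation": "sshd listening on 0.0.0.0:22"}),
    json.dumps({"id": "EV-002", "tool": "read_auth_log",
                "observation": "3 failed root logins from 203.0.113.7"}),
    json.dumps({"id": "EV-003", "tool": "read_crontab",
                "observation": "crontab unchanged since 2024-01-05"}),
])

# Constructed sample report: one grounded finding, one citing a missing
# record, one with no evidence at all.
SAMPLE_REPORT_JSON = json.dumps({
    "findings": [
        {"title": "Brute-force attempts against sshd",
         "evidence_ids": ["EV-001", "EV-002"]},
        {"title": "Possible persistence via cron",
         "evidence_ids": ["EV-404"]},
        {"title": "Attacker exfiltrated data",
         "evidence_ids": []},
    ]
})


def load_evidence(jsonl_text: str) -> dict[str, dict]:
    """Parse JSONL evidence into an id -> record map, rejecting missing or duplicate ids."""
    records: dict[str, dict] = {}
    for lineno, line in enumerate(jsonl_text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rid = rec.get("id")
        if not rid:
            raise ValueError(f"evidence line {lineno} has no id")
        if rid in records:
            # An append-only log should never reuse an id; treat it as corruption.
            raise ValueError(f"duplicate evidence id {rid} at line {lineno}")
        records[rid] = rec
    return records


def check_grounding(report_json: str, evidence_jsonl: str) -> dict:
    """Cross-check every finding's evidence_ids against the evidence log."""
    evidence = load_evidence(evidence_jsonl)
    report = json.loads(report_json)
    dangling: list[tuple[str, str]] = []
    ungrounded: list[str] = []
    cited: set[str] = set()
    for finding in report.get("findings", []):
        ids = finding.get("evidence_ids", [])
        if not ids:
            ungrounded.append(finding["title"])
        for eid in ids:
            cited.add(eid)
            if eid not in evidence:
                dangling.append((finding["title"], eid))
    uncited = sorted(set(evidence) - cited)
    return {
        "dangling": dangling,
        "ungrounded": ungrounded,
        "uncited": uncited,
        "ok": not dangling and not ungrounded,
    }


if __name__ == "__main__":
    print(json.dumps(check_grounding(SAMPLE_REPORT_JSON, SAMPLE_EVIDENCE_JSONL), indent=2))
```

Run against a real case directory by reading report.json and evidence.jsonl from disk in place of the constructed strings; a non-empty "dangling" or "ungrounded" list is the signal that a finding needs either more evidence or removal before the report is shared.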

Common searches

Queries this page answers.

AI DFIR reporting tool · incident investigation report generator · evidence-backed security report · AI incident report

For each of these searches, Open Investigator maps the intent to local, read-only host evidence and a reviewable incident report.

Share report.md for human review and keep report.json/evidence.jsonl for downstream tooling.

The source, usage examples, contribution notes, and issue tracker live in the public Open Investigator repository.