Case IP KVM

Case study — IP-KVM remote-hands insider

The second bundled case study. Demonstrates dart-agent solving a physical-access insider-threat scenario where an authorized user with legitimate credentials uses an out-of-band IP-KVM channel to access systems outside their normal pattern.

This is the original case the senior-analyst playbook (senior-analyst-v1.yaml) was tuned for. The next_call_decisions rule shown below was first encoded in v1; it is carried forward unchanged in v2 and v3 (current default).

---

The scenario

A medium-sized company has a server room with IP-KVM (network-attached keyboard/video/mouse) for remote-hands operations. An authorized contractor uses their legitimate VPN + IP-KVM credentials to access servers — but does so outside their assigned engagement window, from an unfamiliar IP, and touches systems unrelated to their work order.

The challenge for the agent: the contractor's actions look legitimate at every individual artifact. There are no malware signatures, no failed logins, no obvious lateral movement. The case must be made by correlating low-signal evidence across artifacts.

---

The artifacts (bundled in examples/sample-evidence/)

The case runs against the bundled, byte-stable sample evidence — a categorized, read-only tree in the evidence_root/ shape the agent consumes:

Category	Contents
disk/	Amcache, $MFT, process lists, security events
logs/	Windows Security event log (.evtx + parsed CSV)
macos/, mac/	UnifiedLog, FSEvents, KnowledgeC (cross-platform reach)
memory/	memory-image metadata
web/, linux/	web-access and Linux artifacts

Ground truth lives in the case's truth.json — 5 findings (F-001 through F-005). The measured baseline below traces F-001 (the IP-KVM insertion) and F-013 (the USB-vs-logon contradiction).

---

What the agent does

1. Loads case context — case_class: insider_threat_remote_hands. Initial hypothesis: anomalous out-of-band access.

2. Calls analyze_windows_logons on each target server. Surfaces logon-type-3 events with the contractor's account at unusual hours.

3. Calls analyze_usb_history on the IP-KVM-controlled machines. Surfaces a USB Kingston DataTraveler insertion that was not in the contractor's approved tool list.

4. Calls correlate_events to join VPN sessions × IP-KVM sessions × USB insertions. dart-corr flags:

   • VPN session ended at 22:14
   • IP-KVM session continued until 22:47
   • USB inserted at 22:31, 17 minutes after the contractor's VPN was already gone

5. The agent recognizes the contradiction: someone else was using the contractor's IP-KVM credentials after they left the VPN. Or the contractor handed off the session.

6. Hypothesis revised. Calls get_process_tree for the 22:14-22:47 window. Surfaces credential dumps and unauthorized data access.

7. Final report cites all 5 ground-truth findings with audit_ids.

---

Why this case is good for testing the architecture

• No malware signatures — pure behavioral analysis. The agent must reason from first principles.
• Cross-artifact correlation is mandatory — single-artifact analysis would conclude "everything looks normal".
• Time-proximity matters — dart-corr time-window joins are load-bearing.
• The contradiction is physical — VPN session ended at T, IP-KVM session continued past T. The contradiction is mechanically detectable by dart-corr, not subjective.

---

Measured accuracy

Recall:                 1.000
False positive rate:    0.000
Hallucination count:    0
Evidence integrity:     preserved (67 files, all SHA-256 unchanged)
Iterations to verdict:  5
Audit chain entries:    3 (verified)

See Accuracy for the methodology.

---

Reproducing

git clone https://github.com/Juwon1405/agentic-dart.git
cd agentic-dart

# Full reproduction — deterministic, no API key, under 5 seconds
bash examples/demo-run.sh

After the run completes (output lands in examples/out/find-evil-ref-01/):

# Verify chain integrity
python3 -m dart_audit verify examples/out/find-evil-ref-01/audit.jsonl

# Trace a finding back to evidence (the "3 clicks" claim)
python3 -m dart_audit trace examples/out/find-evil-ref-01/audit.jsonl F-013
python3 -m dart_audit trace examples/out/find-evil-ref-01/audit.jsonl F-001

---

How the playbook was tuned for this case

dart_playbook/senior-analyst-v1.yaml includes a next_call_decisions rule:

- when_state: "no USB history yet AND case_class includes physical access"
  call: analyze_usb_history
  confidence_gain: 0.20

The playbook is the only place the rule "look at USB history early in physical-access cases" lives. It's data, not Python — operators can fork the playbook for their own case classes without touching code.

---

See also

• Case-PtH-Timestomp — the headline case study
• dart-playbook — how playbooks work
• dart-corr — the correlation engine
• Writing case studies — how to add a new bundled case