Case IP KVM
The second bundled case study. Demonstrates dart-agent solving a physical-access insider-threat scenario where an authorized user with legitimate credentials uses an out-of-band IP-KVM channel to access systems outside their normal pattern.
This is the original case the senior-analyst playbook (senior-analyst-v1.yaml) was tuned for.
A medium-sized company has a server room with IP-KVM (network-attached keyboard/video/mouse) for remote-hands operations. An authorized contractor uses their legitimate VPN + IP-KVM credentials to access servers — but does so outside their assigned engagement window, from an unfamiliar IP, and touches systems unrelated to their work order.
The challenge for the agent: the contractor's actions look legitimate in every individual artifact. There are no malware signatures, no failed logins, no obvious lateral movement. The case must be made by correlating low-signal evidence across artifacts.
| Artifact | Contents |
|---|---|
| `vpn_logs.csv` | Successful VPN logins from the contractor's account |
| `ipkvm_audit.csv` | IP-KVM session start/end times, target machines |
| `windows_security.evtx.csv` | Windows logon events on the touched servers |
| `usb_history.csv` | USB device insertion records on the IP-KVM-controlled machines |
| `process_tree.csv` | Process trees during the suspected sessions |
| `mft_subset.csv` | Subset of the file servers' MFT |
| `case-overview.md` | Operator notes (no ground-truth findings — those come at the end) |
| `ground-truth.json` | The 12 findings the agent must surface |
- Loads case context — `case_class: insider_threat_remote_hands`. Initial hypothesis: anomalous out-of-band access.
- Calls `analyze_windows_logons` on each target server. Surfaces logon-type-3 events with the contractor's account at unusual hours.
- Calls `analyze_usb_history` on the IP-KVM-controlled machines. Surfaces a USB Kingston DataTraveler insertion that was not in the contractor's approved tool list.
- Calls `correlate_events` to join VPN sessions × IP-KVM sessions × USB insertions. `dart-corr` flags:
  - VPN session ended at 22:14
  - IP-KVM session continued until 22:47
  - USB inserted at 22:31, 17 minutes after the contractor's VPN was already gone
- The agent recognizes the contradiction: someone else was using the contractor's IP-KVM credentials after they left the VPN. Or the contractor handed off the session.
- Hypothesis revised. Calls `get_process_tree` for the 22:14-22:47 window. Surfaces credential dumps and unauthorized data access.
- Final report cites all 12 ground-truth findings with `audit_id`s.
- No malware signatures — pure behavioral analysis. The agent must reason from first principles.
- Cross-artifact correlation is mandatory — single-artifact analysis would conclude "everything looks normal".
- Time-proximity matters — `dart-corr` time-window joins are load-bearing.
- The contradiction is physical — VPN session ended at T, IP-KVM session continued past T. The contradiction is mechanically detectable by `dart-corr`, not subjective.
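The time-window contradiction described above, as an added example that is not dart-corr's own code: a minimal Python join over constructed VPN, IP-KVM and USB records that flags an IP-KVM session outliving the VPN session it should ride on, and any USB insertion inside that orphaned window. The dataclasses, the user name, the host name and the exact timestamps are assumptions; only the clock times 22:14, 22:31 and 22:47 come from the case write-up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Session:          # one VPN or IP-KVM session for a user (assumed shape)
    user: str
    start: datetime
    end: datetime

@dataclass(frozen=True)
class UsbInsert:        # one USB insertion on an IP-KVM-controlled host (assumed shape)
    host: str
    device: str
    at: datetime

def ts(hhmm: str) -> datetime:
    # Constructed timestamps on one day; only the clock times matter here.
    h, m = (int(x) for x in hhmm.split(":"))
    return datetime(2024, 1, 15, h, m)

# Constructed sample records mirroring the times in the case write-up
# (user, host and device names are assumptions, not taken from the case data).
VPN_SESSIONS = [Session("contractor01", ts("19:02"), ts("22:14"))]
KVM_SESSIONS = [Session("contractor01", ts("19:05"), ts("22:47"))]
USB_INSERTS = [UsbInsert("fs-02", "Kingston DataTraveler", ts("22:31"))]

def correlate(vpn, kvm, usb, grace=timedelta(minutes=2)):
    """Flag IP-KVM activity that outlives the VPN session that should carry it.

    For each IP-KVM session, find an overlapping VPN session for the same user.
    If the KVM session runs past the VPN end (plus a small grace for clock skew
    and teardown), nothing in the VPN log accounts for the remaining access, so
    the orphaned window is reported along with any USB insertion inside it.
    """
    findings = []
    for k in kvm:
        for v in vpn:
            if v.user != k.user or k.start > v.end or k.end < v.start:
                continue  # different user or no time overlap
            if k.end <= v.end + grace:
                continue  # KVM ended with (or before) the VPN: consistent
            findings.append({"kind": "kvm_outlives_vpn", "user": k.user,
                             "vpn_end": v.end, "kvm_end": k.end})
            for u in usb:
                if v.end + grace < u.at <= k.end:
                    mins = int((u.at - v.end).total_seconds() // 60)
                    findings.append({"kind": "usb_after_vpn_end", "host": u.host,
                                     "device": u.device, "minutes_after_vpn_end": mins})
    return findings
```

Run against the constructed records it returns two findings: the KVM session outliving the VPN, and the USB insertion 17 minutes after VPN teardown; shrinking the KVM session to end before 22:14 returns nothing.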
Recall: 1.000 (12 / 12 ground-truth findings)
False positive rate: 0.000 (0 unsupported claims)
Hallucination count: 0
Evidence integrity: preserved (8 files, all SHA-256 unchanged)
Iterations to verdict: 5
Total MCP calls: 14
Audit chain verified: yes
See Accuracy for the methodology.
```bash
git clone https://github.com/Juwon1405/agentic-dart.git
cd agentic-dart
export DART_EVIDENCE_ROOT="$PWD/examples/case-studies/case-01-ipkvm-insider"
export PYTHONPATH="$PWD/dart_audit/src:$PWD/dart_mcp/src:$PWD/dart_agent/src"
python3 -m dart_agent --case ipkvm-01 --max-iterations 25
```

After the run completes:

```bash
# Verify chain integrity
python3 -m dart_audit verify audit/ipkvm-01.jsonl
# Trace a finding back to evidence
python3 -m dart_audit trace audit/ipkvm-01.jsonl F-013
```

`dart_playbook/senior-analyst-v1.yaml` includes a `next_call_decisions` rule:

```yaml
- when_state: "no USB history yet AND case_class includes physical access"
  call: analyze_usb_history
  confidence_gain: 0.20
```

The playbook is the only place the rule "look at USB history early in physical-access cases" lives. It's data, not Python — operators can fork the playbook for their own case classes without touching code.
- Case-PtH-Timestomp — the headline case study
- dart-playbook — how playbooks work
- dart-corr — the correlation engine
- Writing case studies — how to add a new bundled case
Agentic-DART — autonomous DFIR agent · architecture-first, not prompt-first · MIT license · github.com/Juwon1405/agentic-dart