
History

Revisions

  • wiki: naturalize hardcoded counts (Source of Truth lives in README Hero)

    Following the same Single-Source-of-Truth cleanup applied to the main repo: wiki pages no longer hardcode '67 typed functions / 42 native + 25 SIFT adapters / 10 of 12 MITRE / 55 tests / 1182 lines'. Phrasing shifts to 'the typed MCP surface', 'native + SIFT adapters', 'broad MITRE enterprise tactic coverage'.

    Phase-1.md historical version table preserves period-specific numbers (v0.3 = 31 functions, v0.4 = 35 native, v0.5 = 60 functions) because those are historical facts about what shipped on those dates, not claims about current state.

    The canonical exact name set continues to live in tests/test_mcp_surface.py — the only place that needs editing when a function is added or removed.

    @Juwon1405 Juwon1405 committed May 14, 2026
    6be2ec8
  • wiki: sweep stale 35-native / 60-total counts to current 42 / 67

    16 wiki pages had pre-v0.6.0 numeric references that survived earlier QA rounds. Surface count was bumped 60 -> 67 in v0.6.0 (six new supply-chain IOC functions in dart_mcp._v05_supply_chain), and native count went 35 -> 42, but a number of wiki pages still showed the old numbers.

    Pages corrected: About-the-name, Architecture-deep-dive, Architecture-first-vs-prompt-first, Case-PtH-Timestomp, FAQ, Glossary, Home, Live-mode, MCP-function-catalog, Phase-1, Roadmap, SIFT-adapter-layer, The-Memex-Bet, _Sidebar, dart-mcp

    Phase-1.md version history table preserves the historical numbers (v0.4 = 35 native, v0.5 = 60 functions) as those are historical facts, not current state.

    MITRE coverage also corrected from 11/12 -> 10/12 (TA0009 Collection and TA0011 C2 are Phase 2).

    @Juwon1405 Juwon1405 committed May 14, 2026
    b2634ec
  • wiki(qa-r18): v0.5.4 CFReDS Hacking Case section + 36-function bypass test

    Paired with main repo r18 commit (3b69129).

    == Updated ==

    ### Accuracy.md
    - Bypass test: 'documented 35-function set' -> 'documented 36-function set'
    - New section: 'v0.5.4 — External benchmark: NIST CFReDS Hacking Case' with strict/lenient recall comparison (v0.5.3 0.10/0.40 -> v0.5.4 0.50/0.80) and the paradigm-gap explanation
    - New 'See also' subsection linking to case-08 README + closed issue #52 + open Phase 2 issues #53/#54/#55

    == Why this is in wiki not just main repo ==

    Reviewers reach the wiki via the GitHub right-rail link first, often before they read the README. The wiki Accuracy page has been the 'source of truth for measurement claims' since v0.5.0; v0.5.4 keeping it current with the CFReDS results is non-negotiable per the 4-surface sync rule.

    == Verified ==
    - All cross-references resolve: case-08 README path, issue #52/53/54/55 links, parse_registry_hive wiki anchor
    - No drift between this Accuracy page and docs/accuracy-report.md (main repo) or the social-surface advertising (profile + pages)

    @Juwon1405 Juwon1405 committed May 9, 2026
    94cb6f3
  • wiki(qa-r17): two evidence variants + corrected ground-truth count + methodology disclosure

    Pairs with main repo commit 58b3e5c (v0.5.3).

    == Why ==

    Round 17 addresses a fair reviewer concern: 'recall=1.0 measured on a 30-line file is not strong evidence — every line is an IOC.' That is correct. The fix is to ship two evidence variants and disclose methodology explicitly, then point at Phase 2 for third-party benchmarking.

    == Fixed ==

    ### Accuracy.md — '12/12 ground-truth findings' over-claim
    Bundled find-evil-ref-01 case has exactly TWO ground-truth findings (F-001 amcache anomaly + F-013 USB persistence), not twelve. The '12/12' was a typo or stale value from an earlier draft. Verified against scripts/measure_accuracy.py output: 'true_positives': ['F-001', 'F-013']. Fixed.

    ### Accuracy.md — '8 files' SHA-256 evidence integrity claim
    The actual file count walked by measure_accuracy.py's evidence digest map is 61, not 8. Fixed in the table.

    == Added ==

    ### Two evidence variants — section explaining why both ship
    Variant A — examples/sample-evidence/ (deterministic)
    Variant B — examples/sample-evidence-realistic/ (~1:30 IOC:benign)
    Both score the same ground truth and produce identical headline numbers (recall=1.0 / FPR=0.0 / hallucination=0). The realistic variant rules out the 'small-input over-fit' failure mode by demonstrating the same recall on web-log 1027 lines (37× noise), security events 516 (32× noise), unix auth 517 (29× noise).

    ### Phase 2 third-party dataset benchmarking
    Linked to issue #47 (NIST CFReDS, Ali Hadi, DFRWS, Splunk BOTS). Phase 1 establishes the methodology; Phase 2 operationalizes it on community-trusted datasets.

    == Verified ==
    - Both variant invocations work end-to-end and produce the headline numbers as reported (rerun: 2026-05-09)
    - 61-file count matches measure_accuracy.py output
    - Issue #47 exists with workstream split and acceptance criteria

    @Juwon1405 Juwon1405 committed May 9, 2026
    8f2b35e
  • wiki(qa-r13-15): FAQ MITRE 10/12 fix + dart-corr DuckDB ASOF→regular JOIN

    == Round 13/14/15 — paired with main repo commit 4495790 ==

    Two wiki fixes this round:

    ### FAQ.md — '11/12 MITRE ATT&CK enterprise tactics' over-claim
    Note: this fix is identical in shape to round 12's MITRE fix (already in commit ef63a96). This commit catches the second cite location in FAQ — the headline-metric paragraph at 'What's the headline metric?' — that the round-12 sweep missed.

    Measured by walking dart-mcp function names against MITRE tactic buckets: 10/12 enterprise tactics covered. TA0009 (Collection) and TA0011 (Command-and-Control) are roadmap items. C2 was already disclosed in the FAQ 'What would you change with more time?' answer; Collection wasn't. Fixed the headline metric to '10/12' with explicit TA list and a link to Phase-1 for the gap analysis.

    ### dart-corr.md — DuckDB ASOF JOIN syntax error
    The advertised SQL block was:

        ASOF JOIN mft m ON a.ts BETWEEN m.ts - INTERVAL 15 SECOND AND m.ts + INTERVAL 15 SECOND

    DuckDB's ASOF JOIN only accepts a single inequality (>=, <=, >, <) in the ON clause. BETWEEN is two inequalities, so this raises:

        BinderException: Multiple ASOF JOIN inequalities

    Reproduced on duckdb 1.5.2 (the version pinned in CI). The wiki narrative wants a symmetric ±15-second window for time proximity. The right shape for that is a regular JOIN with the BETWEEN clause in WHERE:

        FROM auth a, mft m
        WHERE a.ts BETWEEN m.ts - INTERVAL 15 SECOND AND m.ts + INTERVAL 15 SECOND
          AND m.timestomp = TRUE

    Verified the new block returns the expected contradiction row (alice@14:22:00 ↔ /etc/shadow timestomp@14:21:55, within window).

    == Verification ==
    - Re-ran every Python block on every wiki page (7 total). 6/7 already clean; this fix brings it to 7/7. Each block now actually runs on a fresh duckdb 1.5.2 install.
    - Re-ran scripts/measure_accuracy.py — recall=1.0, FPR=0.0, hallucination=0 (no regression from the doc fix).

    == Pattern internalised ==

    DuckDB's ASOF JOIN is a different beast from a regular range JOIN. ASOF is for 'find the most recent prior row' (single inequality); range JOINs are for 'find any row within window' (two inequalities). The wiki's narrative wanted the latter. Going forward, any wiki SQL that runs against DuckDB needs the same dry-run-on-fresh-duckdb check as the rest of the code blocks.

    @Juwon1405 Juwon1405 committed May 8, 2026
    8ffd3c3
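
    The ASOF-versus-range distinction the commit above draws, as an added DuckDB script that is not part of the commit or the project's wiki. It builds two small constructed tables (names and rows are invented to mirror the auth/mft narrative), shows the rejected ASOF+BETWEEN form, the corrected symmetric range join, and what a single-inequality ASOF JOIN actually answers.

```sql
-- Constructed sample data (not the project's schema or evidence).
CREATE TABLE auth (username VARCHAR, ts TIMESTAMP, message VARCHAR);
CREATE TABLE mft  (path VARCHAR, ts TIMESTAMP, timestomp BOOLEAN);

INSERT INTO auth VALUES
  ('alice', TIMESTAMP '2026-05-01 14:22:00', 'sudo session opened'),
  ('bob',   TIMESTAMP '2026-05-01 09:10:00', 'sudo session opened');

INSERT INTO mft VALUES
  -- 5 s before alice's event: inside a +/-15 s window, and timestomped
  ('/etc/shadow',        TIMESTAMP '2026-05-01 14:21:55', TRUE),
  -- 2 min before alice's event: timestomped but outside the window
  ('/var/log/syslog',    TIMESTAMP '2026-05-01 14:20:00', TRUE),
  -- inside bob's window, but not timestomped, so filtered out
  ('/home/bob/.bashrc',  TIMESTAMP '2026-05-01 09:10:03', FALSE);

-- The advertised (broken) block. ASOF JOIN allows exactly one inequality
-- in ON; BETWEEN expands to two, so DuckDB rejects it with
-- "BinderException: Multiple ASOF JOIN inequalities".
-- SELECT a.username, a.ts, m.path, m.ts
-- FROM auth a
-- ASOF JOIN mft m
--   ON a.ts BETWEEN m.ts - INTERVAL 15 SECOND AND m.ts + INTERVAL 15 SECOND;

-- Corrected form: symmetric +/-15 s proximity is a plain range join with
-- BETWEEN in WHERE. Expected: one row, alice 14:22:00 <-> /etc/shadow 14:21:55.
SELECT a.username,
       a.ts        AS auth_ts,
       m.path,
       m.ts        AS mft_ts,
       m.ts - a.ts AS delta
FROM auth a, mft m
WHERE a.ts BETWEEN m.ts - INTERVAL 15 SECOND AND m.ts + INTERVAL 15 SECOND
  AND m.timestomp = TRUE;

-- What ASOF JOIN is for: the most recent timestomped MFT row at or before
-- each auth event (single inequality, at most one match per left row).
-- alice matches /etc/shadow; bob has no earlier timestomped row and drops out.
SELECT a.username, a.ts AS auth_ts, m.path, m.ts AS mft_ts
FROM auth a
ASOF JOIN (SELECT * FROM mft WHERE timestomp) m
  ON a.ts >= m.ts;
```
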
  • wiki(qa-r14): kill 'pytest.raises(ToolNotFound)' hallucination in 2 architecture pages

    Round 14 of QA — every Python code block in the wiki dry-run-tested against actual imports.

    == Defects fixed ==

    ### Architecture-deep-dive.md and Architecture-first-vs-prompt-first.md
    Both pages had a Python sketch using:

        with pytest.raises(ToolNotFound):
            call_tool('execute_shell', ...)

    ToolNotFound is NOT an exception class in this codebase. The actual implementation in dart_mcp/__init__.py line 109 is:

        raise KeyError(f"ToolNotFound: '{name}' is not exposed by dart-mcp")

    i.e., the string 'ToolNotFound' is a marker inside a KeyError message, not a class name. The real test pattern in tests/test_mcp_bypass.py is:

        try:
            call_tool(forbidden, {})
        except KeyError as e:
            assert 'ToolNotFound' in str(e)

    A judge copying the wiki sketch would get NameError: name 'ToolNotFound' is not defined. Fixed both pages to use the actual KeyError-with-marker-string pattern from the real test. Verified by running both rewrites against a real call_tool import — both pass.

    ### Other Python blocks reviewed and verified
    - dart-audit.md AuditLogger usage: ✅ executes (round-10 fix holds)
    - Operator-guide.md DuckDB query and dart-corr.md DuckDB Why block: 🟢 illustrative placeholders ('<case>.duckdb', 'auth.csv') — wrapped in operator-context narrative; not runnable as-is, but the placeholder syntax (<...>) and surrounding prose make the intent clear. Left as-is.
    - SIFT-adapter-layer.md and dart-corr.md '# Illustrative' block: 🟢 schema sketches in a python code fence (no exec semantics). Left as-is.

    == Verification ==

    Both fixed sketches manually executed in a Python REPL with 'from dart_mcp import call_tool' first. Both pass. The fixed pattern is identical (modulo formatting) to what tests/test_mcp_bypass.py::test_unregistered_destructive_function_raises_ToolNotFound actually does — so the wiki teaches the real pattern, not a fictional one.

    == Pattern internalised (continuing the round-9/10 thread) ==

    Round 9 caught output-key hallucinations (function returns 'flags', not 'findings'). Round 10 caught argument-name and file-path hallucinations (host=, target=, --hunt, run_loop, loop.py). Round 14 caught exception-class hallucinations (ToolNotFound class that doesn't exist; the real implementation uses KeyError + a marker string). The unifying pattern: any wiki/docs Python sketch that names a specific symbol (function, kwarg, class, file path) needs to be diff-verified against the actual code. Sketches that just use 'placeholder.csv' or '<case>.duckdb' are fine because they declare themselves as illustrative.

    @Juwon1405 Juwon1405 committed May 8, 2026
    505799e
  • wiki(qa-r12): kill 11/12 MITRE + UUID4 audit_id + 5KB audit + rm bypass hallucinations

    == Round 12 of QA — FAQ / Glossary / Comparison deep verification ==

    FAQ.md, Glossary.md, Comparison.md were the 3 'reference' wiki pages that earlier rounds touched only at surface level. Round 12 went through every quantitative/categorical claim on each page and measured against actual code/runtime behavior.

    == Defects fixed ==

    ### FAQ.md — audit log size claim 5-8x over
    Advertised: '~3-5 KB per MCP call. 25-iteration run ~120-200 KB'
    Measured: ~568 bytes per call (1704 bytes / 3 entries on the bundled find-evil-ref-01 demo). 25-iter projection ~13 KB.
    The advertised numbers were either pre-v0.5 estimates from when audit entries carried full output bodies, or just a guess. Either way, current reality is 5-8x smaller, which actually strengthens the architectural claim ('audit log is verifiable in one pass on any laptop'). Fixed to '500-700 bytes per MCP call' and '12-18 KB' for the 25-iter projection.

    ### FAQ.md — '11/12 MITRE ATT&CK enterprise tactics' over-claim
    Measured by walking dart-mcp function names against MITRE tactic buckets: 10/12 covered. The two gaps are TA0009 (Collection) and TA0011 (Command and Control). C2 was already disclosed in the FAQ 'What would you change with more time?' answer ('PCAP analysis for full TA0011 coverage'); Collection wasn't disclosed. Fixed the headline metric to '10/12' with explicit TA list and a link to Phase-1 for the gap analysis. The honest count makes the Phase-2 roadmap motivation crisper.

    ### Glossary.md — 'Audit ID — UUID4' (round-10 same defect, different page)
    Round 10 fixed wiki/dart-audit.md (UUID4 → 8-char hex) but Glossary carried the same wrong definition independently. Same code-vs-doc mismatch: secrets.token_hex(4) produces 8-character hex, never UUID4. Fixed.
    Also corrected the next sentence — it claimed 'the serializer refuses to emit findings'. There is no serializer.py file (round-10 defect class). The actual gate is the finding emitter inside DeterministicAnalyst (in dart_agent/__init__.py). Phrased it that way now.

    ### Glossary.md — 'Bypass test — execute_shell, eval, rm, etc.'
    rm is NOT in the bypass test's forbidden list. The actual list asserted by tests/test_mcp_bypass.py is:

        execute_shell, write_file, mount, umount, eval, exec_python, network_egress, delete_file, system, spawn_process, kill_process

    rm was a plausible-looking guess that doesn't appear in the code. Replaced with the actual full list, which is more concrete and more impressive than the 'execute_shell, eval, rm, etc.' summary.

    ### Comparison.md — verified clean
    Walked every external URL (Velociraptor docs, Plaso, Eric Zimmerman's site, SigmaHQ) — all 200. Walked every cross-reference to phase-2/phase-3 packages (dart-synth #23, dart-responder #26) — both have tracking issues. The TL;DR matrix entries were spot-checked against actual capabilities and stand. No fixes needed.

    == Verification methodology for this round ==
    1. Read each claim
    2. If quantitative: measure with a script (audit log size, MITRE tactic count, response shape)
    3. If categorical: read the cited code/test and confirm the claim is what the code actually does
    4. If external: curl with 10s timeout and assert 200
    5. Fix any mismatch; verify the fix doesn't introduce a new one

    == Verified ==
    - 31/31 pytest green (zero regression — wiki-only changes, no code touched)
    - Bypass test list in Glossary now matches tests/test_mcp_bypass.py line 29-30 + line 127 'negative' set
    - Audit log size in FAQ now matches measured demo run output
    - MITRE tactic count in FAQ now matches the actual function-name coverage measurement

    @Juwon1405 Juwon1405 committed May 8, 2026
    808bf9a
  • wiki(qa-r11): 11 hallucinations across 9 pages — function signatures, CLI flags, file refs

    Pairs with main repo commit c34f661. Round 11 extended round 10's 'wiki/docs cite-vs-reality' sweep to all wiki pages round 10 didn't touch. Found 11 hallucinations across 9 pages.

    == Defects fixed ==

    ### dart-mcp.md — 22 function signatures wrong
    This page was the headline catalog of native MCP functions ('The 60 functions') and was citing every one of them with fictional kwargs like host=, target=, path=. This is the most important page after the README for anyone trying to understand the MCP surface. A judge clicking dart-mcp from the sidebar would have hit fictional signatures for nearly every function.

    Fixed:
        get_amcache(path) → get_amcache(hive_path)
        parse_prefetch(target) → parse_prefetch(prefetch_path)
        parse_shimcache(host) → parse_shimcache(system_hive)
        get_process_tree(host) → get_process_tree(process_csv)
        analyze_usb_history(host, time_window) → analyze_usb_history(system_hive, setupapi_log)
        parse_shellbags(host) → parse_shellbags(ntuser_hive)
        extract_mft_timeline(host, start, end) → extract_mft_timeline(mft_path, start, end)
        list_scheduled_tasks(host) → list_scheduled_tasks()
        detect_persistence(host) → detect_persistence()
        analyze_event_logs(host, event_ids, time_window) → analyze_event_logs(events_json)
        parse_unified_log(host, subsystem, time_window) → parse_unified_log(unifiedlog_json)
        parse_knowledgec(host) → parse_knowledgec(knowledgec_db)
        parse_fsevents(host) → parse_fsevents(fsevents_csv)
        parse_browser_history(host, browser) → parse_browser_history(history_db)
        analyze_downloads(host) → analyze_downloads(downloads_source)
        correlate_download_to_execution(host) → correlate_download_to_execution(downloads, executions)
        detect_exfiltration(host, time_window) → detect_exfiltration()
        analyze_windows_logons(host) → analyze_windows_logons(security_events_json)
        detect_lateral_movement(host) → detect_lateral_movement()
        analyze_kerberos_events(host) → analyze_kerberos_events(security_events_json)
        analyze_unix_auth(host, time_window) → analyze_unix_auth(auth_log_path)
        detect_privilege_escalation(host) → detect_privilege_escalation()
        analyze_web_access_log(path, rules) → analyze_web_access_log(access_log)
        detect_webshell(path) → detect_webshell(webroot)
        detect_brute_force_rdp(host) → detect_brute_force_rdp(security_events_json)
        detect_credential_access(host) → detect_credential_access()
        detect_ransomware_behavior(host) → detect_ransomware_behavior()
        detect_defense_evasion(host) → detect_defense_evasion()
        detect_discovery(host) → detect_discovery()
        correlate_timeline(start, end, sources) → correlate_timeline(events)

    All verified against live inputSchema.required. No-arg functions (the post-Phase-1 detect_* family) had fictional '(host)' parameters that don't exist in the schema at all.

    ### Case-PtH-Timestomp.md — list_scheduled_tasks(host=...)
    Same residual fix as docs/case-pth-timestomp.md (round 10 caught 3 of 4 fictional signatures on this page; r11 caught the last one).

    ### Operator-guide.md / Running-on-macOS.md — --evidence flag
    Both pages advertised '--evidence /path/to/evidence' as a CLI flag. Round 10 caught the same hallucination in Live-mode.md but missed these two operator-facing pages — the SIFT VM install + macOS dev-mode pages a judge would land on after the README directs them to operator-guide. Fixed both to use 'export DART_EVIDENCE_ROOT=...' (the actual env-var pattern) before invoking the agent.

    ### Case-IP-KVM.md / Running-on-SIFT.md / Writing-case-studies.md — missing --out
    All three advertised 'python3 -m dart_agent --case ID --max-iterations 25' but --out is a required argparse argument. Without it the CLI errors with 'argument --out is required'. Added --out to the example invocations on all three pages.

    ### FAQ.md — '36th appears or one of the 35'
    The 'Is the MCP surface really fixed in size?' answer used '35' as the surface-count anchor. Total surface is 60 (35 native + 25 SIFT adapters), so the 'a 36th appears' phrasing has been stale since v0.5. Fixed to 'a 61st appears or any of the 60 (35 native + 25 SIFT adapters) disappears'. The same page's overview (line 99) already cited 60 correctly, making the line-25 mistake an inter-paragraph drift inside one page — caught by re-reading from a judge's flow rather than from a count-grep.

    ### dart-corr.md — illustrative pseudocode framing
    The pseudocode block was labeled '# dart_corr/__init__.py — simplified', which an attentive reader could mistake for a pointer at a real file. dart_corr/ contains only README.md; the actual correlation code is in dart_mcp/__init__.py. The page's 'Implementation note' at the bottom already says this, but reading the pseudocode header in isolation gives the wrong impression. Reframed the comment to 'Illustrative — real implementation lives in dart_mcp/__init__.py' inline so the framing is correct at point-of-read.

    == Verification approach ==

    For each function-signature fix:
    1. Pulled the live inputSchema.required from list_tools()
    2. Verified the kwarg names match what dart_mcp/__init__.py actually accepts
    3. Where the old wiki signature included optional kwargs that don't exist (e.g., 'time_window' on detect_exfiltration), dropped them rather than mapping to a different optional

    For CLI fixes: confirmed against 'python3 -m dart_agent --help' output (only --case, --out, --max-iterations, --mode, --prompt, --model, --dry-run exist).

    == Pattern internalized ==

    Round 10 found a few signature hallucinations on the prominent Case-PtH page. Round 11 showed they were endemic on the headline catalog page (dart-mcp.md) — every single one of 22 cited functions had a fictional kwarg. Likely cause: the wiki was drafted from a v0.3-era memory of the surface, then never re-synced to the actual schema during the v0.4/v0.5 expansions. Going forward: any wiki page that lists multiple function signatures gets re-grep'd against list_tools() schema after every surface change, not just every release.

    @Juwon1405 Juwon1405 committed May 8, 2026
    ef63a96
  • wiki(qa-r10): kill function-signature + file-existence hallucinations across 6 pages

    Pairs with main repo commit 8a1917b. Round 10 was a 'judge follows every advertised command line by line' pass — surfaced 6 distinct hallucinations a SANS judge would have hit if they tried to reproduce anything from the wiki.

    == Defects fixed ==

    ### Accuracy.md — broken script reference
    Advertised 'bash scripts/run-accuracy-suite.sh'. That script doesn't exist and never has. The actual reproducer is 'python3 scripts/measure_accuracy.py' with the standard PYTHONPATH export. A judge running the README's accuracy claim through this page would have hit:

        bash: scripts/run-accuracy-suite.sh: No such file or directory

    Replaced with the real measure_accuracy.py invocation, which was verified end-to-end (recall=1.0, FPR=0.0, hallucination_count=0, evidence_integrity_preserved=true).

    ### Case-PtH-Timestomp.md — 3 function-signature errors
    All three are the same class of mistake — the wiki cited positional/keyword args that don't exist on the actual MCP tools:
        'dart-agent --hunt' → 'python3 -m dart_agent --case ... --out ... --mode deterministic'
        'get_process_tree(host=...)' → 'get_process_tree(process_csv=...)'
        'analyze_windows_logons(host=...)' → 'analyze_windows_logons(security_events_json=...)'
        'parse_prefetch(target=...)' → 'parse_prefetch(prefetch_path=...)'
    These same mistakes live in docs/case-pth-timestomp.md (fixed in the paired repo commit). Verified by pulling live inputSchema.required from list_tools() for each tool.

    ### dart-agent.md — run_loop() and 4 fictional files
    The page advertised:
    - 'run_loop() in dart_agent/src/dart_agent/__init__.py'
    - A file inventory citing loop.py, decision.py, hypothesis.py, serializer.py — none of which exist.
    The actual structure is __init__.py + __main__.py + live.py. The senior-analyst loop is the DeterministicAnalyst class's .run() method (4 internal phases: _phase_timeline → _phase_hypothesis → _phase_validate_usb → _phase_finalize). Rewrote both the 'What it owns' bullet and the Files block to match reality. Added an explanatory note that the agent is small enough to keep its control flow in __init__.py.

    ### dart-audit.md — 3 hallucinations in one example
    The advertised AuditLogger.log() example used:
    - outputs={...} — actual kwarg is 'output' (singular)
    - cpu_ms=42 — no such kwarg
    - bytes_read=1024 — no such kwarg
    Real signature is:

        log(tool_name, inputs, output, iteration, token_count_in, token_count_out, finding_ids=None)

    Same page advertised audit_id type as 'UUID4' — actual is 8-character hex (secrets.token_hex(4)). Same page advertised 'output/<run_id>/<audit_id>.json' as the per-call output storage location — that directory layout doesn't exist; outputs are referenced by SHA-256 digest only in deterministic mode. Fixed all three. Verified the corrected example works as a copy-paste — wrote a test audit log, verified the chain, ran CLI (verify + trace) all green.

    ### dart-corr.md — serializer.py hallucination
    Page claimed UNRESOLVED contradictions are blocked by 'the serializer (dart_agent/serializer.py)'. There is no serializer.py file. The blocking happens inside DeterministicAnalyst's finding emission path in __init__.py. Rewrote the sentence to point at the real location.

    ### Live-mode.md — 2 hallucinations in the headline example
    - '--evidence /mnt/case-evidence' — no such CLI flag. Real pattern is 'export DART_EVIDENCE_ROOT=/path' before invoking the agent.
    - 'Claude sees exactly 35 typed forensic functions' — should be 60 (35 native + 25 SIFT adapters). Stale from the v0.4 surface, missed in earlier rounds because Live-mode.md wasn't part of the surface-count grep targets.
    Fixed both. Added an explicit '(Add --dry-run to use a scripted mock Claude with no API key)' line for CI / offline reproduction.

    == Verification approach ==

    For each defect:
    1. Read the wiki claim
    2. Pulled the actual code/schema (inputSchema, argparse output, filesystem ls, AuditLogger signature via inspect)
    3. Compared advertised ↔ actual
    4. Fixed the wiki, then re-verified the fixed example by either running it (Accuracy.md, dart-audit.md) or by checking it would no longer raise on a copy-paste

    == Pattern internalised ==

    Round 9 caught output-key hallucinations in code examples. Round 10 caught argument-name hallucinations and file-path hallucinations in tutorial prose — a different surface that print-output dry-runs don't cover. Going forward, any wiki/docs page that references a function by name + signature should be diff-checked against the live inputSchema.required list whenever the underlying code changes.

    @Juwon1405 Juwon1405 committed May 8, 2026
    1c089f4
  • wiki(qa-r7): replace 10 dead external reference URLs with verified live alternatives

    Pairs with main repo commit 56879b8. Comprehensive external URL reachability sweep across all 4 surfaces (repo + wiki + profile + pages — 193 unique URLs, 332 references) surfaced 10 dead links, all in MCP-function-catalog.md. Replacements:

    == Microsoft docs migration (4 URLs) ==

    Microsoft moved virtually all 'docs.microsoft.com/en-us/windows/...' audit and forensic doc paths under 'learn.microsoft.com/en-us/previous-versions/' when learn.microsoft.com became the canonical landing page. Old paths return 404, not 301-redirect, so the references die silently.
    - docs.microsoft.com/.../auditing/audit-logon-events → learn.microsoft.com/.../previous-versions/.../basic-audit-logon-events
    - docs.microsoft.com/.../sysinfo/sysmain-cache (Prefetch format) → github.com/libyal/libscca prefetch-format.asciidoc (most-cited community spec; the canonical reference Eric Zimmerman, Sarah Edwards, and forensics.wiki all link to)
    - docs.microsoft.com/.../web-shell-threat-hunting (Microsoft killed this entire path) → attack.mitre.org/techniques/T1505/003 (canonical web-shell ref that actually outranks Microsoft's docs in field practice anyway)

    == Other dead links (5 URLs) ==
    - andreafortuna.org/2019/05/06/amcache-blog → github.com/EricZimmerman/AmcacheParser (AmcacheParser is what every working Amcache reference cites; Andrea Fortuna's blog post pre-dated AmcacheParser becoming the standard)
    - tzworks.com/prototypes/shellbags → forensics.wiki/shell_item (TZWorks restructured product pages; forensics.wiki is the community-maintained alternative)
    - bsi.bund.de/EN/IT-Security/Cyber-Security → bsi.bund.de/EN/Home/home_node.html (path moved on BSI site restructure; homepage stable)
    - sans.org/white-papers/35107 → sans.org/blog/forensics-101-acquiring-an-image-with-ftk-imager (35107 was a paywalled paper; SANS pulled the gate, the blog acquisition guide covers the same material on the open web)
    - trustwave.com/.../timestomp-mft-shenanigans → sans.org/blog/digital-forensics-detecting-time-stamp-manipulation (Trustwave Spiderlabs blog post archived; SANS has equivalent coverage of the SI vs FN timestomp detection pattern)

    == Service downtime (1 URL) ==
    - news.sophos.com/en-us/category/threat-research/ (503 service unavailable) → cisa.gov/news-events/cybersecurity-advisories (CISA's #StopRansomware advisories cover the same TTP-catalog space Sophos's Active Adversary Playbook does, with the bonus that CISA is a stable government domain.)

    == Side fixes that surfaced during the sed pass ==
    - Removed duplicate AmcacheParser line (one with ericzimmerman.github.io, one with the canonical github.com/EricZimmerman/AmcacheParser)
    - Removed duplicate CISA line (Ransomware Indicators / Cybersecurity Advisories were pointing at the same URL)
    - Restored MITRE ATT&CK web-shell line that an ampersand-bearing sed accidentally chewed up (the ATT&CK ampersand collided with sed's & meaning 'replacement back-reference')

    == Verified ==

    All 9 new external URLs return HTTP 200 with valid content. No introduced regressions. transfer.sh (503 in case-04 phishing-to-exfil evidence) is left as-is — it's an intentional forensic IOC, not a reference link, and its IOC value is independent of current uptime.

    @Juwon1405 Juwon1405 committed May 8, 2026
    6d8c1eb
  • wiki(qa-r6): kill v2-default residue + correct reference counts to ground truth

    Pairs with main repo commit 9ebdb97. Three pages touched:

    == _Sidebar.md (right-hand nav, every page) ==

    Line 18 was advertising '(v2: 10 phases, 25 sources)' — appeared in the right-hand navigation of every wiki page, contradicting the v3-default story we'd told everywhere else. The user caught this exactly because it appeared next to every wiki page they opened. Now reads: '(v3 default: 10 phases, 42 references)'.

    == dart-playbook.md ==

    Line 23 had a literal '**v2 is the default for any new case.**' sentence sitting on the same page as the v3-default header above it. Rewritten to '**v3 is the default for any new case.** v2 is retained as the methodology baseline...'.

    Line 79 (Reference corpus section) had '39 published references organized into 5 categories. v3 adds **14 new** vs v2'. Rewritten with ground-truth counts measured directly from the yaml: '42 published references organized into **6 categories**. v3 adds **+17 net items vs v2's 25**' with the per-category diff broken out (15 indust + 2 inspiration + 2 vendor − 2 primary consolidation).

    Line 92 was a top-level '## senior-analyst-v2 — methodology lineage' section sitting at the same heading depth as the v3 industrialization section. Re-framed as '## Methodology lineage (inherited from v2, still authoritative in v3)' so it reads as v3's foundation, not as a competing version.

    == Why this matters ==

    A SANS judge — or any wiki reader — opening the dart-playbook page or the right-hand nav would have seen 'v2 default' in plain English right after reading 'v3 default' elsewhere. That contradiction looks worse than either single error: it looks like the project doesn't know its own state. Round 6 closes the loop.

    @Juwon1405 Juwon1405 committed May 3, 2026
    8901731
  • wiki(qa-r5): playbook v3 surface — honest framing + line count + v2/v3 default fixes

    Pairs with main repo commit 77f2334. Twelve files touched on the wiki side:
    - dart-playbook.md ........... v3 'industrialization' section rewritten with 'data scaffold; runtime activation post-SANS' framing. Anatomy section flipped from senior-analyst-v2.yaml to senior-analyst-v3.yaml with v3-additions vs v2-carry-over grouping. Bundled-playbooks table line count 1135 → 1182. Forking instructions now point at v3 as source. Operator-notes citation moved to v3. 'Six principles every senior analyst remembers' sourced from v3 (inherited from v2). 'See also' adds v3 link.
    - Phase-1.md ................. v3 line count 1135 → 1182. 'Playbook v3.1' release-history row clarified to 'Playbook v3 patch (no separate v3.1 file)'.
    - Roadmap.md ................. v3 line item rewritten with 'YAML data scaffolds' framing + issue #44 link + line count update.
    - SIFT-adapter-layer.md ...... 'playbook v3.1' → 'playbook v3'.
    - The-Memex-Bet.md ........... 'Playbook v2' → 'Playbook v3 (default)'.
    - Case-IP-KVM.md ............. v1 historical context preserved with a 'now default in v3' annotation appended.
    - Case-PtH-Timestomp.md ...... same v1 historical / v3 current-default annotation pattern.
    - Writing-case-studies.md .... v1 reference → v3 default in the next_call_decisions tuning instruction.

    == Why this matters ==

    A SANS judge reading dart-playbook.md and then opening dart_agent/__init__.py would have found the 'HMM operationalized in the agent' / 'every run self-classifies' / 'triggered when any phase exits' claims absent from the runtime path. Round 5 fixes that — documentation and code now agree, with the runtime activation work explicitly deferred and tracked at issue #44.

    No code changes on the wiki side; pure documentation. Main repo's 77f2334 covers the v3 yaml header and the source tree.

    @Juwon1405 Juwon1405 committed May 3, 2026
    0ac8fc1
  • wiki(qa-r4): MCP-function-catalog title corrected to reflect actual coverage

    The page title claimed '60 typed forensic functions (35 native + 25 SIFT Workstation adapters)' but the body only catalogued the 35 native functions — the SIFT adapters were never inline-listed here. That made the page misleading: anyone Ctrl-F-ing for 'sift_vol3_windows_pslist' on this page would find nothing and assume it was missing from the project.

    Title now reads '35 typed native forensic functions' and a top-of-page note explicitly directs the reader to [[SIFT-adapter-layer]] for the other 25. Quick-navigation table now ends with:

        | **Native total**            | **35** |                            |
        | SIFT Workstation adapters   | 25     | see [[SIFT-adapter-layer]] |
        | **Grand total MCP surface** | **60** |                            |

    This way the page is honest about what it covers and where to find the rest. Filling out the SIFT adapter inline catalogue here (issue #31 on the main repo) is post-SANS work.

    @Juwon1405 Juwon1405 committed May 3, 2026
    553a7b3
  • wiki(qa-r3): fix '6-test bypass suite' → '7-test' in 3 locations

    mcp_bypass added a 7th test in v0.5.2: test_correlate_timeline_rejects_sql_injection_attempts

    Phase-1.md (1 mention) and Roadmap.md (2 mentions) all updated. Pairs with main repo commit 4cea439 (QA round 3).

    @Juwon1405 Juwon1405 committed May 3, 2026
    b73382b
  • wiki(qa-r2): sync 22→31 tests, add v0.5.1/v0.5.2 timeline, v1 playbook line count

    Follow-up sync after main repo's v0.5.2 landed (defensive runtime guards + 3 regression tests). The recent on-main 'wiki — 13 pages updated' sweep correctly moved every surface to 60 tools, but the test-count bumped from 22 to 31 in v0.5.2 and a few wiki pages hadn't caught up.

    Counts (5 files):
    - FAQ.md '22 / 22 tests passing' → 31 / 31
    - Operator-guide.md 'All 22 tests should print OK' → 31
    - Phase-1.md '22 of 22 tests passing' → 31 of 31
    - Roadmap.md '22 of 22 tests passing' → 31 of 31
    - Running-on-macOS.md 'Run all 22 tests' / 'All 22 tests pass on M1/M2/M3' → 31

    Timeline (Phase-1.md):
    - Added v0.5.1 row (2026-05-03 — Evergreen visuals + full-surface QA)
    - Added v0.5.2 row (2026-05-03 — Defensive runtime guards + 31 tests)
    - Reordered v0.4.1 / Playbook v3 / v3.1 chronologically so the table reads top-to-bottom in actual ship order rather than the previous near-random sequence

    Playbook line counts (dart-playbook.md, 2 places):
    - senior-analyst-v1.yaml 128 → 133 lines (v0.5.2 patched the volatile_first phase to reference real registry tools; the Memory Capture phase grew by 5 lines with the explanatory rationale comment)
    - Annotated the legacy comment so future readers know why v1 still has a 'memory' phase even though native memory functions aren't on the v0.5 registry

    Phase-1's two intentionally-historical rows preserved verbatim:
    - 'v0.4 → 35 native, 20 tests' — release-time state
    - 'v0.5 → 60, 22 tests' — release-time state
    These are timeline facts, not status claims, so they do NOT bump.

    @Juwon1405 Juwon1405 committed May 3, 2026
    f1ede8b
  • wiki QA pass: synchronize 13 pages to v0.5 reality (60 tools, 22 tests)

    Companion to main repo commit 52f975d (v0.5.1 QA pass). Updated to reflect the v0.5 SIFT adapter layer (35 native + 25 SIFT = 60 typed read-only MCP tools) and the v0.5 test suite expansion (20 → 22 cases):

    About-the-name.md
      'The 35 typed dart-mcp functions cover...' → 'The typed dart-mcp surface (35 native + 25 SIFT Workstation adapters = 60 functions) covers...'
      Test count 20/20 → 22/22 across all references.
    Architecture-deep-dive.md
      ASCII architecture box: 'dart-mcp 35 typed forensic functions' → 'dart-mcp 60 typed forensic functions (35 native + 25 SIFT)'
    Architecture-first-vs-prompt-first.md
      'The MCP surface is exactly 35 functions, by name' → 'The MCP surface is exactly 60 typed functions, by name (35 native + 25 SIFT Workstation adapters)'
    Case-PtH-Timestomp.md
      (2 references) updated parallel to docs/.
    FAQ.md
      Question heading: 'Is the MCP surface really exactly 35 functions?' → 'Is the MCP surface really fixed in size?'
      Answer body: counts updated to 60 / 22-22.
    Glossary.md
      dart-mcp definition: 35 → 60. 'For Agentic-DART v0.4: exactly 35' → 'For Agentic-DART v0.5: 60 (35 native + 25 SIFT Workstation adapters)'
    Home.md (TOC)
      'the 35 forensic functions, schema, bypass tests' → 'the 60 forensic functions (35 native + 25 SIFT adapters), schema, bypass tests'
      'why the MCP surface is exactly 35 functions, not 28, not 35' rephrased to avoid count-anchoring.
    Live-mode.md
      (2 references) parallel to docs/.
    MCP-function-catalog.md
      Page title: '· 35 typed forensic functions' → '· 60 typed forensic functions (35 native + 25 SIFT Workstation adapters)'
    Operator-guide.md
      'All 20 tests should print OK' → 'All 22 tests should print OK'
    Phase-1.md
      Body: '35 typed forensic functions' / '20 of 20 tests passing' counts updated.
      Timeline table: ADDED row for 2026-05-02 v0.5 (SIFT Workstation tool adapter layer → 60 functions, 22 tests passing). v0.4 historic row preserved verbatim.
    Roadmap.md
      Three references to 35 / 20-20 updated to v0.5 numbers.
    Running-on-macOS.md
      'Step 3 — Run all 20 tests' → '... 22 tests'
      'All 20 tests pass on M1/M2/M3' → 'All 22 tests pass on M1/M2/M3'
    The-Memex-Bet.md
      'MCP surface (35 typed functions)' → 'MCP surface (60 typed functions: 35 native + 25 SIFT adapters)'
      'The 35 functions are not a guideline...' → 'The 60 functions (35 native + 25 SIFT Workstation adapters) are not a guideline...'
    _Sidebar.md
      Two TOC labels: '(35 functions)' → '(60 functions: 35 native + 25 SIFT)'
    dart-mcp.md
      'exposes exactly 35 typed forensic functions' → 'exposes 60 typed forensic functions (35 native + 25 SIFT Workstation adapters)'
      Section heading 'The 35 functions' → 'The 60 functions (35 native + 25 SIFT adapters)'
    SIFT-adapter-layer.md
      Preserved verbatim — line 18 'its own 35 forensic functions' is historic context describing the pre-v0.5 state.

    @Juwon1405 Juwon1405 committed May 2, 2026
    2b823cf
  • wiki: add SIFT-adapter-layer page + Home TOC link

    Documents the v0.5 SIFT Workstation tool adapter layer:
    - 25 typed wrappers (Volatility 3 ×12, Eric Zimmerman ×8, YARA ×2, Plaso ×2)
    - Binary resolution rules per adapter (env-var override -> PATH -> error)
    - Architectural contract every adapter must satisfy (read-only sandbox, SHA-256 audit, subprocess timeout, structured output, graceful degradation, schema parity)
    - Verification commands

    Pairs with main repo commit 403a5ce.

    @Juwon1405 Juwon1405 committed May 2, 2026
    9ffcb9e
  • wiki: Phase 1 boost — dedicated page + Roadmap expansion

    == The problem ==
    Phase 1 was visually understated relative to Phases 2/3/4:
    Roadmap.md before: P1=35 lines, P2=40, P3=43, P4=24
    P1 was the SMALLEST despite being the current focus. This created the impression that Phase 1 was a thin foundation followed by ambitious future plans, when in fact Phase 1 IS the SANS submission and contains essentially all the load-bearing architecture.

    == Fixes ==
    1. Roadmap.md Phase 1 section — expanded from 35 to 79 lines:
       * NEW intro paragraph explaining what 'agentic DFIR' means
       * NEW 'architecturally complete because' bullet block enumerating the 5 architectural guarantees that propagate unchanged into Phases 2/3/4
       * REORGANIZED 'Done' into 4 subsections: Core architecture, Cross-platform coverage, Methodology (3 playbook versions), Validation, Documentation
       * NEW 'Remaining for Phase 1' table with status + issue links
       * NEW 'What Phase 1 explicitly does NOT do' section (5 items with deferred-to-Phase explanation, each with issue link)
    2. Roadmap.md intro — added at-a-glance phase summary table showing Phase 1 status (~95% complete, closes 2026-06-15) at the top of the page
    3. NEW dedicated page: Phase-1.md (~140 lines)
       * Operator's-eye summary written for someone who lands on this page directly without reading the full Roadmap
       * Sections: in-one-sentence / what ships / what remains / what we explicitly DO NOT do / versions shipped / where to go next
       * Versions table chronicles every release Apr 28 → May 01
       * Cross-links to Memex Bet, Architecture deep dive, Threat model, Running guides, dart-playbook
    4. _Sidebar.md — P1 link updated:
       * Was: anchor link to Roadmap#phase-1
       * Now: dedicated [Phase-1] page (more prominent)
       * Sidebar Roadmap entry now shows '~95% complete' subtitle
    5. Home.md — P1 link updated to dedicated page + bullets enriched with status / closing date / Phase 2/3/4 timing

    == Result ==
    Roadmap.md after: P1=79 lines, P2=40, P3=43, P4=24
    Plus dedicated Phase-1 page accessible from Sidebar + Home
    Wiki broken links: 0 maintained
    Wiki page count: 26 → 27

    @Juwon1405 Juwon1405 committed May 1, 2026
    9068f3e
  • wiki: dart-playbook — add Yamato Security as external reference

    Wiki update following v3.1 patch (commit 45580dd in main repo).

    == Changes ==
    - vendor_research count updated (10, +2 vs v2 — Roberto Rodriguez OTRF and Zach Mathis Yamato Security Tokyo)
    - New 'related_tools_for_inspiration' category added with 2 entries: Hayabusa and EnableWindowsLogSettings, both Yamato Security Tokyo
    - Footnote added below the standards section with explicit external-attribution disclaimer: 'Yamato Security is an independent Tokyo-based DFIR group; Agentic-DART has no affiliation or partnership with them.'

    == Why ==
    Tokyo-based DFIR community recognition is a credibility signal, and Yamato Security has shipped some of the best open-source EVTX tooling. Crediting them as external prior art (without conflating ownership) is the correct posture for SANS judges who know the Japanese security ecosystem.

    == Verified ==
    - 0 broken wiki links maintained
    - All Yamato citations explicitly marked as external/third-party

    @Juwon1405 Juwon1405 committed May 1, 2026
    7d466bf
  • wiki: surface Phase 1 in Home + Sidebar (was previously omitted)

    == Problem ==
    The Roadmap section in both Home.md and _Sidebar.md jumped straight from Phase 2 to Phase 4. Phase 1 — the SANS FIND EVIL! 2026 submission that is the entire current focus — was conspicuously missing from the top-level navigation surfaces. This made the wiki read like 'we're already past Phase 1' to anyone landing on Home or scanning the Sidebar — exactly the wrong impression for a SANS judge or first-time visitor evaluating the submission.

    == Fix ==
    Home.md — Roadmap section: Added Phase 1 as the FIRST entry, marked with ⭐ and 'current focus', with deep link to the Phase 1 anchor in Roadmap.md.
    _Sidebar.md — Project section: Promoted the Roadmap link to a parent with four nested deep-links (Phase 1 ⭐ / Phase 2 / Phase 3 / Phase 4), each pointing to the matching anchor in Roadmap.md.

    The Roadmap.md page itself already contained a complete Phase 1 section — only the navigation entries on Home / Sidebar were missing.

    Wiki broken links: 0 maintained.

    @Juwon1405 Juwon1405 committed May 1, 2026
    8021a07
  • wiki: feature Playbook v3 (industrialization release) on dart-playbook page

    == dart-playbook.md ==
    - Bundled playbook table updated: v3 (1135 lines) is now default, v2 (845 lines) demoted to 'methodology baseline', v1 kept for demos
    - Added new section 'senior-analyst-v3 — industrialization release' before the existing v2 section, covering:
      * Palantir ADS Framework (9-section detection contract)
      * MaGMa Use Case Framework (L1/L2/L3 + CMMI 5-level maturity)
      * TaHiTI threat hunt cycle (H1/H2/H3)
      * Bianco Hunting Maturity Model (HMM 0-4) operationalized
    - Reference corpus expanded to 39 with hyperlinks to awesome-soc, awesome-incident-response, awesome-threat-detection, ThreatHunter-Playbook, Atomic Red Team, Sigma schema

    == Roadmap.md ==
    - Added 'Playbook v3 (2026-05-01)' entry to the Done section immediately after the v2 entry, summarizing the 14 new references and four framework additions

    Wiki broken links: 0 maintained.

    @Juwon1405 Juwon1405 committed May 1, 2026
    39256fe
  • wiki: add 'The Memex Bet' concept page + remove dead Project link

    == Marketing strengthening (inspired by Karpathy's LLM Wiki gist) ==
    New concept page: 'The Memex Bet' (96 lines)
    - Frames Agentic-DART within the lineage from Vannevar Bush's 1945 Memex through Karpathy's April 2026 LLM Wiki pattern
    - Makes the bet explicit: senior-analyst reasoning IS the durable compounding artifact, not the report
    - Side-by-side mapping of LLM Wiki components to Agentic-DART components — sources / wiki / schema → evidence / playbook / MCP
    - Reading list for judges: Bush 1945, Karpathy 2026, Bianco, Caltagirone, M-Trends, Lockheed Kill Chain
    - Linked from Sidebar (top of Concepts) and Home page (top of Concepts) with ⭐ marker — first impression for new visitors

    == OPSEC / dead links cleanup ==
    Removed dead Project link from _Sidebar.md
    - https://github.com/users/Juwon1405/projects/4 was never set up (project board abandoned — issues + milestones cover the work)
    - The link 404'd, hurting professional impression

    == Why this matters for SANS judging ==
    A judge skimming the wiki for 60 seconds now sees:
    1. ⭐ The Memex Bet (the philosophical hook)
    2. About the name (what DART means)
    3. Architecture-first vs prompt-first (the design claim)
    4. Architecture deep dive (the implementation)
    This trajectory — philosophy → naming → claim → implementation — mirrors how Karpathy's gist is read in 2026. Putting Agentic-DART in that intellectual lineage signals seriousness without arrogance.

    @Juwon1405 Juwon1405 committed May 1, 2026
    1e2b20b
  • wiki(roadmap): add Playbook v2 to Done section + update v1->v2 reference

    Senior-analyst playbook v2 (845 lines, 10 phases, Mandiant + Bianco + DFIR Report + 8 frameworks) shipped 2026-04-30 but Roadmap Done section still pointed at v1.

    Updated:
    - Done entry adds 'Playbook v2 (2026-04-30)' between v0.4 and the rest of the Phase 1 deliverables
    - Top of Roadmap now reads 'senior-analyst-v2.yaml default; v1.yaml legacy' instead of just v1

    @Juwon1405 Juwon1405 committed May 1, 2026
    55fb354
  • wiki(dart-playbook): rewrite for v2 senior-analyst methodology

    228-line update reflecting senior-analyst-v2.yaml as default. Documents:
    - 10-phase methodology (P0 volatility through P9 finding emission)
    - 10 case classes (was 3 in v1)
    - posture block with M-Trends 2026 priors
    - 25 next_call_decisions, 7 contradiction_triggers, 5 stop_conditions
    - 25 references grouped by category
    - 6 senior-analyst principles from operator_notes

    Cites Mandiant M-Trends 2026, Bianco's Pyramid of Pain & Hunting Maturity Model, Diamond Model, Lockheed Kill Chain, MITRE ATT&CK v16, F3EAD, NIST 800-61/86/150, The DFIR Report case studies, CISA #StopRansomware advisories, and field practitioners (Metcalf, Edwards, Wardle, Pomeranz, Zimmerman, Case, Roth, JPCERT).

    @Juwon1405 Juwon1405 committed May 1, 2026
    b5244b4
  • wiki: dart-playbook page rewritten around v2 (Mandiant + Bianco + DFIR Report)

    dart-playbook page now reflects senior-analyst-v2.yaml — the comprehensive senior-analyst methodology shipped in repo commit 463afe0.

    New content:
    - Methodology lineage table (9 frameworks, all linked)
    - Field-practice section (8 named senior analysts, attribution links)
    - Case-study grounding (DFIR Report 2024-2026, CISA, DBIR)
    - 10-phase sequence table with senior-analyst principles
    - 10 case classes with M-Trends 2026 prior justification
    - 7 named contradiction triggers with MITRE pivots
    - v2 phase anatomy example (P2 Timeline Reconstruction)

    Home.md and _Sidebar.md tagline updated to mention v2 scope.

    @Juwon1405 Juwon1405 committed May 1, 2026
    20607ee
  • wiki: 3 stragglers — 17→20 in About-the-name / Threat-model / Writing-case-studies

    @Juwon1405 Juwon1405 committed Apr 30, 2026
    a8f5f3e
  • wiki: sync test count 17 → 20 (audit race fix added 3 tests)

    @Juwon1405 Juwon1405 committed Apr 30, 2026
    36edc29
  • wiki: add 12 missing pages, fix all 32 broken links

    The wiki sidebar and Home page referenced 13 pages that didn't exist, producing the GitHub 'create new page' UI when clicked.

    Adds:
    Concepts:
      Glossary — DFIR / agent / MCP terms
    The 5 packages:
      dart-agent — senior-analyst wrapper loop
      dart-corr — cross-artifact correlation engine
      dart-audit — SHA-256 chained audit log
      dart-playbook — YAML sequencing rules
      (dart-mcp already existed)
    Reference:
      Comparison — vs Velociraptor / Plaso / EZ tools / SOAR / vanilla LLMs
    Running it:
      Running-on-SIFT — SANS SIFT VM 5-minute setup
      Running-on-macOS — macOS-specific mount conventions
      Live-mode — real Claude API + MCP stdio integration
    Case studies:
      Case-PtH-Timestomp — Pass-the-Hash + timestomp pre-existence
      Case-IP-KVM — IP-KVM remote-hands insider scenario
      Writing-case-studies — guide for contributing new case studies
    Project:
      Accuracy — reproducible accuracy methodology + numbers

    The Roadmap-Phase-2/3/4 links in Home.md were repointed to the existing Roadmap page's anchors (those were never separate pages). The Contributing link in dart-mcp.md now points to CONTRIBUTING.md in the main repo.

    _Sidebar.md restructured into 6 named sections so the 25-page wiki is navigable.

    Final broken-link count: 0.

    @Juwon1405 Juwon1405 committed Apr 30, 2026
    b73bb8e
  • wiki(roadmap): record v0.4 Linux+macOS expansion in Done

    @Juwon1405 Juwon1405 committed Apr 30, 2026
    c73c29e
  • wiki: comprehensive sync 31 → 35 across all pages

    v0.4 raised the function count from 31 to 35. The wiki was tracking the old number on multiple pages:
    About-the-name.md 'existing 31 functions stay' → 35
    Architecture-deep-dive.md 'the 31 typed' → 35
    Architecture-first-vs-prompt-first.md '31 functions, by name' → 35
    FAQ.md 'is the surface really exactly 31?' → 35
    Home.md 'the 31 forensic functions' → 35
    Operator-guide.md '31' → '35'
    Roadmap.md '31 typed forensic functions' → 35
    Threat-model.md (no 31 references — already clean)
    dart-mcp.md 'exactly 31 typed' → '35'
    MCP-function-catalog.md (header was already 35)

    Roadmap also gets a 'v0.4 (2026-04-30)' entry in the Done list to record the Linux+macOS expansion.

    @Juwon1405 Juwon1405 committed Apr 30, 2026
    2e72430