
[FR] Add an evidences chain of custody and connect it to assets, tasks, IOCs and events

Open leludo84 opened this issue 3 years ago • 0 comments

The current evidence management is too basic for forensic investigations. We need a chain of custody that answers:

  • Who (user)
  • What (task)
  • How (task)
  • When (task)
  • On what (assets, evidences)
  • What Result (evidences, file)

Moreover, events, tasks and IOCs need to be connected to this chain. During an investigation, we have to see the source and origin of the event (with link and tree?).

A very simple chain of custody might look like this:

(image: "simple chain of custody", drawio diagram)

Optionally, in the far future, it would be nice to have a screenshot (logical operations) or a photograph (physical operations) attached to a task.

leludo84, Jul 05 '22 12:07
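The record structure the request sketches (who, what, how, when, on what, result, plus links to events/tasks/IOCs), as an added Python example that is not iris-web's own code. Two things are assumptions on top of the request: each step carries a SHA-256 over its own fields and the previous step's hash, so later alteration of any recorded step is detectable, and the "source and origin" view is implemented as a backward walk from an evidence, event or IOC id through the `on_what` inputs that produced it. All ids, users and tool names in the sample chain are constructed.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from typing import Dict, Iterable, List, Optional, Tuple

GENESIS_HASH = "0" * 64  # prev_hash recorded by the first step of a chain


@dataclass(frozen=True)
class CustodyEntry:
    """One step in the chain, answering the six questions from the request."""
    who: str                            # user who performed the action
    what: str                           # task id or name
    how: str                            # method / tool used
    when: str                           # ISO-8601 UTC timestamp
    on_what: Tuple[str, ...]            # assets or evidences acted on
    result: Tuple[str, ...]             # evidences or files produced
    links: Dict[str, Tuple[str, ...]]   # related events / tasks / iocs by id
    prev_hash: str                      # entry_hash of the preceding step
    entry_hash: str = ""                # filled in by ChainOfCustody.append

    def payload(self) -> dict:
        """Every field except entry_hash, ready for canonical hashing."""
        d = asdict(self)
        d.pop("entry_hash")
        return d


def _digest(payload: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class ChainOfCustody:
    """Append-only, hash-linked list of custody steps for one case (assumed design)."""

    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []

    def append(self, who: str, what: str, how: str, when: str,
               on_what: Iterable[str], result: Iterable[str],
               links: Optional[Dict[str, Iterable[str]]] = None) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        draft = CustodyEntry(who, what, how, when, tuple(on_what), tuple(result),
                             {k: tuple(v) for k, v in (links or {}).items()}, prev)
        entry = replace(draft, entry_hash=_digest(draft.payload()))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every hash; False if any step was altered, removed or reordered."""
        prev = GENESIS_HASH
        for e in self.entries:
            if e.prev_hash != prev or _digest(e.payload()) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def lineage(self, item_id: str) -> List[str]:
        """Tasks that led to an evidence, event or IOC id, oldest first.

        Follows result/links back through on_what (a flat list; nesting the
        same walk would give the tree the request mentions).
        """
        visited: set = set()
        order: List[str] = []

        def walk(target: str) -> None:
            for e in self.entries:
                if e.what in visited:
                    continue
                touched = target in e.result or any(target in ids for ids in e.links.values())
                if touched:
                    visited.add(e.what)
                    for src in e.on_what:
                        walk(src)
                    order.append(e.what)

        walk(item_id)
        return order


def build_sample_chain() -> ChainOfCustody:
    """Constructed sample: three tasks on a fictitious case (all ids made up)."""
    coc = ChainOfCustody()
    coc.append("analyst1", "T1-acquire-image", "dd through hardware write-blocker",
               "2022-07-05T10:00:00Z", ["ASSET-laptop-01"], ["EVID-disk.img"],
               {"events": ["EVT-1"]})
    coc.append("analyst2", "T2-extract-history", "browser history parser",
               "2022-07-05T11:30:00Z", ["EVID-disk.img"], ["EVID-history.csv"],
               {"events": ["EVT-2"], "iocs": ["IOC-1"]})
    coc.append("analyst1", "T3-write-report", "manual review",
               "2022-07-06T09:00:00Z", ["EVID-history.csv"], ["EVID-report.pdf"])
    return coc


def demo() -> dict:
    coc = build_sample_chain()
    valid_before = coc.verify()
    # Alter the recorded user of step 2 without re-hashing: verification must now fail.
    coc.entries[1] = replace(coc.entries[1], who="someone-else")
    return {"valid_before": valid_before, "valid_after_tamper": coc.verify(),
            "ioc_origin": build_sample_chain().lineage("IOC-1")}
```

Running `demo()` shows the two properties a reviewer of evidence would want: `lineage("IOC-1")` traces the IOC back to the disk acquisition that ultimately produced it, and editing any recorded field after the fact breaks `verify()`. In a real deployment the hash chain alone does not stop an administrator from rewriting the whole chain; it needs to be anchored externally (periodic export of the latest `entry_hash`, or storage the application cannot modify) to serve as evidence.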