AI Forensic Analysis Guide#

This guide covers how to use unJaena AI's core feature -- AI forensic analysis -- to quickly and accurately analyze collected evidence. Through natural language queries, you can discover meaningful evidence from tens of thousands of artifacts and build a complete picture of an incident.

What is AI Forensic Analysis?#

AI forensic analysis automatically examines collected digital evidence (registry, Prefetch, EventLog, browser history, USB records, etc.) to identify key evidence, perform chronological reconstruction, threat classification, and correlation analysis.

Key Features#

  • Natural language queries: Ask questions in everyday language without specialized query syntax
  • Semantic search: Automatically find related evidence based on meaning, not just keywords
  • MITRE ATT&CK mapping: Automatically classify detected threats by kill-chain phases
  • Evidence citations: Every analysis result includes specific evidence source references
  • Multi-language support: Analyze in Korean, English, Japanese, and Chinese

Starting an Analysis#

Step 1: Select a Case#

  1. Select the case you want to analyze from the dashboard.
  2. Confirm the case status shows Ready for Analysis.
    • Data upload and indexing must be complete before AI analysis is available.
  3. Click the AI Analysis tab to navigate to the analysis page.

Step 2: Choose an Analysis Method#

unJaena AI provides three analysis methods. Choose the appropriate method based on your objectives.

Three Analysis Methods#

AI Analysis#

The most powerful analysis method. Through natural language queries, the AI searches evidence and generates comprehensive analysis reports.

Best for:

  • Investigating specific suspicious activities
  • Getting an overall overview of an incident
  • Analyzing correlations between multiple artifact types
  • Performing kill-chain analysis

How to use:

  1. Enter your question in the AI Analysis tab.
  2. The AI searches for and analyzes relevant evidence.
  3. Analysis results stream in real time.
  4. Ask follow-up questions for deeper analysis.

Manual Review#

Directly browse and review collected artifacts.

Best for:

  • When you want to examine specific artifacts firsthand
  • Manually reviewing data from a specific time period
  • Verifying original evidence behind AI analysis results

How to use:

  1. Navigate to the Manual Review tab.
  2. Filter by artifact type (Registry, Prefetch, EventLog, etc.).
  3. Set a time range to view data for a specific period.
  4. Review individual artifact details.

Timeline Profiler#

Visualize the entire system activity chronologically to detect anomalies.

Best for:

  • Understanding the temporal flow of an incident
  • Detecting activity during abnormal hours (nighttime, weekends)
  • Analyzing temporal relationships between multiple events

How to use:

  1. Navigate to the Timeline Profiler tab.
  2. Set the analysis period.
  3. Review activity patterns on the visualized timeline.
  4. Click on sections where anomalous activity is detected for detailed information.

Using Natural Language Queries#

The core of AI analysis is natural language queries. You can ask questions in everyday language without knowing specialized terminology.

Query Examples#

Basic queries:

  • "Were there any suspicious activities on this system?"
  • "Show me USB device connection records"
  • "List all programs executed in the past 7 days"

Specific investigation queries:

  • "Were any files copied to external storage after 2:00 PM on March 15, 2026?"
  • "Was PowerShell executed at abnormal times?"
  • "Find traces of deleted files"

Threat analysis queries:

  • "Perform a kill-chain analysis of this system"
  • "Find evidence suggesting possible malware infection"
  • "Are there traces of communication with C2 servers?"
  • "Analyze evidence related to insider threats"

Cross-analysis queries:

  • "Analyze whether any files were downloaded after USB connection"
  • "Show suspicious activities that occurred after a new account was created"
  • "List files accessed after remote connection, in chronological order"

Using Follow-Up Questions#

The AI maintains previous conversation context. Leverage follow-up questions based on initial analysis results.

First question: "Show me USB connection records"
-> AI: Found 3 USB connection events (3/15 14:32, 3/16 09:15, 3/18 22:47)

Follow-up: "Analyze file activity within 30 minutes before and after the March 15 USB connection"
-> AI: 5 document files were accessed immediately after USB connection, 3 of which were copied to USB

Follow-up: "Show detailed information about the 3 copied files and related user activity"
-> AI: Provides detailed analysis results

Understanding the AI Analysis Report#

AI analysis results are provided in the following structure.

Findings Summary#

Key findings identified in the analysis are organized by priority. Each finding includes related evidence and its significance.

Evidence Citations#

All analysis results include evidence citations in the format [Evidence #N]. This allows you to verify which actual evidence supports each AI claim.

Example:

A USB device (SanDisk Extreme, S/N: 4C530001) was connected at 2026-03-15 14:32:18 [Evidence #1]. Immediately after connection, access to 'ProjectX_Final.docx' was detected at 14:35:42 [Evidence #2]. This file was copied to the external drive at 14:37:05 [Evidence #3].

Clicking each [Evidence #N] lets you view the original artifact data. This enables you to:

  • Directly verify the accuracy of AI analysis.
  • Review the full content of the original artifact.
  • Identify evidence requiring further investigation.
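Because the [Evidence #N] marker is what lets an investigator check each AI claim, the following added Python example (not code from unJaena AI or this guide) audits a report written in that format against an evidence index: claims whose citations all resolve are separated from uncited claims and from citations that name evidence the index does not contain. The index, the sample report and the function names are constructed assumptions.

```python
import re

# Matches the guide's citation marker, e.g. "[Evidence #3]".
CITATION = re.compile(r"\[Evidence #(\d+)\]")

# Constructed evidence index keyed by citation number (hypothetical; not real case data).
EVIDENCE_INDEX = {
    1: {"source": "USB", "data": "SanDisk Extreme, S/N: 4C530001, connected 2026-03-15 14:32:18"},
    2: {"source": "MFT", "data": "ProjectX_Final.docx last accessed 2026-03-15 14:35:42"},
    3: {"source": "MFT", "data": "ProjectX_Final.docx created on E:\\ at 2026-03-15 14:37:05"},
}

# Constructed report in the guide's format: three good citations, one uncited claim,
# and one citation (#9) that points at evidence the index does not contain.
SAMPLE_REPORT = (
    "A USB device (SanDisk Extreme, S/N: 4C530001) was connected at 2026-03-15 14:32:18 "
    "[Evidence #1]. Immediately after connection, access to 'ProjectX_Final.docx' was "
    "detected at 14:35:42 [Evidence #2]. This file was copied to the external drive at "
    "14:37:05 [Evidence #3]. The same user then cleared the Security event log. "
    "Outbound traffic to an unknown host followed [Evidence #9]."
)


def split_claims(report):
    """Split a report into sentences; each sentence is audited as one claim."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", report.strip()) if s.strip()]


def audit_citations(report, index):
    """Check every claim in `report` against the evidence index.

    Returns a dict with three buckets:
      cited    {claim: [ids]}         every citation resolves to indexed evidence
      dangling {claim: [missing ids]} a citation names evidence that is not in the index
      uncited  [claim]                the claim carries no citation and cannot be verified
    """
    result = {"cited": {}, "dangling": {}, "uncited": []}
    for claim in split_claims(report):
        ids = [int(n) for n in CITATION.findall(claim)]
        if not ids:
            result["uncited"].append(claim)
            continue
        missing = [n for n in ids if n not in index]
        if missing:
            result["dangling"][claim] = missing
        else:
            result["cited"][claim] = ids
    return result
```

Uncited and dangling claims are the ones to treat as "Requires Further Investigation" until an artifact is found that supports them.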

Timeline#

Discovered events are reconstructed chronologically so you can understand the flow of the incident. Activity during anomalous hours (nighttime, weekends) is highlighted separately.
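As an added illustration (not code from unJaena AI or this guide) of the two correlations just described, the symmetric 30-minute window around a USB connection from the follow-up example and the highlighting of nighttime/weekend activity on the timeline, here is a small Python model over constructed artifact rows. The Artifact class, the sample rows and the 22:00-06:00 night range are assumptions modelled on the guide's own examples.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Artifact:
    """One indexed evidence row (hypothetical shape, not the product's data model)."""
    evidence_id: int
    source: str            # artifact type, e.g. "USB", "MFT", "Prefetch"
    timestamp: datetime
    description: str


# Constructed sample rows modelled on the guide's walk-through; not real case data.
# Note: 2026-03-15 is a Sunday, so the first three rows fall on a weekend.
SAMPLE = [
    Artifact(1, "USB", datetime(2026, 3, 15, 14, 32, 18), "SanDisk Extreme connected"),
    Artifact(2, "MFT", datetime(2026, 3, 15, 14, 35, 42), "ProjectX_Final.docx accessed"),
    Artifact(3, "MFT", datetime(2026, 3, 15, 14, 37, 5), "ProjectX_Final.docx copied to E:\\"),
    Artifact(4, "USB", datetime(2026, 3, 16, 9, 15, 0), "SanDisk Extreme connected"),
    Artifact(5, "Prefetch", datetime(2026, 3, 16, 9, 20, 0), "WINWORD.EXE executed"),
    Artifact(6, "USB", datetime(2026, 3, 18, 22, 47, 0), "SanDisk Extreme connected"),
    Artifact(7, "Prefetch", datetime(2026, 3, 18, 23, 30, 0), "POWERSHELL.EXE executed"),
]


def within_window(events, anchor, minutes=30):
    """Events within +/- `minutes` of `anchor` (anchor itself excluded), oldest first.

    The window is symmetric, as in "30 minutes before and after the USB connection":
    preparation before the connection is caught as well as activity after it.
    """
    delta = timedelta(minutes=minutes)
    hits = [e for e in events
            if e is not anchor and abs(e.timestamp - anchor.timestamp) <= delta]
    return sorted(hits, key=lambda e: e.timestamp)


def is_off_hours(ts, night_start=22, night_end=6):
    """True for weekend activity or nighttime (22:00-06:00 by default, the guide's example range)."""
    return ts.weekday() >= 5 or ts.hour >= night_start or ts.hour < night_end


def off_hours_events(events):
    """Subset of `events` a timeline would highlight as anomalous-hours activity, oldest first."""
    return sorted((e for e in events if is_off_hours(e.timestamp)), key=lambda e: e.timestamp)
```

Widening the window (for example to 60 minutes) changes which events correlate with the 22:47 connection, which is why the query should state the window explicitly.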

Confidence Indicators#

AI analysis results include confidence levels for each determination:

| Confidence | Meaning | Recommended Action |
| --- | --- | --- |
| Confirmed | Clearly supported by artifact evidence | Include in report |
| Highly Likely | Supported by multiple pieces of indirect evidence | Additional confirmation recommended |
| Requires Further Investigation | Only partial evidence confirmed | Conduct in-depth investigation |

MITRE ATT&CK Kill-Chain Mapping#

AI analysis automatically maps detected threat activities to the MITRE ATT&CK framework. MITRE ATT&CK is a widely adopted, publicly maintained framework that systematically classifies adversary tactics and techniques.

Kill-Chain Phases#

Major attack phases identified in the analysis:

| Phase | Description | Detection Examples |
| --- | --- | --- |
| Initial Access | Initial entry point | Phishing emails, malicious downloads |
| Execution | Malicious code execution | Suspicious process execution records |
| Persistence | Maintaining foothold | Registry autorun key registration |
| Privilege Escalation | Elevating permissions | Administrator account acquisition attempts |
| Defense Evasion | Avoiding detection | Log deletion, timestamp manipulation |
| Credential Access | Accessing credentials | Browser saved data access |
| Discovery | Information gathering | System information collection commands |
| Lateral Movement | Spreading internally | Remote desktop connection records |
| Collection | Data gathering | Mass access to specific folders |
| Command & Control | C2 communication | Suspicious external connections |
| Exfiltration | Data theft | Mass USB/cloud copy activity |
| Impact | Damage | File encryption, system modification |

Using Kill-Chain Analysis#

Kill-chain mapping results allow you to:

  • Identify the current stage of an attack.
  • Predict stages not yet executed for proactive response.
  • Connect evidence across stages to build the complete attack picture.

Multi-Language Analysis#

unJaena AI supports 4 languages. AI responses are provided in the analysis language set during case creation.

Supported Languages#

| Language | Queries | AI Responses | Artifact Search |
| --- | --- | --- | --- |
| Korean | Yes | Yes | Yes |
| English | Yes | Yes | Yes |
| Japanese | Yes | Yes | Yes |
| Chinese | Yes | Yes | Yes |

Regardless of the query language, the AI searches artifacts across all languages. For example:

  • Asking "Find malware traces" in English will search both English event logs and Korean user activity for relevant evidence.
  • Asking in Japanese applies the same search scope.

Tips for Effective Queries#

Be Specific#

Not recommended: "Is there anything weird?"
Recommended: "Show me suspicious activities that occurred during nighttime (10 PM - 6 AM) in the past 7 days"

Specify Time Ranges#

Specifying a time period yields more precise results.

  • "Analyze USB activity from March 15 to March 20, 2026"
  • "Find suspicious processes executed in the past 48 hours"

Specify Artifact Types#

Targeting specific analysis subjects enables more focused analysis.

  • "Show me failed login attempts from EventLog"
  • "Find programs executed at abnormal times from Prefetch"
  • "Check items registered for autorun in the Registry"

Request Cross-Analysis#

Analyzing relationships between multiple artifact types provides deeper insights.

  • "Cross-analyze USB connection timing with file download records"
  • "Show network activity around the time a new service was installed"

Drill Down Progressively#

Start with a broad scope and gradually narrow down.

Step 1: "Evaluate the overall security posture of this system"
Step 2: "Analyze the suspicious Prefetch files discovered in more detail"
Step 3: "Are there any network connection records related to that executable?"

Frequently Asked Questions (FAQ)#

AI analysis results are an assistive tool for setting investigation direction and identifying key evidence. For use as legal evidence, verification and confirmation by a professional forensic analyst is required. You can directly verify the original artifacts through the evidence citations ([Evidence #N]) provided by the AI.

Q: Can the AI produce incorrect analysis?#

The AI analyzes based solely on actual collected evidence, but interpretation accuracy is not 100%. To address this:

  • Evidence citations are included for every claim.
  • Confidence indicators are provided (Confirmed / Highly Likely / Requires Further Investigation).
  • Users can directly verify original evidence.

Q: How long does analysis take?#

It depends on query complexity, but generally:

  • Simple queries: 30 seconds to 1 minute
  • Complex analysis: 1 to 2 minutes
  • Full kill-chain analysis: 2 to 3 minutes

Results stream in real time, so you can review partial results before the full analysis is complete.

Q: Can I review previous analysis results?#

Yes, all analysis conversations are saved per case. You can review questions and results from previous analysis sessions at any time.

Q: How is data security ensured?#

  • All data is stored in per-user isolation.
  • AES-256-GCM encryption is applied during transit and at rest.
  • Data is automatically deleted when the retention period for your plan expires.
  • You cannot access other users' cases.

Q: Can I analyze only specific artifact types?#

Yes, specifying a particular artifact type in your query focuses the analysis on that type. You can also filter by artifact type in the Manual Review tab for direct examination.

Q: Can I export analysis results?#

You can export analysis results as PDF or share them with team members. Exported reports include AI analysis results, evidence citations, and timelines.

Next Steps#