DFIR + AI Primer: Use LLMs in Your Cloud - Not Theirs

AWS, Azure, & GCP have cutting-edge models. Use them so Anthropic or OpenAI can't see your data.

3 simple steps:
- Enable the feature in your cloud and get an API key
- Configure a GenAI client on your system to use the key (I used Goose)
- Configure the local MCP servers (Autopsy, Cyber Triage, etc.)

That's it. You can analyze your DFIR data and it never leaves your control. It's better performing than a local LLM and a similar cost to using the vendor subscriptions.

Full steps are in the blog: https://lnkd.in/epaK3k42

The other benefit is that you can easily switch out models. I'm going to experiment more with Gemini.

What models are you all using?
Brian, the data-sovereignty piece is the part that must withstand cross-examination. From a Rule 707 / Daubert posture, the question every AI-assisted forensic analysis must answer is: where did the model run, what was the data exposure during analysis, and can you prove the evidence didn't leave its established chain of custody? Your AWS/Azure/GCP-with-MCP pattern keeps the answer clean. A third-party LLM API call breaks the chain the moment the data egresses. Brett's "forensics first" framing, on top of this, becomes the operational doctrine: use tools that preserve admissibility from the start. The translation work my field has to do for the next decade rides on practitioners taking this exact path.
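The post's setup and the comment's chain-of-custody question both come down to one verifiable control: the client must only ever talk to a model endpoint inside your own cloud tenant, and you need a record of what was sent there. The following is an added example (not code from the post, from Goose, Cyber Triage or Autopsy) of a small egress guard plus audit log that you can wrap around whatever client call you use. Assumptions, labelled in the code: the three hostname patterns are my understanding of the public inference endpoints for Azure OpenAI, Amazon Bedrock and Vertex AI and should be checked against your cloud's documentation (or replaced with your Private Link / VPC endpoint names); `send` is a placeholder for your real client function; the prompt and case ID are constructed.

```python
"""Egress guard and chain-of-custody log for an LLM client used on DFIR data.

Added example, not from the original post or any of the tools it names.
"""
import hashlib
import json
import re
import time
from urllib.parse import urlparse

# Hostname shapes for model endpoints that run inside your own cloud tenant.
# ASSUMPTION: these are the public inference endpoints of Azure OpenAI, Amazon
# Bedrock and Vertex AI as I know them. Verify against your cloud's docs and
# substitute your Private Link / VPC endpoint names if you use those.
ALLOWED_HOST_PATTERNS = [
    re.compile(r"^[a-z0-9-]+\.openai\.azure\.com$"),              # Azure OpenAI resource
    re.compile(r"^bedrock-runtime\.[a-z0-9-]+\.amazonaws\.com$"),  # Amazon Bedrock runtime
    re.compile(r"^[a-z0-9-]+-aiplatform\.googleapis\.com$"),       # Vertex AI regional endpoint
]


class EgressViolation(Exception):
    """The client is configured to send case data to a host outside the tenant."""


def check_endpoint(base_url: str) -> str:
    """Return the hostname if base_url is an approved in-tenant HTTPS endpoint.

    Fails closed: plain HTTP, an empty host, or any host not matching the
    allowlist raises, so a client left pointed at api.openai.com or
    api.anthropic.com never gets to send a prompt.
    """
    parts = urlparse(base_url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        raise EgressViolation(f"refusing non-TLS endpoint: {base_url}")
    if not any(p.match(host) for p in ALLOWED_HOST_PATTERNS):
        raise EgressViolation(f"host is not in your cloud tenant: {host!r}")
    return host


def is_approved(base_url: str) -> bool:
    """Boolean form of check_endpoint, for validating a config file at startup."""
    try:
        check_endpoint(base_url)
        return True
    except EgressViolation:
        return False


def audit_record(base_url: str, model: str, messages: list, case_id: str) -> dict:
    """Chain-of-custody entry for one model call, without storing the content.

    Records where the data went (host), which model saw it, and a SHA-256 of the
    exact request body so the call can later be tied to one specific prompt.
    """
    host = check_endpoint(base_url)
    body = json.dumps({"model": model, "messages": messages},
                      sort_keys=True, separators=(",", ":")).encode("utf-8")
    return {
        "case_id": case_id,
        "ts": time.time(),
        "endpoint": host,
        "model": model,
        "request_sha256": hashlib.sha256(body).hexdigest(),
        "request_bytes": len(body),
    }


def guarded_send(send, base_url: str, model: str, messages: list,
                 case_id: str, audit_log: list):
    """Check the endpoint and log the call before handing the prompt to send().

    send(base_url, model, messages) is a placeholder for your real client call.
    If check_endpoint raises, nothing is logged and send() is never reached.
    """
    audit_log.append(audit_record(base_url, model, messages, case_id))
    return send(base_url, model, messages)


if __name__ == "__main__":
    # Constructed stand-in for the real client call; nothing touches the network.
    def fake_send(base_url, model, messages):
        return f"{model}@{urlparse(base_url).hostname}: {len(messages)} message(s) accepted"

    log = []
    # Constructed prompt; in practice this is what an MCP server fed to the client.
    msgs = [{"role": "user",
             "content": "List scheduled tasks created in the last 7 days from the triage export."}]
    print(guarded_send(fake_send, "https://dfir-lab.openai.azure.com", "gpt-4o", msgs, "CASE-0001", log))
    try:
        guarded_send(fake_send, "https://api.openai.com/v1", "gpt-4o", msgs, "CASE-0001", log)
    except EgressViolation as exc:
        print("blocked:", exc)
    print(json.dumps(log, indent=2))
```

This is a client-side guard, so pair it with a network egress policy (VPC endpoints, Private Link, or a firewall allowlist of the same hosts) that a misconfigured tool cannot route around. The audit log, written to the case record, is what lets you answer "where did the model run and what was sent to it" later: the endpoint hostname plus the request hash ties each prompt to a resource in your own account.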
Much of your writing on this is extremely insightful and appreciated! As AI grows, we in the cybersecurity realm need to master it, just like we had to master other sources of information! Your topics greatly help push us down that road. Thank you!
Focusing on "forensics first, AI second" makes for a better methodology in that speed can be gained without sacrificing forensic principles.
Here is the blog on setting up a local LLM: https://www.cybertriage.com/blog/dfir-ai-using-local-llms-with-dfir-mcp-servers/