Files
2026-06-14 14:30:48 -04:00

4.7 KiB

Forensic Investigation Report

Instructions: Fill in all sections. Every factual claim must cite at least one [EV-XXXX] evidence ID. Remove placeholder text and instruction notes before finalizing. Redact all secrets to [REDACTED].


Executive Summary

Target Repository: OWNER/REPO Investigation Period: YYYY-MM-DD to YYYY-MM-DD Verdict: Confidence Level: Report Date: YYYY-MM-DD Investigator:


Timeline of Events

All timestamps in UTC. Each event must cite at least one evidence ID.

Timestamp (UTC) Event Evidence IDs Source
YYYY-MM-DDTHH:MM:SSZ Describe event [EV-XXXX] git / gh_api / gh_archive / web_archive

Validated Hypotheses

Hypothesis 1:

Status:

Claim: Full statement of the hypothesis.

Supporting Evidence:

  • [EV-XXXX]: What this evidence shows
  • [EV-YYYY]: What this evidence shows

Counter-Evidence Considered: What might disprove this, and why it was ruled out or not.

Confidence:


Indicators of Compromise (IOC List)

Type Value Status Evidence
COMMIT_SHA abc123... Confirmed malicious [EV-XXXX]
ACTOR_USERNAME handle Suspected compromised [EV-YYYY]
FILE_PATH src/evil.js Confirmed malicious [EV-ZZZZ]
DOMAIN evil-cdn.io Confirmed C2 [EV-WWWW]

Affected Versions

Version / Tag Published Contains Malicious Code Evidence
v1.2.3 YYYY-MM-DD Yes / No / Unknown [EV-XXXX]

Evidence Registry

Generated by: python3 SKILL_DIR/scripts/evidence-store.py --store evidence.json export

ID Type Source Actor Verification Event Timestamp URL
EV-0001

Chain of Custody

Generated by: python3 SKILL_DIR/scripts/evidence-store.py --store evidence.json export

Evidence ID Action Timestamp Source
EV-0001 add

Technical Findings

Git History Analysis

Summarize findings from local git analysis: dangling commits, reflog anomalies, unsigned commits, binary additions, etc.

GitHub API Analysis

Summarize findings from GitHub REST API: deleted PRs/issues, contributor changes, release anomalies, etc.

GitHub Archive Analysis

Summarize findings from BigQuery: force-push events, delete events, workflow anomalies, member changes, etc. Note: If BigQuery was unavailable, state this explicitly.

Wayback Machine Analysis

Summarize findings from archive.org: recovered deleted pages, historical content differences, etc.

IOC Enrichment

Summarize enrichment results: WHOIS data for domains, recovered commit content, actor account analysis, etc.


Recommendations

Immediate Actions (If Compromise Confirmed)

  • Rotate all GitHub tokens, API keys, and credentials that may have been exposed
  • Pin dependency versions to hashes in all affected packages
  • Publish a security advisory / CVE if applicable
  • Notify downstream users/package registries (npm, PyPI, etc.)
  • Revoke access for the compromised account and re-secure with hardware 2FA
  • Audit all CI/CD workflow files for unauthorized modifications
  • Review all releases published during the compromise window

Monitoring Recommendations

  • Enable branch protection on main/master (require code review, disallow force-push)
  • Enable required commit signing (GPG/SSH)
  • Set up GitHub audit log streaming for future monitoring
  • Pin critical dependencies to known-good SHAs in lock files

Limitations and Caveats

  • List any data sources that were unavailable (e.g., no BigQuery access)
  • Note any evidence that is single-source only (not independently verified)
  • Note any hypotheses that could not be confirmed or denied

References

  • Evidence store: evidence.json (SHA-256 integrity: run python3 SKILL_DIR/scripts/evidence-store.py --store evidence.json verify)
  • Related issues:
  • RAPTOR framework: https://github.com/gadievron/raptor