4.7 KiB
Forensic Investigation Report
Instructions: Fill in all sections. Every factual claim must cite at least one
[EV-XXXX]evidence ID. Remove placeholder text and instruction notes before finalizing. Redact all secrets to[REDACTED].
Executive Summary
Target Repository: OWNER/REPO
Investigation Period: YYYY-MM-DD to YYYY-MM-DD
Verdict:
Confidence Level:
Report Date: YYYY-MM-DD
Investigator:
Timeline of Events
All timestamps in UTC. Each event must cite at least one evidence ID.
| Timestamp (UTC) | Event | Evidence IDs | Source |
|---|---|---|---|
| YYYY-MM-DDTHH:MM:SSZ | Describe event | [EV-XXXX] | git / gh_api / gh_archive / web_archive |
Validated Hypotheses
Hypothesis 1:
Status:
Claim: Full statement of the hypothesis.
Supporting Evidence:
- [EV-XXXX]: What this evidence shows
- [EV-YYYY]: What this evidence shows
Counter-Evidence Considered: What might disprove this, and why it was ruled out or not.
Confidence:
Indicators of Compromise (IOC List)
| Type | Value | Status | Evidence |
|---|---|---|---|
| COMMIT_SHA | abc123... |
Confirmed malicious | [EV-XXXX] |
| ACTOR_USERNAME | handle |
Suspected compromised | [EV-YYYY] |
| FILE_PATH | src/evil.js |
Confirmed malicious | [EV-ZZZZ] |
| DOMAIN | evil-cdn.io |
Confirmed C2 | [EV-WWWW] |
Affected Versions
| Version / Tag | Published | Contains Malicious Code | Evidence |
|---|---|---|---|
v1.2.3 |
YYYY-MM-DD | Yes / No / Unknown | [EV-XXXX] |
Evidence Registry
Generated by:
python3 SKILL_DIR/scripts/evidence-store.py --store evidence.json export
| ID | Type | Source | Actor | Verification | Event Timestamp | URL |
|---|---|---|---|---|---|---|
| EV-0001 |
Chain of Custody
Generated by:
python3 SKILL_DIR/scripts/evidence-store.py --store evidence.json export
| Evidence ID | Action | Timestamp | Source |
|---|---|---|---|
| EV-0001 | add |
Technical Findings
Git History Analysis
Summarize findings from local git analysis: dangling commits, reflog anomalies, unsigned commits, binary additions, etc.
GitHub API Analysis
Summarize findings from GitHub REST API: deleted PRs/issues, contributor changes, release anomalies, etc.
GitHub Archive Analysis
Summarize findings from BigQuery: force-push events, delete events, workflow anomalies, member changes, etc. Note: If BigQuery was unavailable, state this explicitly.
Wayback Machine Analysis
Summarize findings from archive.org: recovered deleted pages, historical content differences, etc.
IOC Enrichment
Summarize enrichment results: WHOIS data for domains, recovered commit content, actor account analysis, etc.
Recommendations
Immediate Actions (If Compromise Confirmed)
- Rotate all GitHub tokens, API keys, and credentials that may have been exposed
- Pin dependency versions to hashes in all affected packages
- Publish a security advisory / CVE if applicable
- Notify downstream users/package registries (npm, PyPI, etc.)
- Revoke access for the compromised account and re-secure with hardware 2FA
- Audit all CI/CD workflow files for unauthorized modifications
- Review all releases published during the compromise window
Monitoring Recommendations
- Enable branch protection on
main/master(require code review, disallow force-push) - Enable required commit signing (GPG/SSH)
- Set up GitHub audit log streaming for future monitoring
- Pin critical dependencies to known-good SHAs in lock files
Limitations and Caveats
- List any data sources that were unavailable (e.g., no BigQuery access)
- Note any evidence that is single-source only (not independently verified)
- Note any hypotheses that could not be confirmed or denied
References
- Evidence store:
evidence.json(SHA-256 integrity: runpython3 SKILL_DIR/scripts/evidence-store.py --store evidence.json verify) - Related issues:
- RAPTOR framework: https://github.com/gadievron/raptor