Skip to content

P1 (signal): Evidence is a pointer into transient state, not preserved evidence #197

Description

@sankpal-shreyas

The problem

`evidence_pointer` in `Finding` is shaped:

```json
{ "tool": "inspect_persistence_locations", "turn": 2, "field": "observation.actionable_suspicious_count" }
```

That is a pointer into the agent's run-time state, not preserved evidence. By the time an analyst reads the report, the original tool output may not be retained (depends on `--evidence-bundle-dir` flag). Even when it is, no hash, signature, or chain-of-custody metadata exists. This is unusable for any forensic process that needs to be defensible.

What good looks like

```json
{
"evidence": {
"hash_sha256": "643a6da2...887389",
"captured_at": "2026-04-26T10:30:00Z",
"original_path": "C:\Windows\System32\notepad.exe",
"copy_path": "./evidence/2026-04-26-run-abc/notepad.exe",
"tool_invocation": { "tool": "hash_binary", "args": {"path": "C:\Windows\System32\notepad.exe"} },
"raw_observation": { "sha256": "643a6da2...", "path": "C:\Windows\..." },
"signature": "ed25519:..."
}
}
```

For registry/event-log/network observations, the "copy" is a snapshot of the queried subtree at run time, signed with a per-host key (generated on first run, persisted in OS keystore).

Acceptance

  • Every finding carries hash + timestamp of preserved observation.
  • Evidence bundle tarball is signed and verifiable offline (`wraithrun verify-evidence `).
  • Documentation references chain-of-custody requirements (DFIR practitioner audience).

Metadata

Metadata

Assignees

No one assigned

    Labels

    area:agentAgent loop, investigation planning, and LLM orchestrationenhancementNew feature or requestpriority:p1High-priority issue for current milestonesecuritySecurity-related hardening or fixessignal-qualityFindings/signal-quality (vs infrastructure/build)

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions