Overview
An IR team responding to a supply-chain compromise needs to move quickly across several different investigative activities in the same working session: collecting artefacts from affected endpoints, detonating suspicious payloads in a sandbox, inspecting firmware images from compromised embedded devices, and packaging findings for legal review. Switching between unrelated dashboards breaks concentration and introduces coordination errors. The Digital Forensics Workbench assembles all of that tooling into a single operational preset tuned specifically for DFIR workflows.
The workbench is designed for teams who need to go from live response and endpoint collection directly into artefact review, malware detonation, firmware inspection, and evidence packaging, without context-switching out of their investigation environment.
Open Standards
- OASIS STIX 2.1 / TAXII 2.1: Threat intelligence indicators and bundles ingested from TAXII feeds are stored and surfaced within the workbench, linking external threat context directly to forensic artefacts and investigation cases.
- W3C Verifiable Credentials Data Model v2.0: Each chain-of-custody record for an evidence item is issued as a Verifiable Credential (VC DM v2.0) signed with Ed25519, giving tamper-evident provenance that travels with the artefact through examination and legal disclosure. The records are only as trustworthy as the issuing key: the issuer's public key (and any rotation history) has to be disclosed with the evidence so that a third party can verify the chain independently, and the private key needs stronger protection than an ordinary workbench user account.
- RFC 3161 (Internet X.509 PKI Time-Stamp Protocol): Evidence exports embed a timestamp token issued by a trusted third-party Time Stamping Authority (TSA) over the hash of the exported package, anchoring the moment of collection or export to the TSA's signed clock rather than to the responder's workstation. The token proves that the package existed in exactly that form no later than the TSA's time; it says nothing about the content itself. Whether a particular TSA is acceptable in legal proceedings depends on the jurisdiction, so the TSA's identity and certificate chain should be retained with the package.
- ISO 19005 (PDF/A): Evidence packages can be exported as PDF/A-1b, PDF/A-2b, PDF/A-3b, or PDF/A-4f to meet court and disclosure requirements for long-term archival documents. Choose the conformance level by what the package must carry: PDF/A-3b and PDF/A-4f permit embedded files of any type (for example the original artefacts and custody records), whereas PDF/A-1b allows no embedded files and PDF/A-2b allows only embedded files that are themselves PDF/A.
- FIPS 180-4 / FIPS 202 (SHA-2 and SHA-3 hash algorithms): Artefact integrity is verified using SHA-256 and SHA-512 (FIPS 180-4) and SHA3-256 (FIPS 202) digests computed at ingest and re-verified at each custody transfer.
- ISO 8601 (Date and Time Format): All timestamps across artefact records, custody events, and hunt results are normalised to ISO 8601 strings with an explicit UTC offset (the RFC 3339 profile), so that records gathered from endpoints in different time zones sort correctly and interoperate with downstream case management systems. Normalisation does not correct a skewed endpoint clock, so the source clock offset observed at collection should be recorded alongside the normalised value.
- GraphQL (June 2018 specification): All evidence management, chain-of-custody, and forensic-tool integration operations are exposed through a GraphQL API, enabling typed, introspectable queries and mutations from the workbench frontend. Mutations on custody records, and schema introspection, are privileged operations and should be reachable only by authenticated and authorised callers.
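The Verifiable Credentials, hash-algorithm, and ISO 8601 entries above describe one mechanism: a signed record per custody event that carries the artefact digest and a normalised timestamp, with each event linked to the one before it. The Go program below is an added illustration written for this page, not the workbench's own code. It issues VC DM v2.0-shaped custody records signed with Ed25519, re-hashes the artefact at each transfer, and rejects a broken link, an out-of-order timestamp, a modified record, or altered artefact bytes. Everything specific in it is an assumption: the credentialSubject layout and the EvidenceCustodyCredential type name, sorted-key JSON standing in for JCS canonicalisation, base64url for proofValue instead of multibase, a single issuer key, and SHA-256 alone (SHA-512 is a one-line addition; SHA3-256 needs crypto/sha3 or golang.org/x/crypto).

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// VC DM v2.0 field names; the credentialSubject layout and the type name are assumptions for this example.
type CustodyCredential struct {
	Context   []string       `json:"@context"`
	Type      []string       `json:"type"`
	Issuer    string         `json:"issuer"`
	ValidFrom string         `json:"validFrom"` // ISO 8601 (RFC 3339 profile), always UTC
	Subject   CustodySubject `json:"credentialSubject"`
	Proof     *Proof         `json:"proof,omitempty"`
}

type CustodySubject struct {
	ArtefactID string `json:"artefactId"`
	Event      string `json:"event"` // "ingest" or "transfer"
	Custodian  string `json:"custodian"`
	SHA256     string `json:"sha256"`                  // FIPS 180-4 digest of the artefact bytes
	Previous   string `json:"previousProof,omitempty"` // proofValue of the prior event, linking the chain
}

type Proof struct {
	Type       string `json:"type"`
	ProofValue string `json:"proofValue"` // base64url Ed25519 signature (multibase left out)
}

// canonicalize re-encodes v with sorted keys and no whitespace, standing in for JCS (RFC 8785); marshalling these string-only structs cannot fail.
func canonicalize(v any) []byte {
	var generic any
	raw, _ := json.Marshal(v)
	_ = json.Unmarshal(raw, &generic)
	out, _ := json.Marshal(generic) // encoding/json writes map keys in sorted order
	return out
}

// IssueCustody hashes the artefact and signs one custody event with the issuer's Ed25519 key.
func IssueCustody(priv ed25519.PrivateKey, issuer, artefactID, event, custodian, previous string, data []byte, at time.Time) CustodyCredential {
	sum := sha256.Sum256(data)
	cred := CustodyCredential{
		Context:   []string{"https://www.w3.org/ns/credentials/v2"},
		Type:      []string{"VerifiableCredential", "EvidenceCustodyCredential"},
		Issuer:    issuer,
		ValidFrom: at.UTC().Format(time.RFC3339),
		Subject:   CustodySubject{artefactID, event, custodian, hex.EncodeToString(sum[:]), previous},
	}
	sig := ed25519.Sign(priv, canonicalize(cred)) // Proof is still nil, so the signature covers all other fields
	cred.Proof = &Proof{"DataIntegrityProof", base64.RawURLEncoding.EncodeToString(sig)}
	return cred
}

// VerifyCustody checks the Ed25519 proof over the record, then re-hashes the artefact bytes.
func VerifyCustody(pub ed25519.PublicKey, cred CustodyCredential, data []byte) error {
	if cred.Proof == nil {
		return fmt.Errorf("credential carries no proof")
	}
	unsigned := cred
	unsigned.Proof = nil
	sig, err := base64.RawURLEncoding.DecodeString(cred.Proof.ProofValue)
	if err != nil || !ed25519.Verify(pub, canonicalize(unsigned), sig) {
		return fmt.Errorf("proofValue is malformed or the Ed25519 signature does not verify")
	}
	if sum := sha256.Sum256(data); hex.EncodeToString(sum[:]) != cred.Subject.SHA256 {
		return fmt.Errorf("artefact bytes do not match the recorded digest")
	}
	return nil
}

// VerifyChain walks the events in order: each must link to the previous proof, carry a well-formed timestamp no earlier than its predecessor, verify, and match the artefact bytes.
func VerifyChain(pub ed25519.PublicKey, chain []CustodyCredential, data []byte) error {
	prevProof, prevTime := "", time.Time{}
	for i, c := range chain {
		t, err := time.Parse(time.RFC3339, c.ValidFrom)
		if c.Subject.Previous != prevProof || err != nil || t.Before(prevTime) {
			return fmt.Errorf("event %d: broken link to previous event or bad timestamp %q", i, c.ValidFrom)
		}
		if err := VerifyCustody(pub, c, data); err != nil {
			return fmt.Errorf("event %d: %w", i, err)
		}
		prevProof, prevTime = c.Proof.ProofValue, t
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	data := []byte("constructed sample: bytes of a collected file") // constructed input
	ingest := IssueCustody(priv, "did:example:lab", "artefact-0001", "ingest", "analyst-a", "", data, time.Now())
	transfer := IssueCustody(priv, "did:example:lab", "artefact-0001", "transfer", "examiner-b", ingest.Proof.ProofValue, data, time.Now())
	fmt.Println("chain verifies (<nil> means ok):", VerifyChain(pub, []CustodyCredential{ingest, transfer}, data))
}
```

Run it with go run; the last line prints <nil> when the chain verifies. A production issuer would use a published Data Integrity cryptosuite (eddsa-jcs-2022 or eddsa-rdfc-2022) rather than the simplified canonicalisation here, and would keep the signing key in an HSM or KMS so that custody records cannot be re-signed by whoever holds a workbench login.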
Last Reviewed: 2026-03-24 Last Updated: 2026-04-14
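The RFC 3161 entry above says a timestamp token is embedded in evidence exports but not what the client actually sends to obtain one. The Go program below is an added example written for this page, not the workbench's own code: it builds the DER-encoded TimeStampReq that a client posts to a Time Stamping Authority (Content-Type application/timestamp-query, RFC 3161 section 3.4) with a SHA-256 imprint of the export, a random nonce and certReq set, then parses it back the way a TSA or a later auditor would, rejecting a wrong version, a non-SHA-256 algorithm, an imprint of the wrong length, or trailing bytes. Assumptions: SHA-256 as the imprint algorithm, no reqPolicy or extensions, and the constructed export bytes in main. Verifying the TSA's TimeStampResp (a CMS SignedData carrying TSTInfo) is not shown.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
)

// id-sha256 (2.16.840.1.101.3.4.2.1), the hash algorithm named in the imprint.
var oidSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}

// MessageImprint ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier, hashedMessage OCTET STRING }
type MessageImprint struct {
	HashAlgorithm pkix.AlgorithmIdentifier
	HashedMessage []byte
}

// TimeStampReq from RFC 3161 section 2.4.1; the optional extensions field is left out.
type TimeStampReq struct {
	Version        int
	MessageImprint MessageImprint
	ReqPolicy      asn1.ObjectIdentifier `asn1:"optional"`
	Nonce          *big.Int              `asn1:"optional"`
	CertReq        bool                  `asn1:"optional"` // DEFAULT FALSE, so omitted when false
}

// BuildTimeStampReq hashes an evidence export and DER-encodes the request a TSA expects.
func BuildTimeStampReq(export []byte, nonce *big.Int) ([]byte, error) {
	sum := sha256.Sum256(export)
	return asn1.Marshal(TimeStampReq{
		Version: 1,
		MessageImprint: MessageImprint{
			HashAlgorithm: pkix.AlgorithmIdentifier{Algorithm: oidSHA256}, // parameters absent, per RFC 5754
			HashedMessage: sum[:],
		},
		Nonce:   nonce, // echoed back in TSTInfo, so the client can tie the token to this request
		CertReq: true,  // ask the TSA to include its signing certificate in the response
	})
}

// ParseTimeStampReq decodes a request and rejects anything a TSA (or a later auditor) should not accept.
func ParseTimeStampReq(der []byte) (TimeStampReq, error) {
	var req TimeStampReq
	rest, err := asn1.Unmarshal(der, &req)
	switch {
	case err != nil:
		return req, err
	case len(rest) != 0:
		return req, errors.New("trailing bytes after TimeStampReq")
	case req.Version != 1:
		return req, fmt.Errorf("unsupported TimeStampReq version %d", req.Version)
	case !req.MessageImprint.HashAlgorithm.Algorithm.Equal(oidSHA256):
		return req, errors.New("hash algorithm is not SHA-256")
	case len(req.MessageImprint.HashedMessage) != sha256.Size:
		return req, errors.New("hashedMessage length does not match SHA-256")
	}
	return req, nil
}

// ImprintMatches reports whether the request's imprint is the SHA-256 of export.
func ImprintMatches(req TimeStampReq, export []byte) bool {
	sum := sha256.Sum256(export)
	return bytes.Equal(req.MessageImprint.HashedMessage, sum[:])
}

func main() {
	export := []byte("constructed sample: bytes of an evidence package export") // constructed input
	nonce, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	der, err := BuildTimeStampReq(export, nonce)
	if err != nil {
		panic(err)
	}
	fmt.Println("TimeStampReq DER:", hex.EncodeToString(der))
	req, err := ParseTimeStampReq(der)
	fmt.Println("round-trip ok:", err == nil && ImprintMatches(req, export) && req.Nonce.Cmp(nonce) == 0)
}
```

Before storing the returned token with the package, a client must check that the TSTInfo inside the response repeats the same nonce and messageImprint and that the TSA signature chains to a trusted certificate. For a cross-check with an independent implementation, openssl ts -query -in req.tsq -text dumps a request produced by this code, and openssl ts -verify -queryfile req.tsq -in resp.tsr -CAfile tsa-ca.pem checks the TSA's response against it.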
Key Features
- Live Collection and Hunt Coordination: Supports endpoint and artefact collection workflows alongside hunt-management operations for active cases, keeping collection and analysis in the same operational surface
- Case-Ready Forensics Review: Surfaces analysis environments for inspecting, validating, and organising digital artefacts for downstream review or legal disclosure
- Malware and Sample Triage: Malware database and sandbox workflows for understanding payload behaviour and linking samples to investigation cases
- Firmware Analysis Support: Firmware inspection capability in the same workspace as endpoint and malware review, covering incidents that span embedded systems
- Forensics-Focused Presets: Evidence and DFIR tooling kept together in a single operational surface, separate from broader cyber monitoring views that would create noise during active response
Use Cases
- Endpoint Incident Triage: Responders collect artefacts from affected systems, launch hunts, and review results without leaving the workbench during active incidents
- Digital Evidence Examination: Examiners organise and analyse host, file-system, and malware artefacts for investigative or legal review, maintaining chain-of-custody linkage throughout
- Firmware and Embedded Analysis: Teams inspect suspicious firmware packages alongside endpoint and malware findings when incidents span embedded systems or compromised hardware
- Malware-Driven Investigation Support: Analysts detonate samples, compare outputs, and connect malware findings back to incidents and evidence workflows within one continuous session
Integration
- DFIR-ORC, GRR, Autopsy, CAPE Sandbox, FKIE FACT, and MWDB-style tooling
- Evidence management and review workflows
- Cyber-response and case management systems
- Shared cyber and review workbenches for cross-team collaboration