// evidence type
mcp audit log / client invocation trace
mcp server audit ndjson · client json-rpc invocation log · claude desktop tool-call export. reconstruct tool graphs, attribute agent actions, detect permission escalation and prompt injection via tool results.
start here · primary tools
ordered. work top-down. the first tool is the suggested entry point for this evidence type.
- mcp model context protocol server audit log forensic analyzer: drop mcp server audit log · parse tool calls + resource accesses + auth · runs locally
- mcp client invocation log forensic analyzer: drop mcp client invocation log · parse server calls + arguments + responses · runs locally
- mcp tool call graph reconstructor: drop mcp client + server log set · reconstruct tool-call dependency graph · runs locally
- anthropic mcp claude tool call attribution tool: drop claude tool call log · attribute each tool call to model decision · runs locally
also useful · secondary tools
supporting and follow-up tools. surface as the investigation widens.
- mcp server permission escalation detector: drop mcp server audit log · detect over-permissioned tool exposure · runs locally
- mcp prompt injection via tool result detector: drop mcp server tool result log · detect injection payloads in tool responses · runs locally
- ai agent tool call execution trace reconstructor: drop agent run log · reconstruct tool-call sequence + state mutations · runs locally
- llm prompt injection attempt log forensic analyzer: drop llm api/chat injection log export · parse user turn + matched pattern + model response · runs locally
- case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally