// per-tool methodology
memory beacon pattern detector
drop memory dump or volatility strings · cobalt strike beacon strings and config markers · meterpreter empire heuristics · sleep jitter c2 extraction · runs locally
public grade · B
solid triage · raw 10/14 (band: 9–11 / 14)
what this grade means
real parsing or rule engine · at least one structured export · honest about boundaries
capability class · binary / media inspection
byte-level inspection of image/audio/video/document containers and metadata
max grade for this class: A
- carving and header inspection can false-positive on random byte alignment
- metadata can be stripped or rewritten — absence of a field is not proof of absence of activity
known limitations
- meets the public B minimum ship bar: raw ≥ 9/14, UI dimension = 2, IF/OU/DQ/RB/HN ≥ 1 each, no critical red flags
- expect rough edges on uncommon schema variants, oversized inputs, or partially corrupted artifacts
- treat flags as leads — corroborate with primary sources before drawing conclusions
- outputs require independent verification before any legal, financial, medical, safety, or evidentiary use
B minimum ship bar
- newly added forensics tools must clear the public B minimum before merging
- minimum: letter grade B or A · raw score ≥ 9/14 · UI dimension = 2 · IF/OU/DQ/RB/HN ≥ 1 each · no critical red flags (missing engine, placeholder logic, no exports)
- the ship bar is enforced by quality.audit.json sidecars and npm run tools:grade-forensics --check