Project Memento Mori: The AI Digital Forensics Analyst
An AI-powered digital forensics tool that automatically analyzes file metadata and logs to reconstruct cyber attack timelines. It identifies anomalies and logical inconsistencies, much like an investigator piecing together fragmented memories.
Inspired by the fragmented memory of 'Memento', the logical reasoning of 'I, Robot', and the data-scraping core of an 'Image Metadata' project, 'Project Memento Mori' is a cybersecurity tool designed for digital forensics and incident response (DFIR). It acts as an AI-powered analyst that helps individuals, freelancers, and small businesses piece together the 'story' of a cyber attack from a chaotic collection of digital evidence.
The Story & Concept:
Imagine a system has been breached. The security analyst is like Leonard Shelby from 'Memento'—they have a form of digital amnesia. They are faced with a jumble of clues: system logs, modified files, network captures, and memory dumps. They must reconstruct a timeline of what happened, but the evidence can be incomplete, misleading, or deliberately altered by the attacker. They need a system to organize these 'notes' and 'photos' into a coherent narrative and to trust that the information is reliable.
This is where Memento Mori comes in. It doesn't just present data; it interprets it. Drawing inspiration from Asimov's 'I, Robot', the AI operates on a set of core logical principles, a 'Three Laws of Digital Forensics.' It looks for violations of these logical rules and subtle deviations from normal behavior—the 'ghost in the machine'—that a human analyst might miss. Its goal is to create an objective, reliable 'memory' of the incident.
How It Works:
1. Data Ingestion & Scraping: The user points the tool at a forensic disk image or a folder of files collected from the compromised system (logs, documents, executables, etc.). The tool works only against a write-blocked image or read-only mount, because opening files on the live original rewrites their Accessed timestamps and destroys part of the evidence being collected. The core of the tool is a 'metadata scraper' that goes far beyond images: it extracts the file-system timestamp set (Modified, Accessed, Changed and Birth, the MACB timestamps), owner and user account information, software versions, GPS coordinates and other embedded fields (EXIF, Office document properties, PE headers) from hundreds of file types, recording for every value which source it came from and in which time zone it was stored.
2. Timeline Reconstruction ('Memento' Stage): The system parses all this disparate data, normalizes every timestamp to UTC (keeping each source's original time zone and any known clock skew), and plots every event onto a single, interactive timeline. This is the user's 'wall of photos and notes.' They can filter by event type (e.g., 'file creation', 'login attempt', 'network connection'), user, or file name to see how events unfolded chronologically. It highlights 'gaps' in the memory, periods with no log data where there should be some, such as a source that normally logs every few minutes falling silent for hours. A gap can indicate log clearing or tampering, but log rotation, a powered-off host, or genuine inactivity leave the same silence, so gaps are presented as leads to verify rather than as conclusions.
3. AI-Driven Anomaly Detection ('I, Robot' Stage): This is the core intelligence. The AI analyzes the complete timeline based on a set of logical rules and behavioral analysis:
- Logical Violation Checks: The AI enforces rules such as 'A file's creation timestamp should not precede the operating system's installation date' or 'A standard user account cannot perform an action that requires administrator privileges without a corresponding privilege escalation event in the log.' Any violation is flagged as a high-priority anomaly, similar to a robot violating a fundamental Law. Rules of the first kind are heuristics rather than hard laws: installers, archive extraction and file copies routinely preserve a file's original timestamps, and an attacker can deliberately backdate them (timestomping), so the flag marks the file for review instead of asserting tampering.
- Behavioral Analysis: The AI establishes a baseline for 'normal' activity. It then flags unusual events, such as a process that typically never accesses the network suddenly making an outbound connection, or files being modified at 3 AM when the user is never active at that time. It looks for the subtle signs of a system that is no longer behaving as it should.
- Event Correlation: The AI links seemingly unrelated events to build a potential attack chain. It might connect a suspicious PowerShell command to the subsequent creation of a new scheduled task and the modification of a system file, presenting it as a single, coherent event.
4. Narrative Generation & Reporting: The final output is not just a list of data points. Memento Mori generates a human-readable report that tells the story of the attack. It presents a summary like: 'At 22:04, an anomalous login was detected from IP address X. Three minutes later, this account executed a script that violated logical principle 2 by modifying a critical system file. We assess with 85% confidence that this marks the initial point of compromise.' Every sentence is linked back to the raw events it rests on, so the analyst can check the tool's reading against the evidence rather than trust it blindly. The narrative is a hypothesis that gives the manual investigation a clear starting point, saving hours of work.
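The four stages above, as an added Python example that is not part of the Memento Mori project: it normalizes timestamps stored in different encodings (ISO-8601 with offset, Unix epoch seconds, Windows FILETIME) into one UTC timeline, reports silence in a log source, applies the two logical rules from stage 3 (with the install-date rule treated as a heuristic, as noted there), links an execution event to the privileged actions the same account performs shortly afterwards, and emits one narrative sentence per chain. The event rows, the 'evtx' and 'mft' source labels, the hourly heartbeat cadence, the OS install date and the set of actions treated as privileged are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)
PRIVILEGED_KINDS = {"task_create"}            # assumed to need admin rights on this host
SYSTEM_PREFIXES = (r"C:\Windows\System32",)   # writes under here are treated as privileged

@dataclass(frozen=True)
class Event:
    ts: datetime   # always aware UTC after normalise()
    source: str    # artefact the row came from, e.g. "evtx" or "mft"
    kind: str      # heartbeat, login, exec, priv_esc, task_create, file_create, file_modify
    actor: str
    obj: str

def normalise(raw):
    """Map ISO-8601 strings, Unix epoch seconds and Windows FILETIME to aware UTC.
    Naive ISO strings are rejected: guessing a zone silently skews the whole timeline."""
    if isinstance(raw, str):
        dt = datetime.fromisoformat(raw)
        if dt.tzinfo is None:
            raise ValueError(f"naive timestamp {raw!r}: source timezone must be known")
        return dt.astimezone(UTC)
    if raw > 10**11:  # FILETIME (100 ns ticks since 1601) is ~1.3e17 today; epoch seconds ~1.7e9
        return WINDOWS_EPOCH + timedelta(microseconds=raw // 10)
    return datetime.fromtimestamp(raw, tz=UTC)

def build_timeline(raw_rows):
    events = (Event(normalise(ts), src, kind, actor, obj) for src, ts, kind, actor, obj in raw_rows)
    return sorted(events, key=lambda e: e.ts)

def is_privileged(e):
    return e.kind in PRIVILEGED_KINDS or (e.kind == "file_modify" and e.obj.startswith(SYSTEM_PREFIXES))

def find_gaps(timeline, source, cadence):
    """Silence in a source that normally logs at least every `cadence`. A gap is a lead,
    not proof: log rotation, a powered-off host or genuine inactivity look the same."""
    rows = [e for e in timeline if e.source == source]
    return [(a.ts, b.ts) for a, b in zip(rows, rows[1:]) if b.ts - a.ts > 2 * cadence]

def check_rules(timeline, os_installed):
    """The two logical rules from stage 3. The install-date rule is a heuristic only:
    installers, archive extraction and copies can preserve a file's source timestamps."""
    findings, escalated = [], set()   # escalated: actors with an earlier priv_esc event
    for e in timeline:
        if e.kind == "priv_esc":
            escalated.add(e.actor)
        if e.kind == "file_create" and e.ts < os_installed:
            findings.append(("timestamp_before_os_install", e))
        if is_privileged(e) and e.actor not in escalated:
            findings.append(("privileged_action_without_escalation", e))
    return findings

def correlate(timeline, window):
    """Link an exec to the privileged actions the same actor performs within `window`."""
    chains = []
    for i, head in enumerate(timeline):
        if head.kind == "exec":
            tail = [e for e in timeline[i + 1:]
                    if e.actor == head.actor and e.ts - head.ts <= window and is_privileged(e)]
            if tail:
                chains.append([head] + tail)
    return chains

def narrate(chains):
    """One sentence per chain, built only from the events it rests on."""
    return [f"At {c[0].ts:%H:%M}Z {c[0].actor} ran '{c[0].obj}', followed within "
            f"{int((c[-1].ts - c[0].ts).total_seconds() // 60)} min by: "
            + "; ".join(f"{e.kind} {e.obj}" for e in c[1:]) for c in chains]

# Constructed sample evidence, not real data. The sources deliberately mix timestamp
# encodings (ISO with offset, epoch seconds, FILETIME) to exercise normalise().
RAW_ROWS = [
    ("evtx", "2024-03-01T18:00:00+00:00", "heartbeat", "SYSTEM", "hourly audit heartbeat"),
    ("evtx", "2024-03-01T19:00:00+00:00", "heartbeat", "SYSTEM", "hourly audit heartbeat"),
    ("evtx", "2024-03-01T19:30:00+00:00", "priv_esc", "admin_jane", "UAC elevation"),
    ("evtx", "2024-03-01T19:31:00+00:00", "task_create", "admin_jane", r"\Maintenance\Backup"),
    ("evtx", "2024-03-02T00:04:00+02:00", "login", "svc_backup", "from 10.0.0.5"),      # 22:04Z
    ("evtx", "2024-03-01T22:07:00+00:00", "exec", "svc_backup", "powershell.exe -EncodedCommand <redacted>"),
    ("evtx", 1709330940, "task_create", "svc_backup", r"\Microsoft\Windows\Updater"),       # 22:09Z
    ("mft", 133538046000000000, "file_modify", "svc_backup", r"C:\Windows\System32\drivers\etc\hosts"),  # 22:10Z
    ("mft", "2019-06-01T00:00:00+00:00", "file_create", "svc_backup", r"C:\Users\Public\x.exe"),
]
OS_INSTALLED = datetime(2021, 5, 10, tzinfo=UTC)   # assumed install date of the imaged host

def analyse(raw_rows=RAW_ROWS, os_installed=OS_INSTALLED):
    tl = build_timeline(raw_rows)
    chains = correlate(tl, timedelta(minutes=10))
    return {"gaps": find_gaps(tl, "evtx", timedelta(hours=1)),
            "violations": check_rules(tl, os_installed),
            "chains": chains, "narrative": narrate(chains)}

if __name__ == "__main__":
    for name, value in analyse().items():
        print(name, value)
```

On the constructed rows `analyse()` reports one gap (the 'evtx' source is silent from 19:31 to 22:04), three rule violations (the 2019 creation timestamp, and two privileged actions by svc_backup with no prior privilege escalation; admin_jane's task creation is not flagged because her escalation event precedes it), and one chain linking the PowerShell execution to the scheduled task and the hosts-file write three minutes later. The gap and the backdated file are surfaced as items to verify, which is the posture stages 2 and 3 call for.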
Area: Cybersecurity
Method: Image Metadata
Inspiration (Book): I, Robot - Isaac Asimov
Inspiration (Film): Memento (2000) - Christopher Nolan