A New Role for AI in Forensics
In January 2019, I identified an anomaly inside a DEF CON 26 PCAP file, which led to months of in-depth analysis. What began as an investigation into stray HTTP traffic to obscure domains, such as 0hdaysec[.]cf, evolved into a deeper examination of the connection between leaked data and hidden personas.
One powerful tool in my 2025 workflow was not a traditional forensics suite, but rather ChatGPT. I initially had no preconceived ideas about how it could assist me, especially since direct PCAP analysis using the platform is not feasible. However, I found ChatGPT to be an effective copilot and helper.
When I used ChatGPT strategically, it supported my analysis by summarizing data from PCAP files, correlating timestamps, and suggesting pivots that would otherwise require a significant amount of manual effort. For example, I provided it with decoded Basic Auth strings (although it could have easily decoded these on its own; I did it out of habit), as well as WHOIS data, and ChatGPT generated structured relationships linking IP addresses, usernames, and time windows. I also used ChatGPT for further analysis by uploading CSV files that I had manually exported from PCAPs processed in Network Miner Pro 3.0 and Wireshark.
In 2025, using ChatGPT transformed my approach to investigations, significantly boosting my efficiency and insight. However, an important caveat is that it is only one tool in my toolbox. I still need to review any information it generates, decide on next steps, and adjust my approach accordingly.
How to Use ChatGPT Like a DFIR Analyst
There are several options for utilizing ChatGPT or any large language model (LLM) for this type of work. I chose the most basic option, which involved running my local tools and manually exporting information to paste or upload to ChatGPT for analysis. However, you could also build and develop a system that automates the extraction and workflows.
Think of ChatGPT as an analytical partner that excels with structured data. In practice, this means collecting and preprocessing evidence using tools such as NetworkMiner or Wireshark and then exporting the results into text or CSV format. From there, ChatGPT can review the data, identify patterns, and even generate timelines.
The key is to ask focused, hypothesis-driven questions: “What relationships exist between these IPs and hostnames?” or “Can you summarize these events in chronological order?” Each round of questioning tightens the scope of analysis. In some cases, this can lead to alternate lines of inquiry and reporting.
In the PCAP analyses, the loop of querying ChatGPT and manually reviewing PCAP files condensed multi-day reviews of network traffic into concise hypotheses ready for formal reporting. Every update still required human validation, but ChatGPT made it easier to reach the point where the real investigation could begin.
What Works and What Doesn’t
The advantages of using tools like ChatGPT are clear. ChatGPT accelerates data summarization, helps craft clear narratives for both technical and executive audiences, and strengthens the correlation between entities and events. It’s particularly good at recognizing patterns across thousands of lines of logs or text, as long as the investigator knows how to form their questions.
But there are limits. It can’t access live data or hidden services, and it occasionally draws false connections when context is thin. Its outputs have zero evidentiary value without human verification. And like any AI system, it’s only as effective as the investigator guiding it. It was my judgment, experience, and intuition that provided the investigation with its depth and nuance.
Where Agentic AI Fits
The next phase of my investigations would be to consider using agentic AI or self-directed assistants to monitor sources, parse artifacts, and feed enriched intelligence back into a reasoning model. The use of agentic AI in investigation is a leap into a future where our tools are not only powerful but also proactive.
What If an Agentic AI Ran the SpaceY Workflow?
Imagine reliving the SpaceY investigation without being overwhelmed with gigabytes of PCAP files. An agentic AI becomes my digital counterpart.
A monitor agent keeps watch on threat intelligence feeds, Wayback Machine snapshots, and GitHub commits for mentions of indicators, such as dump files. When it detects new data, such as a changed DNS record, a re-uploaded archive, or a new credential pattern, the collector agent can pull the raw material: WHOIS, passive DNS, or archived HTML. A parser agent then structures the evidence, tagging timestamps, IPs, and relationships. Finally, a reasoning agent (the LLM layer) summarizes what changed, updates a Relationship Graph in Neo4j or Obsidian, and alerts you:
“New DNS entry detected for 0hdaysec[.]cf on 2025-11-04. Related to the prior 2018 infrastructure. Possible reuse pattern.”
Then, I can review, verify, and decide whether to expand the scope. These agents don’t replace human judgment, but they do eliminate manual and repetitive tasks.
Building a Minimal Agentic AI Workflow (Free or Open-Source Stack)
An enterprise budget is not required to experiment with agentic AI for investigations. A capable agentic AI can be built from free or open-source tools. Here’s what that might look like:
1. Automation Framework: LangChain or CrewAI
2. Local LLM Reasoner: Ollama with Llama 3 or Phi-3-Mini
3. Data Collection: wget, curl, or waybackpy
4. Parsing and Enrichment: Python with pandas and regex
5. Visualization: Neo4j, Obsidian Graph View, or Gephi
6. Orchestration and Alerts: n8n, Huginn, or Apache Airflow
Example Agentic Workflow in Practice
If I were to rebuild the SpaceY investigation from scratch, but this time add an autonomous AI stack to do the repetitive work for me, there are several steps I can take.
Step 1: Collect evidence automatically
A script running waybackpy checks the Wayback Machine every 24 hours for new captures of domains, such as 0hdaysec[.]cf. When it finds something new, it saves the URL and timestamp to inputs/new_discoveries.json.
Step 2: Parse and structure data
Another lightweight script utilizes pandas to normalize the JSON into a clean table of URLs, IP addresses, dates, and keywords. It runs regular expression (regex) filters to extract references, such as encoded credentials.
Step 3: Trigger the reasoning agent
An automation tool like n8n or Huginn monitors the /inputs folder and triggers my local Ollama instance to run a reasoning model (Llama 3 or Phi-3-Mini) that summarizes what changed and possible meanings.
Step 4: Build a visual graph
Add each summary to Neo4j or Obsidian, linking domains, IPs, and personas into a living map of SpaceY’s digital footprint.
Step 5: Get notified when it matters
n8n or Huginn sends alerts whenever new correlated data appears. I can then verify, interpret, and decide next steps.
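As an added example (not code from the article or from any of the named projects), here is a stdlib-only Python sketch of Steps 2 and 3 above: the parser agent that normalizes inputs/new_discoveries.json, the "what changed since last run" diff that feeds the reasoning model, the prompt handed to the local reasoner, and Neo4j MERGE statements for Step 4. It also implements the grounding check that the limitations section calls for: every IP or domain the model mentions must exist in the evidence, or it is flagged as unsupported. The sample JSON, the RFC 5737 addresses, the Basic Auth placeholder token, and the case key are constructed; function names are my own.

```python
import hashlib
import json
import re

# Constructed sample of what a monitor agent might append to inputs/new_discoveries.json.
# The domain is from the article; IPs are RFC 5737 documentation addresses; the Basic
# Auth token is a made-up placeholder, not a real credential.
SAMPLE_DISCOVERIES = json.dumps([
    {"domain": "0hdaysec[.]cf", "timestamp": "2018-08-10T14:02:11Z",
     "resolved_ip": "203.0.113.7",
     "snippet": "GET /dump.zip HTTP/1.1\r\nAuthorization: Basic dXNlcjpwYXNzd29yZA==\r\n"},
    {"domain": "0hdaysec[.]cf", "timestamp": "2025-11-04T03:15:00Z",
     "resolved_ip": "203.0.113.9",
     "snippet": "GET /index.html HTTP/1.1\r\nAuthorization: Basic dXNlcjpwYXNzd29yZA==\r\n"},
])

# Constructed per-case key (assumption): keyed hashing means a fingerprint cannot be
# matched against a wordlist by anyone who does not hold the key.
CASE_KEY = b"constructed-case-key-change-me"

BASIC_AUTH_RE = re.compile(r"(Authorization:\s*Basic\s+)([A-Za-z0-9+/=]+)")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\[\.\]|\.)[a-z]{2,}\b", re.I)


def fingerprint(token: str) -> str:
    """Stable 12-hex-char handle for a secret, so records stay correlatable after
    the secret itself has been stripped from anything an LLM will see."""
    return hashlib.blake2b(token.encode(), key=CASE_KEY, digest_size=6).hexdigest()


def redact_basic_auth(text: str):
    """Replace Basic Auth tokens with fingerprints; returns (clean_text, fingerprints)."""
    fps = []

    def _sub(m):
        fp = fingerprint(m.group(2))
        fps.append(fp)
        return f"{m.group(1)}<redacted:{fp}>"

    return BASIC_AUTH_RE.sub(_sub, text), fps


def normalize_domain(d: str) -> str:
    return d.lower().replace("[.]", ".")


def parse_discoveries(raw_json: str):
    """Parser-agent step: flatten monitor output into evidence records with no secrets."""
    records = []
    for item in json.loads(raw_json):
        clean, fps = redact_basic_auth(item.get("snippet", ""))
        records.append({
            "domain": normalize_domain(item["domain"]),
            "ip": item.get("resolved_ip"),
            "date": item["timestamp"][:10],  # ISO date, used for timeline bucketing
            "credential_fps": fps,
            "snippet": clean,
        })
    return records


def build_edges(records):
    """Relationship triples (subject, relation, object) ready for a graph store."""
    edges = set()
    for r in records:
        if r["ip"]:
            edges.add((r["domain"], "RESOLVES_TO", r["ip"]))
        edges.add((r["domain"], "SEEN_ON", r["date"]))
        for fp in r["credential_fps"]:
            edges.add((r["domain"], "USES_CREDENTIAL", fp))
    return edges


def new_edges(previous, current):
    """What changed since the last run: the only thing the reasoner needs to see."""
    return current - previous


def to_cypher(edges):
    """Neo4j MERGE statements; MERGE is idempotent, so reruns do not duplicate nodes."""
    label = {"RESOLVES_TO": "IP", "SEEN_ON": "Date", "USES_CREDENTIAL": "CredentialFP"}
    return "\n".join(
        f'MERGE (a:Domain {{name: "{s}"}}) MERGE (b:{label[rel]} {{name: "{o}"}}) '
        f"MERGE (a)-[:{rel}]->(b)"
        for s, rel, o in sorted(edges))


def build_prompt(changed):
    """Prompt for the local reasoner; constrains it to the listed facts only."""
    facts = "\n".join(f"{s} {rel} {o}" for s, rel, o in sorted(changed))
    return ("You are assisting a DFIR analyst. Using ONLY the facts below, summarize what "
            "changed and flag any infrastructure reuse. Do not introduce entities that are "
            f"not listed.\n\nNEW FACTS:\n{facts}\n")


def unsupported_entities(summary: str, records) -> set:
    """Grounding check: any IP or domain in the model's summary that is absent from the
    evidence is returned so the analyst can reject or re-verify the claim."""
    known = {r["ip"] for r in records if r["ip"]} | {r["domain"] for r in records}
    mentioned = set(IP_RE.findall(summary)) | {
        normalize_domain(d) for d in DOMAIN_RE.findall(summary)}
    return mentioned - known


if __name__ == "__main__":
    recs = parse_discoveries(SAMPLE_DISCOVERIES)
    changed = new_edges(build_edges(recs[:1]), build_edges(recs))
    print(build_prompt(changed))
    print(to_cypher(changed))
    print(unsupported_entities("Also contacted 198.51.100.9.", recs))
```

Two design points matter here. Secrets are fingerprinted before anything reaches the model, so the prompt, the graph, and any alert can correlate "same credential reused" without ever carrying the credential. And the grounding check runs on the model's output rather than trusting it: a claimed pivot that names an address or domain the evidence does not contain is exactly the "false connection when context is thin" the limitations section warns about. The entity extraction is deliberately simple and will also flag file-like tokens such as dump.zip, which is acceptable for a check whose job is to force a human look.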
This workflow can run on a laptop or VM. It’s the start of what agentic DFIR will look like: human-led and machine-accelerated investigations.
Summary
The SpaceY investigation illustrated how small traces, when carefully assembled, revealed a larger narrative filled with intent, capability, and timing. In 2018, this process was entirely manual, requiring packet captures, timestamps, Slack communications, and WHOIS data to be pieced together to form a coherent picture.
If I had today’s AI capabilities during that time, much of my manual effort could have been streamlined and automated, enhancing the efficiency of my investigative work. Tools like ChatGPT demonstrated that even a general-purpose model can function as a tactical co-analyst or copilot, transforming unstructured data into organized and meaningful insights. The evolution of agentic AI takes this a step further by providing autonomy and the ability to monitor, adapt, and surface leads.
At its core, investigation is a human discipline that thrives on curiosity, intuition, and a healthy dose of skepticism, qualities that no algorithm can replicate. While AI may provide some valuable insights, it is ultimately the investigator who chooses where to take the investigation.
© 2025 T3mp3st
