Evidence Basics
Good evidence handling starts before deep analysis. Preserve original records, minimize sensitive content, and document every transformation. Agent sessions can contain API keys, environment variables, customer data, and internal code.
Preserve first
- Copy logs and session stores safely
- Record file paths and timestamps
- Hash important artifacts
- Avoid opening tools that may mutate session state
Handle secrets carefully
Redact reports by default. Avoid sharing raw transcripts unnecessarily. Agent telemetry should minimize raw content while retaining enough evidence to investigate.
Privacy posture
- Avoid full raw transcripts in SIEM events
- Prefer redacted excerpts
- Hash raw values when correlation is needed
- Use synthetic fixtures for demos and tests
Chain of custody
Track who collected evidence, when it was collected, where it came from, what changed during processing, and where the original is stored.
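An added example, not code from this page, that ties the Preserve first, Privacy posture and Chain of custody guidance together in Python: copy and hash the original, redact a transcript excerpt with keyed-hash tags so equal secret values still correlate across events without the raw value leaving the evidence store, and keep a custody record that logs each transformation. The transcript line, the secret-shape regexes, the correlation key and the collector name are constructed assumptions.

```python
import hashlib, hmac, os, re, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample transcript line that leaked an API-key-shaped value.
SAMPLE_TRANSCRIPT = "assistant: set OPENAI_API_KEY=sk-DEMO1234567890abcdef and retry\n"
# Assumed secret shapes; a real deployment tunes these to its own providers.
ASSIGN_RE = re.compile(r"(?i)\b([A-Z0-9_]*(?:API_KEY|TOKEN|SECRET|PASSWORD)[A-Z0-9_]*)=(\S+)")
TOKEN_RE = re.compile(r"\bsk-[A-Za-z0-9]{16,}\b")

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def preserve(src, evidence_dir, collector):
    """Copy the original keeping its mtime, make the copy read-only, hash it, open custody record."""
    os.makedirs(evidence_dir, exist_ok=True)
    dst = os.path.join(evidence_dir, os.path.basename(src))
    shutil.copy2(src, dst)
    os.chmod(dst, 0o444)
    mtime = datetime.fromtimestamp(os.stat(src).st_mtime, timezone.utc)
    return {
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "source_path": os.path.abspath(src),
        "source_mtime": mtime.isoformat(),
        "stored_at": os.path.abspath(dst),
        "sha256": sha256_file(dst),
        "transformations": [],
    }

def redact(text, key):
    """Swap secret-looking values for keyed-hash tags: the raw value stays out of the event,
    while equal values map to equal tags so analysts can still correlate."""
    def tag(value):
        return "[REDACTED:%s]" % hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]
    text = ASSIGN_RE.sub(lambda m: "%s=%s" % (m.group(1), tag(m.group(2))), text)
    return TOKEN_RE.sub(lambda m: tag(m.group(0)), text)

def siem_event(record, excerpt_text, key):
    """Emit the SIEM payload (hash of original + redacted excerpt) and log the transformation."""
    record["transformations"].append("excerpt redacted with HMAC-SHA256 tags")
    return {"evidence_sha256": record["sha256"], "excerpt": redact(excerpt_text, key)}

def demo(key=b"demo-correlation-key"):
    """Run the flow end to end on the constructed sample in a temporary directory."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "session.log")
    Path(src).write_text(SAMPLE_TRANSCRIPT)
    record = preserve(src, os.path.join(work, "evidence"), "analyst (placeholder)")
    return record, siem_event(record, SAMPLE_TRANSCRIPT, key)
```

The keyed hash is used instead of a plain hash so that a low-entropy value cannot be recovered by guessing and hashing candidates; the key itself belongs with the preserved originals, not in the SIEM.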
What conversations may omit
Conversations show prompts and responses but rarely capture the whole event. They may omit tool side effects, external API responses, files changed outside the transcript, redacted instructions, and continuation from prior sessions. Corroborate with tool records and system logs.