Daedalus — Adaptive Artifact Handler

What problem does it solve?

Daedalus prevents wasted DFIR triage effort by ensuring analysis scripts run only when the corresponding evidence artifact is actually present, while also closing gaps when new or variant artifacts appear in a case.

Core Features & Use Cases

• Deterministic evidence routing: Ensures phases execute based on artifact presence, avoiding irrelevant web, email, or domain work when evidence does not support it.
• Domain extension for variants: When an artifact belongs to an existing script’s domain but isn’t covered by that script’s handler list, Daedalus extends the owning script with a new section and updates the handler registry.
• Gap creation for new artifact types: When an artifact has no handler and no owning domain script, Daedalus generates a new SIFTics-compatible phase script, validates it, and registers it in the triage run plan.
• ISC handoff via run plan: Produces a validated run plan for the Investigation Section Chief, which then sequences the indicated phase scripts without Daedalus executing analysis itself.

Quick Start

Ask the Investigation Section Chief to invoke Daedalus at the start of the case (after Phase 0 evidence fingerprinting) by providing the case root path and mounted evidence path, so it can return the validated run plan to execute.