[REVIEW] forensics-checklist: add KMS log decryption key preservation gates
Skill Being Reviewed
Skill name: forensics-checklist
Skill path: skills/incident-response/forensics-checklist/
False Positive Analysis
Encrypted logs are acceptable forensic evidence when decrypt keys, key policy, access logs, and chain-of-custody are preserved.
Coverage Gaps
The checklist should verify KMS key preservation for encrypted log evidence. Exporting log files is not enough if keys rotate, are disabled, deleted, or inaccessible to investigators.
Edge Cases
- Cloud KMS scheduled deletion starts during incident.
- Key policy excludes IR role.
- Cross-account logs require external key grants.
Remediation Quality
- Add fields: key ID/version, retention, deletion status, decrypt permission, access log, and evidence custodian.
- Require test decrypt of sample evidence.
- Flag logs whose keys cannot be preserved.
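The edge cases and remediation fields above can be expressed as a small preservation gate that runs once per exported log file. The following is an added example written for this review, not code from the forensics-checklist skill: it models each KMS key as a dict carrying the `KeyState` and `DeletionDate` fields that AWS KMS `DescribeKey` returns, plus two simplified assumptions, `DecryptPrincipals` (standing in for a parsed key policy) and `Grants` (standing in for `ListGrants` output). The IR role ARN, account IDs, key IDs, file paths and the `simulated_test_decrypt` stub are constructed; a real gate would call `DescribeKey`, `GetKeyPolicy`, `ListGrants` and `Decrypt` as the IR role.

```python
"""Preservation gate for KMS-encrypted log evidence (added example).

Every gate is evaluated for each evidence record so the custodian sees
all blockers at once: scheduled deletion before retention ends, disabled
keys, missing kms:Decrypt path for the IR role (key policy or grant,
including the cross-account case), and a failed test decrypt.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

IR_ROLE = "arn:aws:iam::111111111111:role/IncidentResponse"  # constructed
IR_ACCOUNT = "111111111111"                                   # constructed


@dataclass
class EvidenceRecord:
    log_path: str
    key_id: str
    key_version: str       # key material version / rotation epoch used for this file
    retention_days: int    # how long the evidence must remain decryptable
    custodian: str         # evidence custodian named in the chain of custody
    source_account: str    # account that produced the log


@dataclass
class GateResult:
    log_path: str
    usable: bool
    findings: list         # one entry per failed gate, with the remediation needed


def ir_has_decrypt_path(meta):
    """True if the IR role reaches kms:Decrypt via the key policy or a grant."""
    if IR_ROLE in meta.get("DecryptPrincipals", ()):
        return True
    return any(g["GranteePrincipal"] == IR_ROLE and "Decrypt" in g["Operations"]
               for g in meta.get("Grants", []))


def simulated_test_decrypt(key_id, meta):
    """Stand-in for decrypting one sample ciphertext block as the IR role.
    KMS refuses cryptographic operations on keys that are not Enabled."""
    return meta["KeyState"] == "Enabled" and ir_has_decrypt_path(meta)


def key_preservation_gate(ev, keys, test_decrypt, now):
    """Apply the preservation gates to one evidence record."""
    findings = []
    meta = keys.get(ev.key_id)
    if meta is None:
        return GateResult(ev.log_path, False,
                          ["key metadata unavailable: key deleted or not visible to IR role"])
    retention_end = now + timedelta(days=ev.retention_days)
    state = meta["KeyState"]
    if state == "PendingDeletion":
        if meta["DeletionDate"] < retention_end:
            findings.append("scheduled deletion %s precedes retention end %s: cancel deletion"
                            % (meta["DeletionDate"].date(), retention_end.date()))
    elif state != "Enabled":
        findings.append(f"key state {state}: re-enable before relying on this evidence")
    if not ir_has_decrypt_path(meta):
        scope = "cross-account " if ev.source_account != IR_ACCOUNT else ""
        findings.append(f"IR role has no kms:Decrypt path to this {scope}key: "
                        "add it to the key policy or create a grant")
    if not test_decrypt(ev.key_id, meta):
        findings.append("test decrypt of sample evidence failed")
    return GateResult(ev.log_path, not findings, findings)


NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)  # constructed reference time

SAMPLE_KEYS = {  # constructed key metadata covering the edge cases in the review
    "key-good": {"KeyState": "Enabled", "DecryptPrincipals": {IR_ROLE}},
    "key-deleting": {"KeyState": "PendingDeletion",
                     "DeletionDate": NOW + timedelta(days=7),
                     "DecryptPrincipals": {IR_ROLE}},
    "key-app-only": {"KeyState": "Enabled",
                     "DecryptPrincipals": {"arn:aws:iam::111111111111:role/AppServer"}},
    "key-partner": {"KeyState": "Enabled",
                    "DecryptPrincipals": {"arn:aws:iam::222222222222:role/Logging"},
                    "Grants": [{"GranteePrincipal": IR_ROLE, "Operations": ["Decrypt"]}]},
}

SAMPLE_EVIDENCE = [  # constructed evidence records
    EvidenceRecord("/evidence/cloudtrail-01.json.gz", "key-good", "v3", 365, "analyst-a", IR_ACCOUNT),
    EvidenceRecord("/evidence/vpcflow-01.log.gz", "key-deleting", "v1", 90, "analyst-a", IR_ACCOUNT),
    EvidenceRecord("/evidence/app-audit-01.log.gz", "key-app-only", "v2", 180, "analyst-b", IR_ACCOUNT),
    EvidenceRecord("/evidence/partner-alb-01.log.gz", "key-partner", "v1", 180, "analyst-b", "222222222222"),
    EvidenceRecord("/evidence/lambda-01.log.gz", "key-gone", "v1", 90, "analyst-a", IR_ACCOUNT),
]


def run_sample():
    """Gate every sample record; returns {log_path: GateResult}."""
    return {ev.log_path: key_preservation_gate(ev, SAMPLE_KEYS, simulated_test_decrypt, NOW)
            for ev in SAMPLE_EVIDENCE}


if __name__ == "__main__":
    for path, result in run_sample().items():
        print(path, "OK" if result.usable else "FLAGGED", result.findings)
```

Running the sample flags the key pending deletion, the key whose policy excludes the IR role, and the vanished key, while the cross-account partner key passes only because a grant exists for the IR role. A deleted or invisible key short-circuits with a single finding because no other gate can be evaluated without its metadata.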
Comparison to Other Tools
Cloud logging exports data; KMS/audit logs prove future decryptability and custody.
Overall Assessment
Add KMS preservation gates so encrypted evidence remains usable.
Bounty Info
See CONTRIBUTING.md for bounty terms. Contact: samik4184@gmail.com