TLP - The Digital Forensics Podcast
Get involved in the exciting world of Digital Forensics and Incident Response with: Traffic Light Protocol. The Digital Forensics Podcast.
In each episode, we sit down with seasoned DFIR professionals, the blueteamers who work around the clock to investigate cyber intrusions. From data breaches to cyberattacks, they share firsthand accounts of some of the most intense investigations they've ever tackled, how they deal with burnout and the added pressure of cat and mouse while they learn about new attack chains.
Episode 21: How IRCO is Changing DFIR: The AI Copilot for Real-Time Cyber Investigations
Link to IRCO (Incident Response Copilot) on ChatGPT
https://chatgpt.com/g/g-68033ce1b26481919b26df0737241bac-irco-incident-response-co-pilot
In this episode of TLP: The Digital Forensics Podcast, Clint dives deep into IRCO (a custom GPT designed specifically for DFIR and SOC analysts). From real-world cyber incidents to post-incident reporting and CTF training, IRCO acts like your AI-powered colleague: fast, focused, and built for real investigations or even CTFs.
Learn how this tool understands your forensic workflows, decodes technical jargon, and supports smarter, faster investigations. Clint shares how to start using IRCO, common use cases, how to keep your data safe, and why many in the field are underestimating its capability.
Whether you're writing reports, analyzing logs, or stuck mid-incident, IRCO can give you the 1% edge you need to solve tricky DFIR investigations and communicate reports more quickly.
Topics covered:
- What is IRCO?
- How to integrate AI into digital forensics workflows
- Using IRCO for live incidents, CTFs, and training
- Privacy and responsible AI use in SOC environments
- Actionable prompts and use cases
Subscribe to TLP now and give IRCO a test run. You might just find your new secret weapon in responding to incidents quicker than ever.
https://chatgpt.com/g/g-68033ce1b26481919b26df0737241bac-irco-incident-response-co-pilot
Hey everyone, Clint here. Welcome back to TLP, the Digital Forensics Podcast. Today I wanna talk about a tool that has been floating around in our circles, mentioned in Slack and Discord, used quietly by some, ignored by others, rated one star by others. It's called IRCO, short for Incident Response Copilot. It's a custom GPT I made for ChatGPT earlier this year. And if you don't know, custom GPTs are just personalized versions of ChatGPT that are built using OpenAI's tools. You can think of them as a specialized assistant with a tailored personality, knowledge base and behavior, and they're custom built for a specific use case or audience. And I've built and provided instructions for IRCO based on the requirements of DFIR and SOC analysts. After testing it and using it daily in my role as a SOC analyst, I was quite impressed by how consistent the output is, and this isn't just a general purpose chatbot that fills in the gaps with guesses and hallucinations. IRCO actually understands what we do. It doesn't pretend to be smarter than you. It just helps you work on investigations cleaner, faster and with more confidence. So in today's episode, we're gonna unpack what IRCO is, where it fits into a real world investigation, why most people are underusing it, and how to build it into your workflow without slowing down. Let's get into it. Here's the thing: IRCO, it's already known to a lot of DFIR people. We know it's gone a little viral on LinkedIn. It's been mentioned in CTFs. Some teams have got it bookmarked, some people know about it, but it's only got about a thousand conversations that anyone's had with it so far. And this is because there's a gap, and it's not a gap in knowledge. It's a confidence gap. People just don't know what it's capable of. They're not sure when to bring it in. They don't have any examples of how it's helping anyone mid investigation.
If you've ever had a major cyber incident, you know it's hard to stop and just try a new tool, and it's not because you don't want to. You just don't know if the benefit of trying a new tool is worthwhile and is gonna help you, or is it gonna waste your time, and those hours that you've spent trying to get that tool working could have been used to actually investigate the incident. The result of this is that people know about IRCO, but they're just choosing not to use it yet. So what IRCO does and what it is: it's a specialized DFIR assistant that's trained on real investigations, real tools, and real threats, and its job is to help you during a live incident or a CTF. It can assist you with post-incident reports. It can walk you through CTF style learning scenarios. One of my favorite features is it can translate technical jargon into easy to understand reporting for executives, and it understands your tasks, your methodologies, when you're using tools like Velociraptor, CAPE, Sysmon, YARA, and Sigma. And that just scratches the surface of some of the tools that IRCO can talk to. It gets the difference between event IDs 4625 and 4688. It knows where to look in the registry hive files, what it means when RAD XE shows up in the middle of a timeline. You can think of IRCO as a senior analyst or the approachable boss who's seen it all. Let's get practical by explaining how to use IRCO. I've included a link for how to get into the tool in the show notes, or you can just go into ChatGPT and select GPTs from the sidebar menu, then search for IRCO. That's I-R-C-O. Here's how you'd actually use IRCO during your day or during a forensic incident. If it's a live incident, let's say you're looking at suspicious RDP activity, you can ask IRCO, how do I contain a potential RDP brute force attack? IRCO will respond with recommended logs to capture, the relevant event IDs to look at, and some triage tips as well.
What about if you're doing a post-incident report and you need some help in processing that evidence? The evidence that you've got is Prefetch, Amcache, and you've got some EVTX logs, and you say, help me correlate these artifacts to confirm lateral movement. One of the concerns for a lot of people is that they don't wanna upload the confidential artifacts to ChatGPT, and there's a warning message that you see when you first open IRCO that tells you not to include things that are confidential. In that instance, the way that you can get around having to upload the files individually is you can say, tell me what tools I need to analyze these artifacts and where to locate them. What about training or a CTF? Say you are reviewing a memory dump. You can ask, what's the process list showing in this Volatility output? And the way you can do that is you can just send it a screenshot, if there's no confidential information in that screenshot, and probably most of the time there wouldn't be because it's just file names, or you can just block it out by using MS Paint or your favorite image editor. What IRCO is gonna do is it will explain concepts and indicators like injected threads and hollowed out processes. What about reporting to stakeholders? You can say, summarize this credential theft case for execs, and you would give it some context, some sanitized data from the report that you're writing. And what you'll get back is a clean and readable paragraph, and it's still technical, but it minimizes the jargon that's been used. So IRCO is not just a helpful assistant; it is structured. It provides relevant and grounded information. And it's been instructed, the way I've built it, to get to the point without giving you this high five cheer squad that ChatGPT has been known to do in the past. What makes IRCO actually work for analysts? It's actually about understanding how we think, and the tool clarifies your intent before giving you answers. It'll ask you questions.
It will adjust the depth based on your skill level, and it always ends with here's what to do next. It doesn't just throw you a wall of theory, it gives you the right next step, and that's why it works. What I like using the tool for most is to explain the reasons why we are doing things. When I was a kid, I remember I wanted to get cheat codes for games. We all wanted to have unlimited lives or unlimited ammo for weapons. When I first released the tool, a few people, rightly so, raised concerns about AI giving people the answers without teaching the concepts behind it. And I built IRCO to give the reasons why the output is the way that it is, and this turns each incident into a teachable moment that builds your experience over time. If you wanna build IRCO into your workflow, start small, and start when you are not in the middle of a massive incident. Start using it. Start to get familiar with the tool. Here are three things that you can do today to get started with IRCO. The first one is ask it to explain a single artifact, something like, explain what ShimCache is in one sentence. So we're kind of using it like Google here, to get very targeted information. You could get it to validate a detection rule. You could try saying, check this Sigma rule and tell me what I've missed. Or you could also use it in a timelining exercise, and you could say, correlate event ID 11, Prefetch and MFT entries. Each of these activities, each of these prompts, they give you a small win. And from these small wins, you can start to understand how useful the tool can be. Figure out your own workflows. Figure out the best way to use it when you are working with real live incidents. If you're using tools like Sysmon or Velociraptor and looking at logs with the Windows Event Viewer, IRCO can help with context. You can try some prompts like, show me how to collect DNS cache with Velociraptor. Write a Sigma rule for detecting R XE used on desktop folders.
Or, how would an attacker move laterally using PsExec and what should I see in the logs? You'll be surprised at how accurate and focused the answers are, and the explanations that are provided alongside. And if something's off, well, now you have a teachable moment. So that might require some additional research. Like everything, nothing's perfect, but IRCO can become part of your loop, part of your incident response workflow. And I talk about the teachable moment where, if something seems off, we as analysts should be going and doing a bit more research, a bit more of a deep dive to clarify that, and that's what using the tool in a non-live incident scenario can help with: to understand the limitations of the tool, to understand what it can do for you, and to understand when you might need to do a bit more research. So sometimes it does miss the point. I wish it was perfect and I wish that it had all the correct answers. But the fact of cyber is that things move quickly. Tools have deprecated commands, and MS Defender is actually one of the worst in this department. Meta values that exist today can be removed overnight. So with that in mind, just let me know if you experience some issues where IRCO is giving you a bit of a run around, and I'll do what I can to update the tuning, and then I'll also update the knowledge base to improve it for next time. One of the last things that I wanna mention: you don't need to memorize what IRCO can do. At first, I was stuck in the old way of learning. I thought I should read all the docs, I've gotta learn every single function. But that's not how you build habits; that's just cramming for an exam. Instead, a better way to do it is to think of situational triggers. When you've got friction during an investigation, ask IRCO. You need to explain something? Ask IRCO. Not sure what artifact matters? Ask IRCO. If you're writing a report and stuck on wording, ask IRCO. So use your real work as the context.
The more that you use that real work, the more useful it becomes. Use your real work as the context. The more that you use it daily, the more useful it becomes. It's not here to be smarter than you. It's not here to replace your expertise, your experience on the job. It's a second brain. This is artificial intelligence. We're not trying to pretend that it's smarter than it is. It's a second brain when you're deep in the weeds. It's a colleague who doesn't get tired. And it provides structure. And when your brain's fried after working on an incident for a week, this can be quite a useful solution. Use it to investigate smarter and report faster, and avoid missing steps that could cause gaps in the investigation and, in particular, gaps in the report. So next time you are mid incident, building a timeline or cleaning up a messy investigation, why don't you give IRCO a go? Try with one question. Try getting it to review one artifact. That's how you can build the habit, getting 1% better every day. Alright, that's it for me today. If you are using IRCO already, I'd love to hear how you're using it. It helps me figure out new prompts and helps me figure out how I can tune it to be better and help the user experience get better for everyone. I hope this has been informative. If you haven't already, please subscribe to the podcast wherever you are listening today, whether it's on YouTube, Spotify, or Apple Podcasts, or one of the other podcast platforms. Thanks for listening and I'll see you in the next episode.
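The timelining exercise mentioned in the episode ("correlate event ID 11, Prefetch and MFT entries") can be sketched in a few lines of Python. This is an added example, not code from the podcast or from IRCO; the three artifact lists are constructed sample records with simplified field layouts, not the output of any real parser, and the five-minute "created then executed" window is an assumed threshold.

```python
from datetime import datetime, timedelta

# Constructed sample artifacts (not real case data). All timestamps are UTC:
# Sysmon Event ID 11 and MFT $SI times are already UTC; Prefetch last-run
# times must be normalised to UTC by the parser before correlating.
SYSMON_11 = [  # (UtcTime, TargetFilename) from Sysmon Event ID 11 FileCreate
    ("2024-05-01T10:02:11Z", r"C:\Users\bob\Desktop\update.exe"),
    ("2024-05-01T10:02:30Z", r"C:\Users\bob\Desktop\notes.txt"),
]
PREFETCH = [  # (executable name, last run time) from parsed .pf files
    ("UPDATE.EXE", "2024-05-01T10:03:05Z"),
    ("NOTEPAD.EXE", "2024-05-01T09:15:00Z"),
]
MFT = [  # (path, $STANDARD_INFORMATION created time) from an MFT parse
    (r"C:\Users\bob\Desktop\update.exe", "2024-05-01T10:02:11Z"),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def build_timeline(sysmon, prefetch, mft):
    """Merge the three sources into one (time, source, item) list, oldest first."""
    events = [(parse_ts(ts), "sysmon11", path) for ts, path in sysmon]
    events += [(parse_ts(ts), "prefetch", name) for name, ts in prefetch]
    events += [(parse_ts(ts), "mft_si", path) for path, ts in mft]
    return sorted(events)


def find_create_then_run(timeline, window=timedelta(minutes=5)):
    """Flag executables whose creation (Sysmon 11 or MFT $SI) is followed by a
    Prefetch run within `window`: a 'dropped then executed' pattern that merits
    a closer look. Returns (name, created_at, first_run_at) tuples."""
    created = {}  # upper-cased file name -> earliest creation time seen
    hits = []
    for ts, source, item in timeline:
        if source in ("sysmon11", "mft_si"):
            name = item.rsplit("\\", 1)[-1].upper()
            created.setdefault(name, ts)
        elif source == "prefetch" and item in created:
            delta = ts - created[item]
            if timedelta(0) <= delta <= window:
                hits.append((item, created[item], ts))
    return hits


if __name__ == "__main__":
    for name, created_at, run_at in find_create_then_run(build_timeline(SYSMON_11, PREFETCH, MFT)):
        print(f"{name}: created {created_at:%H:%M:%S}, first run {run_at:%H:%M:%S}")
```

On the sample data only UPDATE.EXE is flagged; NOTEPAD.EXE ran before any recorded creation and notes.txt has no Prefetch entry, so neither produces a hit.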