
June 9, 2025 15 mins


Link to IRCO (Incident Response Copilot) on ChatGPT:

https://chatgpt.com/g/g-68033ce1b26481919b26df0737241bac-irco-incident-response-co-pilot

In this episode of TLP: The Digital Forensics Podcast, Clint dives deep into IRCO (a custom GPT designed specifically for DFIR and SOC analysts). From real-world cyber incidents to post-incident reporting and CTF training, IRCO acts like your AI-powered colleague: fast, focused, and built for real investigations or even CTFs.

Learn how this tool understands your forensic workflows, decodes technical jargon, and supports smarter, faster investigations. Clint shares how to start using IRCO, common use cases, how to keep your data safe, and why many in the field are underestimating its capability.

Whether you're writing reports, analyzing logs, or stuck mid-incident, IRCO can give you the 1% edge you need to solve tricky DFIR investigations and communicate reports more quickly.

🔍 Topics covered:
 – What is IRCO?
 – How to integrate AI into digital forensics workflows
 – Using IRCO for live incidents, CTFs, and training
 – Privacy and responsible AI use in SOC environments
 – Actionable prompts and use cases

🎧 Subscribe to TLP now and give IRCO a test run. You might just find your new secret weapon in responding to incidents quicker than ever.



Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Hey everyone, Clint here. Welcome back to TLP, the Digital Forensics Podcast. Today I wanna talk about a tool that has been floating around in our circles, mentioned in Slack, Discord, used quietly by some, ignored by others. Rated one star by others. It's called IRCO, short for Incident Response

(00:21):
Copilot. It's a custom GPT I made for ChatGPT earlier this year. And if you don't know, custom GPTs are just personalized versions of ChatGPT that are built using OpenAI's tools. You can think of them as a specialized assistant with a tailored personality, knowledge base and behavior, and they're

(00:44):
custom built for a specific use case or audience. And I've built and provided instructions for IRCO based on the requirements of DFIR and SOC analysts. After testing it and using it daily in my role as a SOC analyst, I was quite impressed by how

(01:06):
consistent the output is, and this isn't just a general purpose chatbot that fills in the gaps with guesses and hallucinations. IRCO actually understands what we do. It doesn't pretend to be smarter than you. It just helps you work on investigations cleaner, faster and with more confidence.

(01:29):
So in today's episode, we're gonna unpack what IRCO is, where it fits into a real world investigation, why most people are underusing it, and how to build it into your workflow without slowing down. Let's get into it.

(01:49):
Here's the thing, IRCO, it's already known to a lot of DFIR people. We, we know it's gone a little viral on LinkedIn. It's been mentioned in CTFs. Some teams have got it bookmarked, some people know about it, but it's only got about a thousand conversations that anyone's had with it so far. And this is because there's a gap, and it's not a gap in

(02:13):
knowledge. It's a confidence gap. People just don't know what it's capable of. They're not sure when to bring it in. They don't have any examples of how it's helping anyone mid investigation. If you've ever had a major cyber incident, you know it's hard to stop and just try a new tool, and it's not because you don't

(02:33):
want to. You just don't know if the benefit of trying a new tool is worthwhile and is gonna help you, or is it gonna waste your time, and those hours that you've spent trying to get that tool working could have been used to actually investigate the incident. The result of this is that people know about IRCO, but

(02:55):
they're just choosing not to use it yet. So what IRCO does and what it is: it's a specialized DFIR assistant that's trained on real investigations, real tools, and real threats, and its job is to help you during a live incident or a CTF. It can assist you with post-incident reports.

(03:16):
It can walk you through CTF style learning scenarios. One of my favorite features is it can translate technical jargon into easy to understand reporting for executives, and it understands your tasks, your methodologies, when you're using tools like Velociraptor, Cape, Cisson, YARA, and Sigma.

(03:41):
And that just scratches the surface with some of the tools that IRCO can talk to. It gets the difference between event IDs 4625 and 4688. It knows where to look in the registry hive files, what it means when RAD XE shows up in the middle of a timeline.

(04:01):
You can think of IRCO as a senior analyst or the approachable boss who's seen it all. Let's get practical by explaining how to use IRCO. I've included a link for how to get into the tool in the show notes, or you can just go into ChatGPT and select GPTs from

(04:24):
the sidebar menu. Then search for IRCO. That's I-R-C-O. Here's how you'd actually use IRCO during your day or during a forensic incident. If it's a live incident, let's say you're looking at suspicious RDP activity. You can ask IRCO, how do I contain a potential RDP brute

(04:47):
force attack? IRCO will respond with recommended logs to capture, the relevant event IDs to look at, and some triage tips as well. What about, you're doing a post-incident report, you need some help in processing that evidence.

(05:09):
The evidence that you've got: a Prefetch, Amcache and you've got some EVTX logs, and you say, help me correlate these artifacts to confirm lateral movement. One of the concerns for a lot of people is that they don't wanna upload the confidential artifacts to ChatGPT.

(05:30):
And there's a warning message that you see when you first open IRCO that tells you not to include things that are confidential. In that instance, the way that you can get around having to upload the files individually, you can say, tell me what tools I need to analyze these artifacts and where to locate them.

(05:52):
What about training or a CTF? Say you are reviewing a mem dump. You can ask, what's the process list showing in this Volatility output? And the way you can do that is you can just send it a screenshot. And if there's no confidential information in that screenshot, and probably most of the time there wouldn't be because it's

(06:14):
just file names, or you can just block it out by using MS Paint or your favorite image editor. What IRCO is gonna do is it will explain concepts and indicators like injected threads and hollowed out processes. What about reporting to stakeholders?

(06:35):
You can say, summarize this credential theft case for execs, and you would give it some context, some sanitized data from the report that you're writing. And what you'll get back is a clean and readable paragraph, and it's still technical, but it minimizes the jargon that's been used. So IRCO is not just a helpful assistant, it is structured.

(07:01):
It provides relevant and grounded information. And it's been instructed, the way I've built it, to get to the point without giving you this high-five cheer squad that ChatGPT has been known to do in the past. What makes IRCO actually work for analysts?

(07:21):
It's actually about understanding how we think, and the tool clarifies your intent before giving you answers. It'll ask you questions. It will adjust the depth based on your skill level, and it always ends with here's what to do next.

(07:43):
It doesn't just throw you a wall of theory, it gives you the right next step, and that's why it works. What I like using the tool for most is to explain the reasons why we are doing things. When I was a kid, I remember I wanted to get cheat codes for games. We all wanted to have

(08:03):
unlimited lives or unlimited ammo for weapons. When I first released the tool, a few people, rightly so, raised concerns about AI giving people the answers without teaching the concepts behind it. And I built IRCO to give the reasons why the output is the way that it is, and this turns each incident into a teachable

(08:28):
moment that builds your experience over time. If you wanna build IRCO into your workflow, start small and start when you are not in the middle of a massive incident. Start using it. Start to get familiar with the tool. Here's three things that you can do today to get started with

(08:48):
IRCO. The first one is ask it to explain a single artifact. Something like, explain what ShimCache is in one sentence. So we're kind of using it like Google here, to get very targeted information. You could get it to validate a detection rule.

(09:08):
You could try saying, check this Sigma rule and tell me what I've missed. Or you could also use it in a timelining exercise and you could say, correlate event ID 11, Prefetch and MFT entries. Each of these activities, each of these prompts, they give you

(09:29):
a small win. And from these small wins, you can start to understand how useful the tool can be. Figure out your own workflows. Figure out the best way to use it when you are working with real live incidents. If you're using tools like SIS one, Velociraptor, and

(09:52):
looking at logs with the Windows Event Viewer, IRCO can help with context. You can try some prompts, like, show me how to collect DNS cache with Velociraptor. Write a Sigma rule for detecting R XE used on desktop folders. Or how would an attacker move laterally using PsExec and what

(10:15):
should I see in the logs? You'll be surprised at how accurate and focused the answers are and the explanations that are provided alongside. And if something's off, well now you have a teachable moment. So that might require some additional research.

(10:37):
Like everything, nothing's perfect, but IRCO can become part of your loop, part of your incident response workflow. And I talk about the teachable moment where if something seems off, we as analysts, we should be going and doing a bit more research, a bit more of a deep dive to clarify that, and that's what using the tool in a non-live incident scenario can

(11:02):
help with: to understand the limitations of the tool, to understand what it can do for you and understand when you might need to do a bit more research. So sometimes it does miss the point. I wish it was perfect and I wish that it had all the correct answers. But the fact of cyber is that things move quickly.

(11:24):
Tools have deprecated commands, and MS Defender is actually one of the worst in this department. Meta values that exist today can be removed overnight. So with that in mind, just let me know if you experience some issues where IRCO is giving you a bit of a runaround. And I'll do what I can to update the tuning and then I'll also

(11:44):
update the knowledge base to improve it for next time. One of the last things that I wanna mention, you don't need to memorize what IRCO can do. At first, I was stuck in the old way of learning. I thought I should read all the docs. I've gotta learn every single function.

(12:05):
But that's not how you build habits, and that's just cramming for an exam. Instead, a better way to do it is to think of situational triggers. When you've got friction during an investigation, ask IRCO. You need to explain something? Ask IRCO. Not sure what artifact matters? Ask IRCO.

(12:26):
If you're writing a report and stuck on wording, ask IRCO. So use your real work as the context. The more that you use that real work, the more useful it becomes. Use your real work as the context. The more that you use it daily, the more useful it becomes.

(12:47):
It's not here to be smarter than you. It's not here to replace your expertise, your experience on the job. It's a second brain. This is artificial intelligence. We're not trying to pretend that it's smarter than it is. It's a second brain when you're deep in the weeds. It's a colleague who doesn't get tired.

(13:09):
And it provides structure. And when your brain's fried after working on an incident for a week, this can be quite a useful solution. Use it to investigate smarter and report faster and avoid missing steps that could cause gaps in the investigation and in particular gaps in the report.

(13:32):
So next time you are mid incident, building a timeline or cleaning up a messy investigation, why don't you give IRCO a go? Try with one question. Try getting it to review one artifact. That's how you can build the habit, getting 1% better every day.

(13:53):
Alright, that's it for me today. If you are using IRCO already, I'd love to hear how you're using it. It helps me figure out new prompts and helps me figure out how I can tune it to be better and help the user experience get better for everyone. I hope this has been informative. If you haven't already, please subscribe to the podcast wherever you are listening today, whether it's on YouTube,

(14:17):
Spotify, or Apple Podcasts, or one of the other podcast platforms. Thanks for listening and I'll see you in the next episode.
© 2025 iHeartMedia, Inc.