What is the most critical type of evidence to preserve first when an AI system is suspected of producing harmful outputs?

How does establishing a behavioral baseline for an AI system support forensic investigation?

What forensic indicator would suggest that a model has been swapped or tampered with in production?

When analyzing request logs for signs of a prompt injection campaign, what pattern most reliably indicates automated attack activity?

What does a sudden decrease in a model's refusal rate indicate from a forensic perspective?

How should forensic evidence from an AI incident be preserved to maintain its integrity and admissibility?

What is the forensic value of comparing a suspected compromised model's behavior against a known-good reference model?

When investigating a suspected training data poisoning incident, what evidence is most diagnostic?

What role does timeline reconstruction play in AI incident forensics?

How should an investigator handle a situation where critical AI system logs have been deleted or rotated before collection?

What is the purpose of running a 'canary analysis' during an active AI incident?

What distinguishes an AI-specific incident response plan from a general cybersecurity incident response plan?

When conducting post-incident analysis of an AI security event, what is the most valuable output for preventing recurrence?

How should the scope and limitations of an AI forensic investigation be communicated to stakeholders?

What is the forensic significance of monitoring embedding drift in a RAG-based AI system?