Investigation Report
CLI
dfir-cli bec report
Generate comprehensive BEC investigation reports from collected evidence. Supports multiple output formats including full technical reports, executive summaries, FBI IC3 complaints, and insurance proof-of-loss documents. All processing is performed locally, with no API calls or credits required.
- Processing: Local (no API)
- Credits: None (free)
- Formats: 4 output formats
- Input: Evidence directory or file list
CLI Usage
Full report (JSON + HTML)
dfir-cli bec report --case-id BEC-2026-001 --input-dir ./evidence/
Executive summary
dfir-cli bec report --case-id BEC-2026-001 \
  --format executive --input-dir ./evidence/ \
  --investigator-name "Jane Smith" \
  --investigator-org "Contoso DFIR Team"
FBI IC3 format
dfir-cli bec report --case-id BEC-2026-001 \
  --format ic3 --input-dir ./evidence/ \
  --financial-data ./financial-loss.json
Insurance proof-of-loss
dfir-cli bec report --case-id BEC-2026-001 \
  --format insurance --input-dir ./evidence/ \
  --include-evidence --financial-data ./financial-loss.json
Import specific evidence files
dfir-cli bec report --case-id BEC-2026-001 \
  --import ./inbox-rules.json,./signin-audit.json,./oauth-audit.json \
  --format full --output-dir ./reports/
Flags
| Flag | Type | Description |
|---|---|---|
| --case-id | string | Unique case identifier for the investigation (required) |
| --format | string | Report format: "full" (JSON+HTML), "executive" (HTML), "ic3" (FBI IC3 JSON), "insurance" (proof-of-loss JSON). Default: full |
| --input-dir | string | Directory containing evidence files from prior BEC commands |
| --import | string | Comma-separated list of specific evidence files to import |
| --output-dir | string | Output directory for generated reports (default: current directory) |
| --investigator-name | string | Name of the investigator for report attribution |
| --investigator-org | string | Organization name for report attribution |
| --include-evidence | bool | Embed raw evidence data in the report output |
| --financial-data | string | Path to financial loss data file (JSON) for IC3 and insurance formats |
Output Formats
| Format | Output | Description |
|---|---|---|
| full | JSON + HTML | Complete investigation report with all evidence, timeline, and findings. Produces both a structured JSON file and a formatted HTML document. |
| executive | HTML | High-level executive summary suitable for management and non-technical stakeholders. Focuses on impact, risk, and recommended actions. |
| ic3 | JSON | FBI Internet Crime Complaint Center (IC3) formatted report for law enforcement submission. Includes required fields for BEC complaint filing. |
| insurance | JSON | Insurance proof-of-loss formatted report for cyber insurance claims. Includes financial impact, timeline of events, and evidence chain. |
Example Output
{
  "case_id": "BEC-2026-E2E",
  "generated_at": "2026-04-10T14:42:53Z",
  "investigator_name": "Test Investigator",
  "investigator_org": "DFIR Lab QA",
  "tool_version": "dfir-cli/0.2.0 (darwin/arm64)",
  "timeline_events": 227,
  "compromised_accounts": 168,
  "inbox_rules": 0,
  "forwarding_rules": 0,
  "oauth_grants": 7,
  "signin_anomalies": 0,
  "lookalike_domains": 10,
  "iocs": {
    "ips": ["2603:1026:2400::9", "2603:1026:2407::2b", "..."],
    "domains": ["devopsdfirlab.onrnicrosoft.com", "..."],
    "emails": [],
    "oauth_app_ids": ["07fce198-...", "..."]
  },
  "mitre_mappings": 2,
  "evidence": 6
}
// Generated files:
// BEC-2026-E2E_full.json (93 KB)
// BEC-2026-E2E_full.html (83 KB)
// BEC-2026-E2E_executive.html (13 KB)
// BEC-2026-E2E_ic3.json (13 KB)
// BEC-2026-E2E_insurance.json (95 KB)
Important Notes
- All report generation is performed locally — no data is sent to the DFIR platform and no API credits are consumed.
- The --input-dir should contain output files from prior BEC commands (inbox-rules, signin-audit, forwarding-audit, oauth-audit, timeline).
- The IC3 format follows FBI Internet Crime Complaint Center filing requirements. Review the generated report before submission to ensure accuracy.
- Use --include-evidence with caution: it embeds raw evidence in the report, which may significantly increase file size.
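A pre-flight check for the --input-dir note above, as an added example that is not part of dfir-cli or the original page: it confirms that the five evidence files named in that note are present and non-empty, and writes a SHA-256 manifest so the inputs to a report can be verified later. The `<name>.json` file naming, the `bec_preflight` and `sha256_of` functions, and the manifest path are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not part of dfir-cli): check an evidence directory before
# running `dfir-cli bec report --input-dir`.
# Assumption: each prior BEC command wrote <name>.json, as in the --import
# example on this page. Adjust EXPECTED if your files are named differently.
EXPECTED="inbox-rules signin-audit forwarding-audit oauth-audit timeline"

# Use whichever SHA-256 tool exists (Linux: sha256sum, macOS: shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# bec_preflight DIR [MANIFEST]
# Prints one status line per expected evidence file, records the hash of each
# usable file in MANIFEST, and returns non-zero if any file is missing or empty.
# MANIFEST defaults to DIR.sha256 beside the directory, so the manifest is not
# itself picked up as evidence.
bec_preflight() {
  dir=${1%/}
  manifest=${2:-$dir.sha256}
  rc=0
  : > "$manifest" || return 2
  for name in $EXPECTED; do
    f="$dir/$name.json"
    if [ ! -f "$f" ]; then
      echo "MISSING $name.json"; rc=1
    elif [ ! -s "$f" ]; then
      echo "EMPTY   $name.json"; rc=1
    else
      echo "OK      $name.json"
      printf '%s  %s\n' "$(sha256_of "$f")" "$name.json" >> "$manifest"
    fi
  done
  return $rc
}

# Usage:
#   bec_preflight ./evidence/ && \
#     dfir-cli bec report --case-id BEC-2026-001 --input-dir ./evidence/
```

A missing file may be legitimate if a prior command was not run for the case; the status lines make that gap explicit before the report is generated.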