BSides Tokyo 2026 Speaker

Yusuke Nakajima

Joined the NTT DATA Group in 2019, initially working in sales, providing solutions such as image processing and natural language processing. In April 2023, transferred to the company’s CSIRT unit, NTTDATA-CERT, where engaged in incident response, threat hunting, IoC collection and distribution, as well as enhancing CSIRT operations through LLM-based automation. Also has a strong interest in offensive security, including C2 framework development, OSS vulnerability research, and participation in bug bounty programs. Presented at conferences such as BSides Tokyo 2025, Black Hat USA 2025 Arsenal, HITCON 2025 and JSAC 2025. CISSP, OSDA, OSTH.

The Dark Side of Autonomy: Exploiting DFIR Agents Through Adversarial Manipulation

In recent years, DFIR tools have increasingly integrated Large Language Models (LLMs) to automate analysis and reporting. This study shows that attackers can target DFIR agents by exploiting prompt injection through boundary perturbation of structured data—injecting closing and opening delimiters to trick parsers into interpreting data as new instructions—a format long assumed to be resistant to such prompt-injection-based manipulation. Crucially, this is not a tool-specific issue but a broader risk inherent to integrating DFIR tools with autonomous LLM agents. Although I contacted Google because their tools were also affected, they responded that the issue does not meet the criteria for a security bug.

By embedding malicious instructions into routine forensic artifacts such as logs and scheduled tasks, adversaries can cause agents to misinterpret data as commands, resulting in three outcomes: Hide, Mislead, and Exploit.

This is, to my knowledge, the first demonstration of structured-data injection attacks in LLM-integrated DFIR environments. The study also proposes practical defense-in-depth measures, including least-privilege design, strict structured-output validation, and human-in-the-loop oversight to ensure safe automated workflows.

This presentation offers organizations a foundation for rethinking how much autonomy to grant LLM-driven DFIR agents and where human supervision must remain essential.