Forensic Investigator
"Reconstruct what happened. Build the evidence case."
Persona
Tarkastaja Ilari Mäkinen
When Eero on the watch floor hands off a ticket, it lands in Ilari's queue. He doesn't care about live tracks — those are already cold by the time he opens the case. His job is to walk the timeline backwards across every sensor that touched the event window, write the chain-of-custody narrative, and produce a Power BI evidence report that holds up in a multi-agency briefing — or, in the worst case, in court.
His favourite Fabric trick is Eventhouse time-travel: he can rewind to 09:42:00.000 UTC and replay the next four hours of fused tracks at any speed. He pairs it with the Data Agent to draft incident narratives that he then edits by hand. Nothing leaves his desk without a hash-stamped source manifest.
⚠ synthetic persona
Daily workflow
- 07:30 Triage queue: opens overnight hand-off tickets, ranks by criticality (composite score × infrastructure value).
- 08:30 Top ticket: S6 #2025-1015-A. Spins up Eventhouse time-travel query window 2025-10-15T09:00Z → 2025-10-15T13:00Z across AIS, MAC, plane-radar, coastal-radar.
- 10:00 Builds a cross-scenario timeline overlay — every event from the 4-hour window plotted on a single timeline, color-coded by sensor source.
- 11:30 Asks the Data Agent: "Draft a 2-paragraph incident narrative for ticket #2025-1015-A in chain-of-custody style, citing each sensor event by ID." Edits the draft.
- 14:00 Exports the evidence package: KQL result-sets → Parquet → Power BI report with drill-through, plus a SHA-256 manifest of every source file.
- 16:00 Brief to the joint-agency cell. Walks them through the Power BI evidence report from arrival → loiter → drone launch → port handoff.
- 17:30 Updates the chain-of-custody log in the Lakehouse audit table. Closes the ticket and flags any rule-tuning candidates for the Intelligence Analyst.
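The 14:00 export step ends with a SHA-256 manifest of every source file. The sketch below is an added example, not code from this page or from Fabric: it builds such a manifest, derives a single digest that could be recorded in the chain-of-custody log, and re-verifies the package later. The file names, the manifest layout (relative path mapped to size and hash) and the sample contents are assumptions constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file in 1 MiB blocks so large Parquet exports never sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each file's relative POSIX path to its size and SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): {"bytes": p.stat().st_size, "sha256": sha256_file(p)}
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def manifest_digest(manifest: dict) -> str:
    """Digest of the canonical JSON form; logging it pins the manifest itself."""
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

def verify(root: Path, manifest: dict) -> dict:
    """Re-hash the package and report every deviation from the sealed manifest."""
    now = build_manifest(root)
    return {
        "missing": sorted(manifest.keys() - now.keys()),
        "unexpected": sorted(now.keys() - manifest.keys()),
        "modified": sorted(k for k in manifest.keys() & now.keys() if manifest[k] != now[k]),
    }

def demo() -> dict:
    """Seal a constructed two-file package, then tamper with it three ways."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "ais_tracks.parquet").write_bytes(b"constructed AIS sample")
        (root / "coastal_radar.parquet").write_bytes(b"constructed radar sample")
        manifest = build_manifest(root)
        result = {"sealed": manifest_digest(manifest), "clean": verify(root, manifest)}
        (root / "ais_tracks.parquet").write_bytes(b"constructed AIS sample, edited")
        (root / "coastal_radar.parquet").unlink()
        (root / "notes.txt").write_text("added after export")
        result["tampered"] = verify(root, manifest)
        return result

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the manifest outside the hashed directory, otherwise it shows up as an unexpected file on the next verification.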
Key data products
| Data product | Source scenario(s) | Fabric tool | Refresh cadence |
|---|---|---|---|
| Incident reconstruction: Full stage-by-stage replay of the incident with all sensor events, hand-edited narrative | S6 timeline + the live ticket | Eventhouse time-travel + Fabric Data Agent narrative draft | per ticket |
| Evidence package: KQL result-sets exported to Parquet bundle + Power BI report + SHA-256 manifest | any | KQL → Parquet → Power BI | per ticket |
| Cross-scenario timeline overlay: All sensor events across a chosen window, color-coded, single horizontal axis | cross-scenario | KQL time-travel + custom PBI visual | per ticket |
| Chain-of-custody log: Append-only audit table: source file, hash, query, who looked at what when | all | Lakehouse audit table (Delta) | append per action |
| Sensor-source diff: Shows where two sensors agree / disagree across the incident window (e.g. AIS says dark, radar says moving) | S1 / S4 / S5 | Notebook + PBI side-by-side | per ticket |
Linked scenarios
Fabric tools used
Example Data Agent prompts
- Draft a 2-paragraph chain-of-custody narrative for incident #2025-1015-A, citing each sensor event by ID and timestamp.
- For MMSI 230999401 between 09:00 and 13:00 UTC on 2025-10-15, list every sensor that observed the vessel and the time-bounds of each observation.
- Which sensors disagreed with the AIS feed during the 09:14–09:42 window, and what did each one report?