DeepSIFT

DeepSIFT

DeepSIFT is an MCP server that wraps SANS SIFT Workstation forensic tools with structured JSON output and RAG threat intelligence, reducing LLM hallucinations in autonomous incident response.

Category
Visit Server

README

DeepSIFT

AI-Driven Forensic Analysis with Zero Hallucinations

DeepSIFT is a Python MCP (Model Context Protocol) middleware server that wraps SANS SIFT Workstation forensic tools, dramatically reducing LLM hallucinations in autonomous AI-driven incident response.

Built for the Find Evil! Hackathon hosted by SANS DFIR.

The Problem

Protocol SIFT connects Claude Code to SIFT Workstation but hallucinates more than acceptable:

Protocol SIFT Problem DeepSIFT Solution
Raw Volatility output (10k+ lines) dumped into context Python parsers convert output to structured JSON first
Generic execute_shell_cmd — agent guesses plugin names Typed MCP functions — one function per tool action
Prompt-only safety ("never modify evidence") Architectural enforcement — zero write ops on evidence paths
No threat intelligence context RAG pipeline injects MITRE ATT&CK + IOCs into every finding

Architecture

Claude Code (autonomous execution engine)
        ↓ calls typed MCP functions
DeepSIFT MCP Server  ←── RAG Pipeline (ChromaDB + MITRE ATT&CK)
        ↓ executes and parses raw output
SIFT Tools (volatility, log2timeline, sleuthkit, yara, ez tools)
        ↑ structured JSON returned — raw text never reaches LLM

Available MCP Tools

Memory Forensics (Volatility 3)

Tool Description
get_process_list Process list with Hunt Evil baseline comparison
find_injected_code Malfind with injection type classification
get_network_connections Netscan with external IP flagging
get_command_history Cmdline with suspicious pattern detection
get_loaded_dlls DLL list with path-based suspicion scoring
get_registry_hives Registry hive list from memory
get_registry_key Read specific registry key values
get_handles Open handles (files, mutexes, pipes)
finish_analysis Save final structured findings

Timeline (log2timeline / Plaso)

Tool Description
create_super_timeline Create Plaso storage from disk image
filter_timeline Extract events for a time window
get_browser_history WEBHIST events only

Disk Forensics (Sleuth Kit)

Tool Description
get_partition_table Partition layout via mmls
get_file_listing File system tree via fls
extract_file Extract file by inode via icat
search_deleted_files Deleted/unallocated files

YARA Hunting

Tool Description
scan_file_with_yara Scan file with rule set
scan_memory_with_yara Scan memory image via yarascan
list_yara_rule_sets Show available rules

Windows Artifacts (EZ Tools)

Tool Description
parse_prefetch Program execution history
parse_lnk_files Recent file access
parse_jump_lists Application recent items
parse_registry_hive Offline hive parsing
lookup_ip_reputation AbuseIPDB + VirusTotal

Prerequisites

  • SANS SIFT Workstation (Ubuntu x86-64)
  • Python 3.10+
  • Volatility 3 (python3 -m volatility3)
  • log2timeline / Plaso (log2timeline.py, psort.py)
  • The Sleuth Kit (fls, mmls, icat)
  • YARA
  • EZ Tools at /opt/zimmermantools/ (optional — Windows artifact tools)

Installation

# Clone the repo
git clone https://github.com/ahammadshawki8/DeepSIFT.git
cd DeepSIFT

# Install Python dependencies
pip3 install -r requirements.txt

# Configure environment
cp .env.example .env
nano .env  # Add your API keys and verify tool paths

# Initialize RAG knowledge base (downloads ~100MB MITRE ATT&CK JSON)
python3 rag/ingest/mitre_attack.py

# Run tests to verify parsers work
pytest tests/ -v

Quick Start — Investigate a Memory Image

Option A: Use with Claude Code (Recommended)

  1. Add to your Claude Code MCP configuration:
{
  "mcpServers": {
    "deepsift": {
      "command": "python3",
      "args": ["/path/to/DeepSIFT/mcp_server/server.py"]
    }
  }
}
  1. Start an investigation:
Investigate /cases/ROCBA/Rocba-Memory.raw for signs of unauthorized access
on or after November 13, 2020.

Claude will automatically call get_process_listfind_injected_codeget_network_connectionsfinish_analysis and produce a structured report.

Option B: Multi-Agent Orchestrator (LangGraph)

python3 agents/orchestrator.py --image /cases/ROCBA/Rocba-Memory.raw --case-dir /cases/ROCBA

Run Benchmark

Compare DeepSIFT against Protocol SIFT baseline:

python3 benchmark/runner.py \
  --baseline /cases/ROCBA-BASELINE \
  --ours /cases/ROCBA-DEEPSIFT \
  --ground-truth benchmark/ground_truth/rocba_ground_truth.json \
  --output docs/accuracy_report.md

Configuration

Copy .env.example to .env:

ANTHROPIC_API_KEY=your_key_here
VIRUSTOTAL_API_KEY=your_key_here      # optional — enables IP reputation
ABUSEIPDB_API_KEY=your_key_here       # optional — enables IP reputation

# Override tool paths if different from SIFT defaults
VOLATILITY_CMD=python3 -m volatility3
LOG2TIMELINE_CMD=log2timeline.py
EZ_TOOLS_DIR=/opt/zimmermantools

# Case directories
CASE_DIR=/cases
EXPORTS_DIR=./exports
ANALYSIS_DIR=./analysis

Chain of Custody

Every tool execution is logged to analysis/forensic_audit.log:

{
  "timestamp": "2026-06-10T12:34:56.789Z",
  "tool": "get_process_list",
  "command": "python3 -m volatility3 -f /cases/ROCBA/Rocba-Memory.raw windows.pslist",
  "raw_output_sha256": "abc123...",
  "raw_output_file": "./exports/get_process_list_2026-06-10T12-34-56.txt"
}

Raw outputs are preserved in exports/ for audit trail purposes.

License

MIT License — see LICENSE

Acknowledgments

Recommended Servers

playwright-mcp

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official
Featured
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Official
Featured
Local
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.

Official
Featured
Local
TypeScript
VeyraX MCP

VeyraX MCP

Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.

Official
Featured
Local
graphlit-mcp-server

graphlit-mcp-server

The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.

Official
Featured
TypeScript
Kagi MCP Server

Kagi MCP Server

An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.

Official
Featured
Python
E2B

E2B

Using MCP to run code via e2b.

Official
Featured
Neon Database

Neon Database

MCP server for interacting with Neon Management API and databases

Official
Featured
Exa Search

Exa Search

A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.

Official
Featured
Qdrant Server

Qdrant Server

This repository is an example of how to create a MCP server for Qdrant, a vector search engine.

Official
Featured