forensics-mcp

A local MCP server that wraps common forensic command-line tools for CTF/forensics competitions into MCP tools, enabling automated analysis of disk images, memory dumps, network captures, SQLite databases, archives, and steganography.

README

forensics-mcp

forensics-mcp is a local MCP server aimed at CTF / digital forensics competitions. It wraps the forensic command-line tools commonly used on Windows into MCP tools that Codex can call, and is suited to disk images, memory images, packet captures, SQLite databases, archives, image steganography and mixed evidence material.

The project is positioned as a "forensic glue layer": it does not replace large tools such as Autopsy, Magnet AXIOM, IDA or JADX, but wires together the steps that come up most often in competitions and are best suited to automation.

Features

  • File profiling: size, timestamps, MIME guess, magic signature, sampled entropy, header hex dump.
  • Hashing: md5, sha1 and sha256 by default; any other hashlib algorithm is also supported.
  • String search: ASCII / UTF-16LE, filterable by keyword or regex.
  • Read-only SQLite analysis: schema overview, row counts, read-only queries, CSV export.
  • Archives: directory listing and explicit extraction via 7-Zip.
  • File carving and steganography helpers: exiftool, binwalk, foremost, pngcheck.
  • Traffic analysis: capinfos summary, tshark protocol hierarchy and field extraction.
  • Memory forensics: wraps Volatility 3 plugin execution.
  • Disk images: img_stat, mmls, fsstat, fls, istat, and icat export.

Wrapped MCP tools

  • tool_inventory
  • forensic_triage
  • file_profile
  • hash_file
  • strings_search
  • sqlite_overview
  • sqlite_query
  • sqlite_export_query
  • archive_list
  • archive_extract
  • exiftool_json
  • binwalk_scan
  • foremost_carve
  • pngcheck
  • pcap_info
  • tshark_fields
  • volatility_run
  • disk_image_probe
  • tsk_mmls
  • tsk_fsstat
  • tsk_fls
  • tsk_istat
  • tsk_icat_export
  • run_known_tool

Installation

Using uv is recommended:

uv run --with "mcp[cli]>=1.12.3" python server.py

If installing as a Python package:

pip install .
forensics-mcp

Codex configuration example

If the project is located at G:\meiyuelou\mcp\forensics-mcp:

[mcp_servers.forensics]
command = "uv"
args = [
    "run",
    "--with",
    "mcp[cli]>=1.12.3",
    "python",
    'G:\meiyuelou\mcp\forensics-mcp\server.py',
]

[mcp_servers.forensics.env]
PYTHONIOENCODING = "utf-8"
PYTHONUTF8 = "1"
UV_CACHE_DIR = 'C:\Users\Meiyouqian\uv-cache'

More examples are in examples/

Automatic discovery of underlying tools

The server looks for each tool on PATH first, then tries a number of common Windows forensic tool directories, for example:

  • G:\tools\ctf工具箱\流量分析\WiresharkPortable\App\Wireshark\tshark.exe
  • G:\tools\ctf工具箱\图片隐写\exiftools\exiftool.exe
  • G:\tools\ctf-all-in-one-new\ctftools-all-in-one\libdll\misc\binwalk\binwalk.exe
  • G:\tools\foremost-master\foremost-master\binary\foremost.exe
  • G:\tools\PanelForensics.Windows\PanelForensics\lib\sqlite3.exe
  • G:\meiyuelou\mcp\sleuthkit-4.4.0-win32\sleuthkit-4.4.0-win32\bin

Individual tool paths can also be overridden with environment variables:

$env:FORENSICS_MCP_TSHARK_PATH = "D:\Tools\Wireshark\tshark.exe"
$env:FORENSICS_MCP_VOLATILITY3_PATH = "C:\Python310\Scripts\vol.exe"

The environment variable format is:

FORENSICS_MCP_<TOOL>_PATH
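The lookup order described above (environment override, then PATH, then fallback directories), together with the argument-list invocation the security boundary section relies on, can be implemented as follows. This is an added example, not the project's own code: `CANDIDATE_DIRS`, `resolve_tool`, `run_tool` and the fallback directories inside it are assumptions made for illustration. It uses the running Python interpreter as a stand-in tool, so it runs without any forensic binary installed, and the hostile file name it passes through shows why shell=False matters.

```python
"""Tool discovery plus no-shell invocation (added example; hypothetical names)."""
from __future__ import annotations

import os
import re
import shutil
import subprocess
import sys
from pathlib import Path
from typing import Dict, Mapping, Optional, Sequence, Tuple

# Hypothetical fallback directories, constructed for this example; the real
# project keeps its own list of Windows tool locations.
CANDIDATE_DIRS: Dict[str, Sequence[str]] = {
    "tshark": [r"C:\Program Files\Wireshark"],
    "exiftool": [r"C:\Tools\exiftool"],
}


def env_var_name(tool: str) -> str:
    """FORENSICS_MCP_<TOOL>_PATH, with anything non-alphanumeric folded to '_'."""
    return "FORENSICS_MCP_" + re.sub(r"[^A-Z0-9]", "_", tool.upper()) + "_PATH"


def resolve_tool(tool: str, env: Optional[Mapping[str, str]] = None,
                 search_path: Optional[str] = None) -> Optional[Path]:
    """Locate `tool`: explicit env override, then PATH, then fallback directories.

    An override that does not point at a file yields None instead of falling
    through to PATH: silently running a different binary than the one the
    analyst pinned is how the wrong tshark or vol build ends up in a report.
    """
    env = os.environ if env is None else env
    override = env.get(env_var_name(tool))
    if override:
        candidate = Path(override)
        return candidate if candidate.is_file() else None
    found = shutil.which(tool, path=search_path)
    if found:
        return Path(found)
    for directory in CANDIDATE_DIRS.get(tool, ()):
        for name in (tool, tool + ".exe"):
            candidate = Path(directory) / name
            if candidate.is_file():
                return candidate
    return None


def run_tool(tool: str, args: Sequence[object], timeout: float = 120,
             env: Optional[Mapping[str, str]] = None) -> Tuple[int, str, str]:
    """Run a resolved tool with an argv list and shell=False, so an evidence
    file name containing ';', '&&' or quotes reaches the tool verbatim instead
    of being interpreted by cmd.exe or /bin/sh."""
    exe = resolve_tool(tool, env=env)
    if exe is None:
        raise FileNotFoundError(f"{tool} not found; set {env_var_name(tool)}")
    argv = [str(exe), *(str(a) for a in args)]
    proc = subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout, shell=False, check=False)
    return proc.returncode, proc.stdout, proc.stderr


def demo() -> Dict[str, bool]:
    """Self-check using the running interpreter as a stand-in for a forensic tool."""
    python_var = env_var_name("python3")
    hostile_name = "evidence.E01; rm -rf / && echo pwned"  # constructed file name
    rc, out, _ = run_tool("python3", ["-c", "import sys; print(sys.argv[1])", hostile_name],
                          env={python_var: sys.executable})
    return {
        "override_resolves": resolve_tool("python3", env={python_var: sys.executable}) == Path(sys.executable),
        "bad_override_is_not_ignored": resolve_tool("python3", env={python_var: "/nonexistent/python.exe"}) is None,
        "missing_tool_is_none": resolve_tool("no-such-forensic-tool-zz", env={}, search_path="") is None,
        "argv_passed_verbatim": rc == 0 and out.strip() == hostile_name,
    }


if __name__ == "__main__":
    print(demo())
```

The one design choice worth stating is that a bad override is an error rather than a fallback: if `FORENSICS_MCP_TSHARK_PATH` points at a file that does not exist, quietly picking up whatever `tshark` is on PATH would produce results from a tool version the analyst never chose.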

Security boundary

  • Tool execution does not go through a shell; every command is invoked as an argument list.
  • SQLite queries only allow read-only statements by default.
  • Reading evidence takes priority; only the explicit export, extract and carve tools write to the output directory.
  • This project is intended for legally authorized CTF, teaching, incident response and digital forensics scenarios.

Suitable competition material

  • .E01 / .raw / .img disk images
  • .dmp / .lime memory images
  • .pcap / .pcapng packet captures
  • .sqlite / .db / .db-wal databases
  • Android application data directories and supporting APKs
  • ZIP / 7Z / RAR and similar archives
  • PNG / JPG / PDF / firmware and other mixed carriers

Development

python -m py_compile forensics_mcp\server.py forensics_mcp\triage.py
python -m pytest

Fast triage can also be run without MCP:

python -m forensics_mcp.triage "<evidence file or folder>" --max-files 500 --max-depth 6 --output-dir triage

The project currently leans toward a Windows forensic environment; it also runs on Linux/macOS, but you must make sure the underlying CLI tools are on PATH yourself.
