sift-forensic-mcp

Enables autonomous forensic investigation of disk images by mounting evidence, scanning for malware, and generating courtroom-ready reports using SIFT Workstation tools.

FIND EVIL! — SIFT Forensic AI Agent

Autonomous incident response agent that mounts a 119 GB forensic disk image, hunts malware and anti-forensics through 18 MCP tools on a SIFT Workstation VM, and writes a courtroom-ready report — with no human in the loop.

Demo video: https://youtu.be/ySjuSR9AP3Q
License: MIT
Architecture pattern: Custom MCP Server


What it does

The agent receives a single prompt ("investigate the VANKO disk image") and autonomously:

  1. Mounts the EWF forensic image read-only via ewfmount + ntfs-3g
  2. Enumerates users, recent files, and installed software
  3. Scans for suspicious executables in %TEMP%, %AppData%, and Downloads
  4. Parses the Windows registry for persistence mechanisms
  5. Extracts and correlates Windows Event Log logon events
  6. Runs YARA malware signatures across the image
  7. Identifies Prefetch artifacts proving anti-forensic tool execution
  8. Produces findings/findings_report.json with confidence-scored IOCs

On the VANKO case it produced 8 confirmed findings, including WiFi packet capture, evidence destruction (SDelete), an encrypted volume (VeraCrypt FORMAT confirmed) and a typosquatted RAT, and identified the subject as anthony.vanko@gmail.com.


Architecture

┌──────────────────────────────────────────────────────────┐
│  Windows Host (analyst workstation)                       │
│                                                           │
│  orchestrator.py  ←→  gpt-5.4-mini (OpenAI-compat API)   │
│        │                                                  │
│  sift-forensic-mcp  (18 MCP tools, stdio transport)       │
│        │  asyncssh (TCP 22)                               │
└────────┼─────────────────────────────────────────────────┘
         │
┌────────▼─────────────────────────────────────────────────┐
│  SIFT Workstation 2026 VM  (Ubuntu 22.04, VMware NAT)     │
│                                                           │
│  /cases/VANKO/surface_physical.E01                        │
│       ewfmount → /mnt/ewf/ewf1                            │
│       kpartx   → /dev/mapper/loop0p3                      │
│       ntfs-3g  → /mnt/windows/  (READ-ONLY)               │
│                                                           │
│  SIFT tools: ewfmount, log2timeline, yara,                │
│              regripper, python-evtx, strings, file        │
└──────────────────────────────────────────────────────────┘

See docs/architecture.md for the full tool inventory and security boundary breakdown.
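The mount chain in the diagram (ewfmount exposes the E01 set as a raw file, kpartx maps its partitions, ntfs-3g mounts the NTFS volume read-only) is the step that decides whether the evidence stays forensically sound. The following Python is an added example, not code from the sift-forensic-mcp project: it builds those commands with every stage read-only, parses `kpartx -v` output to find the mapper devices instead of hard-coding `loop0p3`, and checks a `/proc/mounts` excerpt to confirm the final mount really carries `ro`. The kpartx and /proc/mounts samples are constructed, and the mount options beyond `ro` (`noexec,nodev,nosuid`) are this example's hardening choice, not something the README specifies.

```python
import re
import shlex

# Constructed sample of `kpartx -a -v -r /mnt/ewf/ewf1` output (not captured from the VANKO image).
SAMPLE_KPARTX_OUTPUT = """\
add map loop0p1 (253:0): 0 1021952 linear 7:0 2048
add map loop0p2 (253:1): 0 262144 linear 7:0 1024000
add map loop0p3 (253:2): 0 248283136 linear 7:0 1286144
"""

# Constructed /proc/mounts excerpt: an ntfs-3g mount appears with fstype fuseblk.
SAMPLE_PROC_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/mapper/loop0p3 /mnt/windows fuseblk ro,nosuid,nodev,noexec,relatime,user_id=0,group_id=0,allow_other,blksize=4096 0 0
/dev/mapper/loop0p1 /mnt/scratch fuseblk rw,relatime,user_id=0,group_id=0 0 0
"""

# ro: no journal replay, no $MFT timestamp updates. noexec/nodev/nosuid: nothing on the
# evidence can be executed on the workstation. show_sys_files exposes $MFT, $LogFile etc.
# for parsing; streams_interface=windows makes alternate data streams reachable as file:stream.
NTFS_RO_OPTIONS = "ro,noexec,nodev,nosuid,show_sys_files,streams_interface=windows"


def expose_commands(image: str, ewf_dir: str) -> list[str]:
    """Commands that expose the E01 set as a raw image and map its partitions, read-only."""
    raw = f"{ewf_dir.rstrip('/')}/ewf1"      # ewfmount always names the raw file ewf1
    return [
        f"ewfmount {shlex.quote(image)} {shlex.quote(ewf_dir)}",
        f"kpartx -a -v -r {shlex.quote(raw)}",   # -r: set up the partition mappings read-only
    ]


_KPARTX_LINE = re.compile(r"^add map (\S+) \(\d+:\d+\): \d+ (\d+) linear ")


def mapper_devices(kpartx_output: str) -> dict[str, int]:
    """Map each /dev/mapper device kpartx created to its size in 512-byte sectors."""
    devices: dict[str, int] = {}
    for line in kpartx_output.splitlines():
        m = _KPARTX_LINE.match(line)
        if m:
            devices[f"/dev/mapper/{m.group(1)}"] = int(m.group(2))
    return devices


def ntfs_mount_command(mapper_dev: str, target: str) -> str:
    """Read-only ntfs-3g mount of one mapped partition."""
    return f"mount -t ntfs-3g -o {NTFS_RO_OPTIONS} {shlex.quote(mapper_dev)} {shlex.quote(target)}"


def mount_is_read_only(proc_mounts: str, target: str) -> bool:
    """True only if `target` is present in /proc/mounts-style text with the ro option.

    /proc/mounts fields: device mountpoint fstype options dump pass.
    An absent mount point is reported as not read-only so callers fail closed.
    """
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == target:
            return "ro" in fields[3].split(",")
    return False


if __name__ == "__main__":
    for cmd in expose_commands("/cases/VANKO/surface_physical.E01", "/mnt/ewf"):
        print(cmd)
    devices = mapper_devices(SAMPLE_KPARTX_OUTPUT)
    biggest = max(devices, key=devices.get)          # the Windows volume is the largest partition
    print(ntfs_mount_command(biggest, "/mnt/windows"))
    print("read-only:", mount_is_read_only(SAMPLE_PROC_MOUNTS, "/mnt/windows"))
```

Run the commands on the SIFT VM in that order and run the `/proc/mounts` check before any tool touches `/mnt/windows`; an agent that continues after a failed check has no way to argue later that the volume was unmodified.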


Prerequisites

  • Windows 10/11 host with VMware Workstation Pro 17+
  • Python 3.10+
  • OpenAI-compatible API key (or set OPENAI_BASE_URL to a local endpoint)
  • ~150 GB free disk space (119 GB evidence + SIFT VM)
  • 8 GB+ RAM (16 GB recommended)

Quick start

1. Clone and install

git clone https://github.com/OLGTX303/find-evil-sift-agent
cd find-evil-sift-agent
pip install -e .

2. Import the SIFT Workstation VM

$ovftool = "C:\Program Files (x86)\VMware\VMware Workstation\OVFTool\ovftool.exe"
& $ovftool --acceptAllEulas --name="SIFT-2026" sift-2026-04-22.ova F:\SIFT-VM\

3. Place evidence files

find\VANKO\surface_physical.E01  (through .E21)
find\VANKO\vanko-c-drive.CYLR.7z

4. Start and configure the SIFT VM

python setup_sift_vm.py
# Starts the VM, enables SSH, copies evidence — prints the VM IP at the end

5. Set environment variables

$env:OPENAI_API_KEY    = "sk-..."
$env:OPENAI_BASE_URL   = "https://api.openai.com/v1"   # or your endpoint
$env:SIFT_HOST         = "192.168.x.x"   # from setup_sift_vm.py
$env:SIFT_PORT         = "22"
$env:SIFT_USER         = "sansforensics"
$env:SIFT_PASS         = "forensics"
$env:EVIDENCE_DIR      = "/cases/VANKO"

6. Run the investigation

python orchestrator.py --output-dir ./findings

The agent prints its reasoning and tool calls to stderr in real time.
An investigation takes 15–30 minutes (log2timeline on the 119 GB image runs in the background).

7. Review results

# Structured findings report
cat findings/findings_report.json

# Full timestamped audit trail
cat findings/agent_execution_log.jsonl
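Reviewing the two output files by hand is fine for a demo, but an analyst will want to filter the report by confidence and confirm the audit trail is intact before relying on it. The following Python is an added example, not part of the project: it assumes a schema in which findings_report.json carries a "findings" list with "confidence" and "iocs" fields, and agent_execution_log.jsonl has one object per line with "ts" and "tool" fields (the project's real field names may differ). Both inputs are constructed samples; the IOC values are placeholders, not findings from the VANKO case.

```python
import json
from datetime import datetime

# Constructed findings_report.json content using an assumed schema.
SAMPLE_REPORT = json.dumps({
    "case": "EXAMPLE-CASE",
    "findings": [
        {"id": "F1", "title": "Secure-deletion tool executed", "confidence": 0.95,
         "iocs": ["C:\\Users\\user\\Downloads\\example-wiper.exe"]},
        {"id": "F2", "title": "Unrecognised scheduled task", "confidence": 0.45,
         "iocs": ["\\Microsoft\\Windows\\ExampleTask"]},
        {"id": "F3", "title": "Typosquatted package in AppData", "confidence": 0.80,
         "iocs": ["C:\\Users\\user\\AppData\\Roaming\\example\\update.exe", "203.0.113.10"]},
    ],
})

# Constructed agent_execution_log.jsonl lines (assumed fields). The third entry's
# timestamp goes backwards, which a review should flag.
SAMPLE_AUDIT_LOG = "\n".join([
    '{"ts": "2026-04-22T10:00:00Z", "tool": "mount_image", "ok": true}',
    '{"ts": "2026-04-22T10:00:05Z", "tool": "list_users", "ok": true}',
    '{"ts": "2026-04-22T10:00:02Z", "tool": "run_yara", "ok": false}',
])


def confident_findings(report_json: str, threshold: float) -> list[dict]:
    """Findings whose confidence score meets the threshold, in report order."""
    report = json.loads(report_json)
    return [f for f in report["findings"] if f.get("confidence", 0.0) >= threshold]


def unique_iocs(report_json: str, threshold: float) -> set[str]:
    """De-duplicated IOCs drawn only from findings at or above the threshold."""
    return {ioc for f in confident_findings(report_json, threshold) for ioc in f.get("iocs", [])}


def audit_log_problems(jsonl_text: str) -> list[str]:
    """Describe every defect in the audit trail: bad JSON, missing fields, non-monotonic time."""
    problems: list[str] = []
    last_ts = None
    for n, line in enumerate(jsonl_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            problems.append(f"line {n}: not valid JSON")
            continue
        if "ts" not in entry or "tool" not in entry:
            problems.append(f"line {n}: missing ts/tool field")
            continue
        # Python 3.10's fromisoformat does not accept a trailing Z, so normalise it.
        ts = datetime.fromisoformat(entry["ts"].replace("Z", "+00:00"))
        if last_ts is not None and ts < last_ts:
            problems.append(f"line {n}: timestamp {entry['ts']} earlier than previous entry")
        last_ts = ts
    return problems


if __name__ == "__main__":
    for f in confident_findings(SAMPLE_REPORT, 0.8):
        print(f["id"], f["confidence"], f["title"])
    print("IOCs:", sorted(unique_iocs(SAMPLE_REPORT, 0.8)))
    print("audit problems:", audit_log_problems(SAMPLE_AUDIT_LOG))
```

Point the functions at the real files with `open("findings/findings_report.json").read()` and the same for the .jsonl, adjusting the field names to whatever the project actually emits. A non-empty problem list from `audit_log_problems` is a reason to re-run the investigation rather than to hand the report on.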

MCP server (standalone — use with Claude Code)

# Register the MCP server in Claude Code
claude mcp add sift-forensic \
  -e SIFT_HOST=192.168.x.x \
  -e SIFT_PORT=22 \
  -e SIFT_USER=sansforensics \
  -e SIFT_PASS=forensics \
  -- sift-mcp

# Then in Claude Code:
# "Mount the VANKO image and find evil"

Repository layout

sift-agent/
├── orchestrator.py          ← Autonomous IR agent (gpt-5.4-mini)
├── setup_sift_vm.py         ← One-time VM setup
├── pyproject.toml
├── LICENSE                  ← MIT
├── src/sift_mcp/
│   ├── server.py            ← MCP server (stdio transport)
│   ├── tools.py             ← 18 forensic tool implementations
│   └── ssh_client.py        ← asyncssh helper with sudo support
├── findings/
│   ├── findings_report.json         ← Structured IOC report
│   └── agent_execution_log.jsonl    ← Full timestamped audit trail
├── demo/
│   ├── demo_find_evil.mp4           ← Narrated demo video (local copy)
│   ├── mcp_session.json             ← Real captured tool output
│   └── cover_3x2.png                ← Devpost thumbnail (1200×800)
└── docs/
    ├── architecture.md      ← Component diagram + security boundaries
    ├── accuracy_report.md   ← Finding accuracy + false positive analysis
    ├── dataset.md           ← Evidence dataset documentation
    └── try-it-out.md        ← Judges guide

Docs

Document                  Contents
docs/architecture.md      Component diagram, tool inventory, security boundaries, guardrails
docs/accuracy_report.md   8 findings vs ground truth, false positives, evidence integrity
docs/dataset.md           VANKO case dataset, provenance, integrity hashes
docs/try-it-out.md        Step-by-step judges guide with troubleshooting

License

MIT — see LICENSE.
