DeepSIFT
DeepSIFT is an MCP server that wraps SANS SIFT Workstation forensic tools with structured JSON output and RAG threat intelligence, reducing LLM hallucinations in autonomous incident response.
README
DeepSIFT
AI-Driven Forensic Analysis with Zero Hallucinations
DeepSIFT is a Python MCP (Model Context Protocol) middleware server that wraps SANS SIFT Workstation forensic tools, dramatically reducing LLM hallucinations in autonomous AI-driven incident response.
Built for the Find Evil! Hackathon hosted by SANS DFIR.
The Problem
Protocol SIFT connects Claude Code to SIFT Workstation but hallucinates more than acceptable:
| Protocol SIFT Problem | DeepSIFT Solution |
|---|---|
| Raw Volatility output (10k+ lines) dumped into context | Python parsers convert output to structured JSON first |
Generic execute_shell_cmd — agent guesses plugin names |
Typed MCP functions — one function per tool action |
| Prompt-only safety ("never modify evidence") | Architectural enforcement — zero write ops on evidence paths |
| No threat intelligence context | RAG pipeline injects MITRE ATT&CK + IOCs into every finding |
Architecture
Claude Code (autonomous execution engine)
↓ calls typed MCP functions
DeepSIFT MCP Server ←── RAG Pipeline (ChromaDB + MITRE ATT&CK)
↓ executes and parses raw output
SIFT Tools (volatility, log2timeline, sleuthkit, yara, ez tools)
↑ structured JSON returned — raw text never reaches LLM
Available MCP Tools
Memory Forensics (Volatility 3)
| Tool | Description |
|---|---|
get_process_list |
Process list with Hunt Evil baseline comparison |
find_injected_code |
Malfind with injection type classification |
get_network_connections |
Netscan with external IP flagging |
get_command_history |
Cmdline with suspicious pattern detection |
get_loaded_dlls |
DLL list with path-based suspicion scoring |
get_registry_hives |
Registry hive list from memory |
get_registry_key |
Read specific registry key values |
get_handles |
Open handles (files, mutexes, pipes) |
finish_analysis |
Save final structured findings |
Timeline (log2timeline / Plaso)
| Tool | Description |
|---|---|
create_super_timeline |
Create Plaso storage from disk image |
filter_timeline |
Extract events for a time window |
get_browser_history |
WEBHIST events only |
Disk Forensics (Sleuth Kit)
| Tool | Description |
|---|---|
get_partition_table |
Partition layout via mmls |
get_file_listing |
File system tree via fls |
extract_file |
Extract file by inode via icat |
search_deleted_files |
Deleted/unallocated files |
YARA Hunting
| Tool | Description |
|---|---|
scan_file_with_yara |
Scan file with rule set |
scan_memory_with_yara |
Scan memory image via yarascan |
list_yara_rule_sets |
Show available rules |
Windows Artifacts (EZ Tools)
| Tool | Description |
|---|---|
parse_prefetch |
Program execution history |
parse_lnk_files |
Recent file access |
parse_jump_lists |
Application recent items |
parse_registry_hive |
Offline hive parsing |
lookup_ip_reputation |
AbuseIPDB + VirusTotal |
Prerequisites
- SANS SIFT Workstation (Ubuntu x86-64)
- Python 3.10+
- Volatility 3 (
python3 -m volatility3) - log2timeline / Plaso (
log2timeline.py,psort.py) - The Sleuth Kit (
fls,mmls,icat) - YARA
- EZ Tools at
/opt/zimmermantools/(optional — Windows artifact tools)
Installation
# Clone the repo
git clone https://github.com/ahammadshawki8/DeepSIFT.git
cd DeepSIFT
# Install Python dependencies
pip3 install -r requirements.txt
# Configure environment
cp .env.example .env
nano .env # Add your API keys and verify tool paths
# Initialize RAG knowledge base (downloads ~100MB MITRE ATT&CK JSON)
python3 rag/ingest/mitre_attack.py
# Run tests to verify parsers work
pytest tests/ -v
Quick Start — Investigate a Memory Image
Option A: Use with Claude Code (Recommended)
- Add to your Claude Code MCP configuration:
{
"mcpServers": {
"deepsift": {
"command": "python3",
"args": ["/path/to/DeepSIFT/mcp_server/server.py"]
}
}
}
- Start an investigation:
Investigate /cases/ROCBA/Rocba-Memory.raw for signs of unauthorized access
on or after November 13, 2020.
Claude will automatically call get_process_list → find_injected_code →
get_network_connections → finish_analysis and produce a structured report.
Option B: Multi-Agent Orchestrator (LangGraph)
python3 agents/orchestrator.py --image /cases/ROCBA/Rocba-Memory.raw --case-dir /cases/ROCBA
Run Benchmark
Compare DeepSIFT against Protocol SIFT baseline:
python3 benchmark/runner.py \
--baseline /cases/ROCBA-BASELINE \
--ours /cases/ROCBA-DEEPSIFT \
--ground-truth benchmark/ground_truth/rocba_ground_truth.json \
--output docs/accuracy_report.md
Configuration
Copy .env.example to .env:
ANTHROPIC_API_KEY=your_key_here
VIRUSTOTAL_API_KEY=your_key_here # optional — enables IP reputation
ABUSEIPDB_API_KEY=your_key_here # optional — enables IP reputation
# Override tool paths if different from SIFT defaults
VOLATILITY_CMD=python3 -m volatility3
LOG2TIMELINE_CMD=log2timeline.py
EZ_TOOLS_DIR=/opt/zimmermantools
# Case directories
CASE_DIR=/cases
EXPORTS_DIR=./exports
ANALYSIS_DIR=./analysis
Chain of Custody
Every tool execution is logged to analysis/forensic_audit.log:
{
"timestamp": "2026-06-10T12:34:56.789Z",
"tool": "get_process_list",
"command": "python3 -m volatility3 -f /cases/ROCBA/Rocba-Memory.raw windows.pslist",
"raw_output_sha256": "abc123...",
"raw_output_file": "./exports/get_process_list_2026-06-10T12-34-56.txt"
}
Raw outputs are preserved in exports/ for audit trail purposes.
License
MIT License — see LICENSE
Acknowledgments
- SANS DFIR — SIFT Workstation and FOR508 Hunt Evil poster
- MITRE ATT&CK — threat intelligence framework
- Protocol SIFT — baseline this project improves upon
- Volatility Foundation — Volatility 3
推荐服务器
Baidu Map
百度地图核心API现已全面兼容MCP协议,是国内首家兼容MCP协议的地图服务商。
Playwright MCP Server
一个模型上下文协议服务器,它使大型语言模型能够通过结构化的可访问性快照与网页进行交互,而无需视觉模型或屏幕截图。
Magic Component Platform (MCP)
一个由人工智能驱动的工具,可以从自然语言描述生成现代化的用户界面组件,并与流行的集成开发环境(IDE)集成,从而简化用户界面开发流程。
Audiense Insights MCP Server
通过模型上下文协议启用与 Audiense Insights 账户的交互,从而促进营销洞察和受众数据的提取和分析,包括人口统计信息、行为和影响者互动。
VeyraX
一个单一的 MCP 工具,连接你所有喜爱的工具:Gmail、日历以及其他 40 多个工具。
graphlit-mcp-server
模型上下文协议 (MCP) 服务器实现了 MCP 客户端与 Graphlit 服务之间的集成。 除了网络爬取之外,还可以将任何内容(从 Slack 到 Gmail 再到播客订阅源)导入到 Graphlit 项目中,然后从 MCP 客户端检索相关内容。
Kagi MCP Server
一个 MCP 服务器,集成了 Kagi 搜索功能和 Claude AI,使 Claude 能够在回答需要最新信息的问题时执行实时网络搜索。
e2b-mcp-server
使用 MCP 通过 e2b 运行代码。
Neon MCP Server
用于与 Neon 管理 API 和数据库交互的 MCP 服务器
Exa MCP Server
模型上下文协议(MCP)服务器允许像 Claude 这样的 AI 助手使用 Exa AI 搜索 API 进行网络搜索。这种设置允许 AI 模型以安全和受控的方式获取实时的网络信息。