DeepSIFT

DeepSIFT

DeepSIFT is an MCP server that wraps SANS SIFT Workstation forensic tools with structured JSON output and RAG threat intelligence, reducing LLM hallucinations in autonomous incident response.

Category
访问服务器

README

DeepSIFT

AI-Driven Forensic Analysis with Zero Hallucinations

DeepSIFT is a Python MCP (Model Context Protocol) middleware server that wraps SANS SIFT Workstation forensic tools, dramatically reducing LLM hallucinations in autonomous AI-driven incident response.

Built for the Find Evil! Hackathon hosted by SANS DFIR.


The Problem

Protocol SIFT connects Claude Code to SIFT Workstation but hallucinates more than acceptable:

Protocol SIFT Problem DeepSIFT Solution
Raw Volatility output (10k+ lines) dumped into context Python parsers convert output to structured JSON first
Generic execute_shell_cmd — agent guesses plugin names Typed MCP functions — one function per tool action
Prompt-only safety ("never modify evidence") Architectural enforcement — zero write ops on evidence paths
No threat intelligence context RAG pipeline injects MITRE ATT&CK + IOCs into every finding

Architecture

Claude Code (autonomous execution engine)
        ↓ calls typed MCP functions
DeepSIFT MCP Server  ←── RAG Pipeline (ChromaDB + MITRE ATT&CK)
        ↓ executes and parses raw output
SIFT Tools (volatility, log2timeline, sleuthkit, yara, ez tools)
        ↑ structured JSON returned — raw text never reaches LLM

Available MCP Tools

Memory Forensics (Volatility 3)

Tool Description
get_process_list Process list with Hunt Evil baseline comparison
find_injected_code Malfind with injection type classification
get_network_connections Netscan with external IP flagging
get_command_history Cmdline with suspicious pattern detection
get_loaded_dlls DLL list with path-based suspicion scoring
get_registry_hives Registry hive list from memory
get_registry_key Read specific registry key values
get_handles Open handles (files, mutexes, pipes)
finish_analysis Save final structured findings

Timeline (log2timeline / Plaso)

Tool Description
create_super_timeline Create Plaso storage from disk image
filter_timeline Extract events for a time window
get_browser_history WEBHIST events only

Disk Forensics (Sleuth Kit)

Tool Description
get_partition_table Partition layout via mmls
get_file_listing File system tree via fls
extract_file Extract file by inode via icat
search_deleted_files Deleted/unallocated files

YARA Hunting

Tool Description
scan_file_with_yara Scan file with rule set
scan_memory_with_yara Scan memory image via yarascan
list_yara_rule_sets Show available rules

Windows Artifacts (EZ Tools)

Tool Description
parse_prefetch Program execution history
parse_lnk_files Recent file access
parse_jump_lists Application recent items
parse_registry_hive Offline hive parsing
lookup_ip_reputation AbuseIPDB + VirusTotal

Prerequisites

  • SANS SIFT Workstation (Ubuntu x86-64)
  • Python 3.10+
  • Volatility 3 (python3 -m volatility3)
  • log2timeline / Plaso (log2timeline.py, psort.py)
  • The Sleuth Kit (fls, mmls, icat)
  • YARA
  • EZ Tools at /opt/zimmermantools/ (optional — Windows artifact tools)

Installation

# Clone the repo
git clone https://github.com/ahammadshawki8/DeepSIFT.git
cd DeepSIFT

# Install Python dependencies
pip3 install -r requirements.txt

# Configure environment
cp .env.example .env
nano .env  # Add your API keys and verify tool paths

# Initialize RAG knowledge base (downloads ~100MB MITRE ATT&CK JSON)
python3 rag/ingest/mitre_attack.py

# Run tests to verify parsers work
pytest tests/ -v

Quick Start — Investigate a Memory Image

Option A: Use with Claude Code (Recommended)

  1. Add to your Claude Code MCP configuration:
{
  "mcpServers": {
    "deepsift": {
      "command": "python3",
      "args": ["/path/to/DeepSIFT/mcp_server/server.py"]
    }
  }
}
  1. Start an investigation:
Investigate /cases/ROCBA/Rocba-Memory.raw for signs of unauthorized access
on or after November 13, 2020.

Claude will automatically call get_process_listfind_injected_codeget_network_connectionsfinish_analysis and produce a structured report.

Option B: Multi-Agent Orchestrator (LangGraph)

python3 agents/orchestrator.py --image /cases/ROCBA/Rocba-Memory.raw --case-dir /cases/ROCBA

Run Benchmark

Compare DeepSIFT against Protocol SIFT baseline:

python3 benchmark/runner.py \
  --baseline /cases/ROCBA-BASELINE \
  --ours /cases/ROCBA-DEEPSIFT \
  --ground-truth benchmark/ground_truth/rocba_ground_truth.json \
  --output docs/accuracy_report.md

Configuration

Copy .env.example to .env:

ANTHROPIC_API_KEY=your_key_here
VIRUSTOTAL_API_KEY=your_key_here      # optional — enables IP reputation
ABUSEIPDB_API_KEY=your_key_here       # optional — enables IP reputation

# Override tool paths if different from SIFT defaults
VOLATILITY_CMD=python3 -m volatility3
LOG2TIMELINE_CMD=log2timeline.py
EZ_TOOLS_DIR=/opt/zimmermantools

# Case directories
CASE_DIR=/cases
EXPORTS_DIR=./exports
ANALYSIS_DIR=./analysis

Chain of Custody

Every tool execution is logged to analysis/forensic_audit.log:

{
  "timestamp": "2026-06-10T12:34:56.789Z",
  "tool": "get_process_list",
  "command": "python3 -m volatility3 -f /cases/ROCBA/Rocba-Memory.raw windows.pslist",
  "raw_output_sha256": "abc123...",
  "raw_output_file": "./exports/get_process_list_2026-06-10T12-34-56.txt"
}

Raw outputs are preserved in exports/ for audit trail purposes.


License

MIT License — see LICENSE


Acknowledgments

推荐服务器

Baidu Map

Baidu Map

百度地图核心API现已全面兼容MCP协议,是国内首家兼容MCP协议的地图服务商。

官方
精选
JavaScript
Playwright MCP Server

Playwright MCP Server

一个模型上下文协议服务器,它使大型语言模型能够通过结构化的可访问性快照与网页进行交互,而无需视觉模型或屏幕截图。

官方
精选
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

一个由人工智能驱动的工具,可以从自然语言描述生成现代化的用户界面组件,并与流行的集成开发环境(IDE)集成,从而简化用户界面开发流程。

官方
精选
本地
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

通过模型上下文协议启用与 Audiense Insights 账户的交互,从而促进营销洞察和受众数据的提取和分析,包括人口统计信息、行为和影响者互动。

官方
精选
本地
TypeScript
VeyraX

VeyraX

一个单一的 MCP 工具,连接你所有喜爱的工具:Gmail、日历以及其他 40 多个工具。

官方
精选
本地
graphlit-mcp-server

graphlit-mcp-server

模型上下文协议 (MCP) 服务器实现了 MCP 客户端与 Graphlit 服务之间的集成。 除了网络爬取之外,还可以将任何内容(从 Slack 到 Gmail 再到播客订阅源)导入到 Graphlit 项目中,然后从 MCP 客户端检索相关内容。

官方
精选
TypeScript
Kagi MCP Server

Kagi MCP Server

一个 MCP 服务器,集成了 Kagi 搜索功能和 Claude AI,使 Claude 能够在回答需要最新信息的问题时执行实时网络搜索。

官方
精选
Python
e2b-mcp-server

e2b-mcp-server

使用 MCP 通过 e2b 运行代码。

官方
精选
Neon MCP Server

Neon MCP Server

用于与 Neon 管理 API 和数据库交互的 MCP 服务器

官方
精选
Exa MCP Server

Exa MCP Server

模型上下文协议(MCP)服务器允许像 Claude 这样的 AI 助手使用 Exa AI 搜索 API 进行网络搜索。这种设置允许 AI 模型以安全和受控的方式获取实时的网络信息。

官方
精选