sift-forensic-mcp
Enables autonomous forensic investigation of disk images by mounting evidence, scanning for malware, and generating courtroom-ready reports using SIFT Workstation tools.
README
FIND EVIL! — SIFT Forensic AI Agent
Autonomous incident response agent that mounts a 119 GB forensic disk image, hunts malware and anti-forensics through 18 MCP tools on a SIFT Workstation VM, and writes a courtroom-ready report — with no human in the loop.
Demo video: https://youtu.be/ySjuSR9AP3Q
License: MIT
Architecture pattern: Custom MCP Server
What it does
The agent receives a single prompt ("investigate the VANKO disk image") and autonomously:
- Mounts the EWF forensic image read-only via
ewfmount+ntfs-3g - Enumerates users, recent files, and installed software
- Scans for suspicious executables in
%TEMP%,%AppData%, andDownloads - Parses the Windows registry for persistence mechanisms
- Extracts and correlates Windows Event Log logon events
- Runs YARA malware signatures across the image
- Identifies Prefetch artifacts proving anti-forensic tool execution
- Produces
findings/findings_report.jsonwith confidence-scored IOCs
On the VANKO case it found 8 confirmed findings including WiFi packet capture, evidence destruction (SDelete), an encrypted volume (VeraCrypt FORMAT confirmed), a typosquatted RAT, and identified the subject as anthony.vanko@gmail.com.
Architecture
┌──────────────────────────────────────────────────────────┐
│ Windows Host (analyst workstation) │
│ │
│ orchestrator.py ←→ gpt-5.4-mini (OpenAI-compat API) │
│ │ │
│ sift-forensic-mcp (18 MCP tools, stdio transport) │
│ │ asyncssh (TCP 22) │
└────────┼─────────────────────────────────────────────────┘
│
┌────────▼─────────────────────────────────────────────────┐
│ SIFT Workstation 2026 VM (Ubuntu 22.04, VMware NAT) │
│ │
│ /cases/VANKO/surface_physical.E01 │
│ ewfmount → /mnt/ewf/ewf1 │
│ kpartx → /dev/mapper/loop0p3 │
│ ntfs-3g → /mnt/windows/ (READ-ONLY) │
│ │
│ SIFT tools: ewfmount, log2timeline, yara, │
│ regripper, python-evtx, strings, file │
└──────────────────────────────────────────────────────────┘
See docs/architecture.md for the full tool inventory and security boundary breakdown.
Prerequisites
- Windows 10/11 host with VMware Workstation Pro 17+
- Python 3.10+
- OpenAI-compatible API key (or set
OPENAI_BASE_URLto a local endpoint) - ~150 GB free disk space (119 GB evidence + SIFT VM)
- 8 GB+ RAM (16 GB recommended)
Quick start
1. Clone and install
git clone https://github.com/OLGTX303/find-evil-sift-agent
cd find-evil-sift-agent
pip install -e .
2. Import the SIFT Workstation VM
$ovftool = "C:\Program Files (x86)\VMware\VMware Workstation\OVFTool\ovftool.exe"
& $ovftool --acceptAllEulas --name="SIFT-2026" sift-2026-04-22.ova F:\SIFT-VM\
3. Place evidence files
find\VANKO\surface_physical.E01 (through .E21)
find\VANKO\vanko-c-drive.CYLR.7z
4. Start and configure the SIFT VM
python setup_sift_vm.py
# Starts the VM, enables SSH, copies evidence — prints the VM IP at the end
5. Set environment variables
$env:OPENAI_API_KEY = "sk-..."
$env:OPENAI_BASE_URL = "https://api.openai.com/v1" # or your endpoint
$env:SIFT_HOST = "192.168.x.x" # from setup_sift_vm.py
$env:SIFT_PORT = "22"
$env:SIFT_USER = "sansforensics"
$env:SIFT_PASS = "forensics"
$env:EVIDENCE_DIR = "/cases/VANKO"
6. Run the investigation
python orchestrator.py --output-dir ./findings
The agent prints reasoning and tool calls to stderr in real time.
Investigation takes 15–30 minutes (log2timeline on 119 GB runs in background).
7. Review results
# Structured findings report
cat findings/findings_report.json
# Full timestamped audit trail
cat findings/agent_execution_log.jsonl
MCP server (standalone — use with Claude Code)
# Register the MCP server in Claude Code
claude mcp add sift-forensic \
-e SIFT_HOST=192.168.x.x \
-e SIFT_PORT=22 \
-e SIFT_USER=sansforensics \
-e SIFT_PASS=forensics \
-- sift-mcp
# Then in Claude Code:
# "Mount the VANKO image and find evil"
Repository layout
sift-agent/
├── orchestrator.py ← Autonomous IR agent (gpt-5.4-mini)
├── setup_sift_vm.py ← One-time VM setup
├── pyproject.toml
├── LICENSE ← MIT
├── src/sift_mcp/
│ ├── server.py ← MCP server (stdio transport)
│ ├── tools.py ← 18 forensic tool implementations
│ └── ssh_client.py ← asyncssh helper with sudo support
├── findings/
│ ├── findings_report.json ← Structured IOC report
│ └── agent_execution_log.jsonl ← Full timestamped audit trail
├── demo/
│ ├── demo_find_evil.mp4 ← Narrated demo video (local copy)
│ ├── mcp_session.json ← Real captured tool output
│ └── cover_3x2.png ← Devpost thumbnail (1200×800)
└── docs/
├── architecture.md ← Component diagram + security boundaries
├── accuracy_report.md ← Finding accuracy + false positive analysis
├── dataset.md ← Evidence dataset documentation
└── try-it-out.md ← Judges guide
Docs
| Document | Contents |
|---|---|
docs/architecture.md |
Component diagram, tool inventory, security boundaries, guardrails |
docs/accuracy_report.md |
8 findings vs ground truth, false positives, evidence integrity |
docs/dataset.md |
VANKO case dataset, provenance, integrity hashes |
docs/try-it-out.md |
Step-by-step judges guide with troubleshooting |
License
MIT — see LICENSE.
推荐服务器
Baidu Map
百度地图核心API现已全面兼容MCP协议,是国内首家兼容MCP协议的地图服务商。
Playwright MCP Server
一个模型上下文协议服务器,它使大型语言模型能够通过结构化的可访问性快照与网页进行交互,而无需视觉模型或屏幕截图。
Magic Component Platform (MCP)
一个由人工智能驱动的工具,可以从自然语言描述生成现代化的用户界面组件,并与流行的集成开发环境(IDE)集成,从而简化用户界面开发流程。
Audiense Insights MCP Server
通过模型上下文协议启用与 Audiense Insights 账户的交互,从而促进营销洞察和受众数据的提取和分析,包括人口统计信息、行为和影响者互动。
VeyraX
一个单一的 MCP 工具,连接你所有喜爱的工具:Gmail、日历以及其他 40 多个工具。
graphlit-mcp-server
模型上下文协议 (MCP) 服务器实现了 MCP 客户端与 Graphlit 服务之间的集成。 除了网络爬取之外,还可以将任何内容(从 Slack 到 Gmail 再到播客订阅源)导入到 Graphlit 项目中,然后从 MCP 客户端检索相关内容。
Kagi MCP Server
一个 MCP 服务器,集成了 Kagi 搜索功能和 Claude AI,使 Claude 能够在回答需要最新信息的问题时执行实时网络搜索。
e2b-mcp-server
使用 MCP 通过 e2b 运行代码。
Neon MCP Server
用于与 Neon 管理 API 和数据库交互的 MCP 服务器
Exa MCP Server
模型上下文协议(MCP)服务器允许像 Claude 这样的 AI 助手使用 Exa AI 搜索 API 进行网络搜索。这种设置允许 AI 模型以安全和受控的方式获取实时的网络信息。