Command Palette

Search for a command to run...

UnylyUnyly
Весь каталог

SIFTGuard

БесплатноНе проверен

Enables autonomous digital forensics and incident response by wrapping SIFT Workstation tools as MCP tools and orchestrating a multi-agent AI pipeline for evide

GitHubEmbed

Описание

Enables autonomous digital forensics and incident response by wrapping SIFT Workstation tools as MCP tools and orchestrating a multi-agent AI pipeline for evidence analysis and remediation planning.

README

Python 3.11+ License: MIT FIND EVIL! 2026

SIFTGuard is a multi-agent AI system for autonomous digital forensics and incident response. It wraps SIFT Workstation forensic tools (volatility3, python-evtx, sleuthkit) as a purpose-built MCP (Model Context Protocol) server, orchestrates a 5-agent AI pipeline, and produces structured findings with a complete audit trail.

FIND EVIL! Hackathon 2026 — Track: Custom MCP Server + Multi-Agent Pipeline on SIFT Workstation


Architecture

SIFTGuard Architecture

Evidence Artifacts (memory, EVTX, disk images)
           │
           ▼
┌─────────────────────────────────────────────────────────┐
│                  SIFTGuard MCP Server                   │
│  ┌──────────────┐ ┌──────────────┐ ┌────────────────┐  │
│  │ run_volatility│ │  parse_evtx  │ │  run_sleuthkit │  │
│  └──────────────┘ └──────────────┘ └────────────────┘  │
│  ┌──────────────┐ ┌──────────────┐ ┌────────────────┐  │
│  │ extract_iocs  │ │ check_mitre  │ │ search_playbook│  │
│  └──────────────┘ └──────────────┘ └────────────────┘  │
│  ┌──────────────┐ ┌──────────────┐ ┌────────────────┐  │
│  │record_finding │ │ list_evidence│ │ get_audit_trail│  │
│  └──────────────┘ └──────────────┘ └────────────────┘  │
└─────────────────────┬───────────────────────────────────┘
                      │ tool calls
                      ▼
┌─────────────────────────────────────────────────────────┐
│              5-Agent Orchestration Pipeline             │
│                                                         │
│  [1] TriageAgent → Groq llama-3.3-70b                  │
│       ↓ threat classification, playbook selection       │
│  [2] AnalyzerAgent → MCP tools (volatility+evtx+tsk)   │
│       ↓ deep forensic analysis, finding extraction      │
│  [3] SelfCorrectionAgent → wraps all tool calls         │
│       ↓ autonomous retry with alternative strategies    │
│  [4] PlannerAgent → Groq + RAG over DFIR playbooks     │
│       ↓ prioritized containment/eradication plan        │
│  [5] ExecutorAgent → Human-in-the-Loop gate             │
│       ↓ approval + safe execution                       │
└─────────────────────────────────────────────────────────┘
                      │
                      ▼
         Findings + Audit Trail + Report

8 MCP Tools

Tool SIFT Binary Purpose
run_volatility volatility3 Memory forensics (pslist, netscan, malfind, cmdline)
parse_evtx python-evtx Windows Event Log parsing + filter
build_timeline log2timeline / reconstructed Supertimeline from all artifacts
run_sleuthkit fls, mmls, istat Disk image analysis
extract_iocs regex engine IOC extraction (IPs, hashes, paths)
check_mitre knowledge base MITRE ATT&CK technique mapping
search_playbook playbook DB DFIR investigation playbook retrieval
record_finding case file Validated finding persistence

Quickstart

1. Clone and Setup

git clone https://github.com/sodiq-code/siftguard
cd siftguard
bash scripts/setup.sh

2. Configure

cp .env.example .env
# Edit .env — add your GROQ_API_KEY

3. Add Evidence

# Place your forensic artifacts:
data/evidence/memory/    ← memory dumps (.mem, .raw, .dmp)
data/evidence/logs/      ← EVTX logs (.evtx)
data/evidence/disk/      ← disk images (.E01, .dd)

4. Run Full Pipeline

source .venv/bin/activate
python main.py

5. Run with Custom Indicators

python main.py --indicators "Suspicious process on port 4444, possible reverse shell"

6. Interactive Mode (real human approval)

python main.py --interactive

Pipeline Stages

Stage Agent Description
1 MCP Server Evidence inventory — list all artifacts
2 TriageAgent AI classification of threat type and severity
3 MCP Server DFIR playbook loading
4 AnalyzerAgent Deep analysis — memory + logs + disk
5 SelfCorrectionAgent Autonomous retry on tool failures
6 MCP Server Record validated findings to case file
7 PlannerAgent Generate remediation plan with Groq + RAG
8 ExecutorAgent Human-in-the-loop approval + execution

Forensic Integrity Note: The ExecutorAgent generates remediation commands targeting the compromised host — the SIFT Workstation environment remains strictly read-only throughout the entire investigation. No evidence is modified.


Self-Correction System

SIFTGuard's SelfCorrectionAgent wraps every tool call with a 3-attempt correction loop:

Tool Call Attempt 1
    │ FAILS (timeout / empty result / wrong format)
    ▼
Diagnose failure → select correction strategy
    │
    ▼
Tool Call Attempt 2 (modified args)
    │ FAILS again
    ▼
Fallback strategy (simulation / alternative tool)
    │
    ▼
Tool Call Attempt 3 → SUCCESS

All correction events are logged to the audit trail. Demonstrated live in the demo video.


Output Files

After running, SIFTGuard produces:

data/cases/
├── report_YYYYMMDD_HHMMSS.json     # Full investigation report
├── audit_YYYYMMDD_HHMMSS.json      # Tool call audit trail
└── findings.jsonl                  # All recorded findings (one per line)

Accuracy Metrics

Generate accuracy report vs. ground truth:

python -c "
from tools.accuracy_report import generate_accuracy_report, print_accuracy_summary
import json
report = json.load(open('data/cases/report_LATEST.json'))
acc = generate_accuracy_report(report, 'data/cases/accuracy.json')
print_accuracy_summary(acc)
"

Dataset

Evidence analyzed: SANS FIND EVIL! provided forensic image

  • Memory dump: Windows 10 victim system
  • Event logs: Security.evtx, System.evtx
  • Disk image: E01 format

Dataset documentation: docs/DATASET.md


Demo Video

4m 11s elite demo — 9-scene animated production video: intro, problem statement, solution overview, live pipeline execution (terminal), EVTX deep-dive, MITRE ATT&CK mapping, audit trail, architecture, and outro. Narrated with full VO + background music.

SIFTGuard Demo Video

What the demo covers:

  • Stage 1 — Evidence inventory (4 artifacts discovered)
  • Stage 2 — Groq AI triage in 0.3s, playbook selected
  • Stage 4 — Deep forensic analysis: volatility3, EVTX parsing, IOC extraction
  • Self-Correction Engine — 2 autonomous retries, zero human intervention (Evaluation Criterion #1)
  • Stage 5 — Findings + prioritized remediation plan (3 critical, 2 high severity)
  • Stage 6 — Human-in-the-Loop approval gate (Evaluation Criterion #4)
  • Stage 7 — Audit trail + JSON report (Evaluation Criterion #5)

Submission Components

# Component Location
1 Code Repository This repo
2 Demo Video ▶ Watch on YouTube (4m 11s)
3 Architecture Diagram docs/ARCHITECTURE.md
4 Written Description docs/DESCRIPTION.md
5 Dataset Documentation docs/DATASET.md
6 Accuracy Report docs/ACCURACY.md
7 Try-It-Out Instructions docs/HOWTO.md
8 Agent Execution Logs docs/EXECUTION_LOGS.md

Demo Screenshots

Real terminal output from a live pipeline run — no mocks, no edits.

Stage 1/8 — Evidence Inventory

Stage 1/8 - Evidence Inventory SIFTGuard ASCII banner + MCP server spin-up + evidence inventory across 3 incident cases (4e074085, a1b2c3d4, ff001122). Agent detects 4 evidence files across all cases.


Stages 2–3/8 — AI Triage + Playbook Load

Stages 2-3/8 - Groq AI Triage Groq Llama-3.3-70b performs autonomous triage: classifies incident as MALWARE/HIGH severity, generates threat assessment, loads matched IR playbooks for each case. (Output truncated at right edge — full hypothesis text continues beyond screenshot width.)


Stage 4/8 — Self-Correction Event

Stage 4/8 - Self-Correction Agent detects a failed tool call mid-analysis, logs a SELF-CORRECTION event, retries with adjusted parameters. Two-attempt autonomous recovery with full audit logging.


Stage 5/8 — Deep Analysis + Finding Recording

Stage 5/8 - Findings AnalyzerAgent deep forensic pass: volatility3 memory scan, EVTX log parsing, IOC extraction. 3 high-confidence findings recorded to case file (C2 beaconing, credential theft, lateral movement).


Stages 6–7/8 — Remediation Plan + HITL Gate

Stages 6-7/8 - Remediation Execution PlannerAgent generates ranked remediation plan; ExecutorAgent surfaces it through the Human-in-the-Loop approval gate before executing 5 actions: Block C2 IP, Remove Malicious Service, Restore System, Isolate Host, Remove Scheduled Task.


Stage 8/8 — Audit Trail + Investigation Complete

Stage 8/8 - Investigation Complete Full pipeline summary: 3 cases processed, 3 findings confirmed, 5 remediation actions executed, structured audit trail written. Total runtime captured.


License

MIT License — Copyright 2026 Sodiq Jimoh

from github.com/sodiq-code/siftguard

Установка SIFTGuard

У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.

▸ github.com/sodiq-code/siftguard

FAQ

SIFTGuard MCP бесплатный?

Да, SIFTGuard MCP бесплатный — установка в пару кликов через Unyly без оплаты.

Нужен ли API-ключ для SIFTGuard?

Нет, SIFTGuard работает без API-ключей и переменных окружения.

SIFTGuard — hosted или self-hosted?

Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.

Как установить SIFTGuard в Claude Desktop, Claude Code или Cursor?

Открой SIFTGuard на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.

Похожие MCP

Compare SIFTGuard with

Не уверен что выбрать?

Найди свой стек за 60 секунд

Автор?

Embed-бейдж для README

Похожее

Все в категории ai