sift-forensic-mcp
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@sift-forensic-mcpinvestigate the VANKO disk image"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
FIND EVIL! — SIFT Forensic AI Agent
Autonomous incident response agent that mounts a 119 GB forensic disk image, hunts malware and anti-forensics through 18 MCP tools on a SIFT Workstation VM, and writes a courtroom-ready report — with no human in the loop.
Demo video: https://youtu.be/ySjuSR9AP3Q
License: MIT
Architecture pattern: Custom MCP Server
What it does
The agent receives a single prompt ("investigate the VANKO disk image") and autonomously:
Mounts the EWF forensic image read-only via
ewfmount+ntfs-3gEnumerates users, recent files, and installed software
Scans for suspicious executables in
%TEMP%,%AppData%, andDownloadsParses the Windows registry for persistence mechanisms
Extracts and correlates Windows Event Log logon events
Runs YARA malware signatures across the image
Identifies Prefetch artifacts proving anti-forensic tool execution
Produces
findings/findings_report.jsonwith confidence-scored IOCs
On the VANKO case it found 8 confirmed findings including WiFi packet capture, evidence destruction (SDelete), an encrypted volume (VeraCrypt FORMAT confirmed), a typosquatted RAT, and identified the subject as anthony.vanko@gmail.com.
Related MCP server: Sift MCP (Docker edition)
Architecture
┌──────────────────────────────────────────────────────────┐
│ Windows Host (analyst workstation) │
│ │
│ orchestrator.py ←→ gpt-5.4-mini (OpenAI-compat API) │
│ │ │
│ sift-forensic-mcp (18 MCP tools, stdio transport) │
│ │ asyncssh (TCP 22) │
└────────┼─────────────────────────────────────────────────┘
│
┌────────▼─────────────────────────────────────────────────┐
│ SIFT Workstation 2026 VM (Ubuntu 22.04, VMware NAT) │
│ │
│ /cases/VANKO/surface_physical.E01 │
│ ewfmount → /mnt/ewf/ewf1 │
│ kpartx → /dev/mapper/loop0p3 │
│ ntfs-3g → /mnt/windows/ (READ-ONLY) │
│ │
│ SIFT tools: ewfmount, log2timeline, yara, │
│ regripper, python-evtx, strings, file │
└──────────────────────────────────────────────────────────┘See docs/architecture.md for the full tool inventory and security boundary breakdown.
Prerequisites
Windows 10/11 host with VMware Workstation Pro 17+
Python 3.10+
OpenAI-compatible API key (or set
OPENAI_BASE_URLto a local endpoint)~150 GB free disk space (119 GB evidence + SIFT VM)
8 GB+ RAM (16 GB recommended)
Quick start
1. Clone and install
git clone https://github.com/OLGTX303/find-evil-sift-agent
cd find-evil-sift-agent
pip install -e .2. Import the SIFT Workstation VM
$ovftool = "C:\Program Files (x86)\VMware\VMware Workstation\OVFTool\ovftool.exe"
& $ovftool --acceptAllEulas --name="SIFT-2026" sift-2026-04-22.ova F:\SIFT-VM\3. Place evidence files
find\VANKO\surface_physical.E01 (through .E21)
find\VANKO\vanko-c-drive.CYLR.7z4. Start and configure the SIFT VM
python setup_sift_vm.py
# Starts the VM, enables SSH, copies evidence — prints the VM IP at the end5. Set environment variables
$env:OPENAI_API_KEY = "sk-..."
$env:OPENAI_BASE_URL = "https://api.openai.com/v1" # or your endpoint
$env:SIFT_HOST = "192.168.x.x" # from setup_sift_vm.py
$env:SIFT_PORT = "22"
$env:SIFT_USER = "sansforensics"
$env:SIFT_PASS = "forensics"
$env:EVIDENCE_DIR = "/cases/VANKO"6. Run the investigation
python orchestrator.py --output-dir ./findingsThe agent prints reasoning and tool calls to stderr in real time.
Investigation takes 15–30 minutes (log2timeline on 119 GB runs in background).
7. Review results
# Structured findings report
cat findings/findings_report.json
# Full timestamped audit trail
cat findings/agent_execution_log.jsonlMCP server (standalone — use with Claude Code)
# Register the MCP server in Claude Code
claude mcp add sift-forensic \
-e SIFT_HOST=192.168.x.x \
-e SIFT_PORT=22 \
-e SIFT_USER=sansforensics \
-e SIFT_PASS=forensics \
-- sift-mcp
# Then in Claude Code:
# "Mount the VANKO image and find evil"Repository layout
sift-agent/
├── orchestrator.py ← Autonomous IR agent (gpt-5.4-mini)
├── setup_sift_vm.py ← One-time VM setup
├── pyproject.toml
├── LICENSE ← MIT
├── src/sift_mcp/
│ ├── server.py ← MCP server (stdio transport)
│ ├── tools.py ← 18 forensic tool implementations
│ └── ssh_client.py ← asyncssh helper with sudo support
├── findings/
│ ├── findings_report.json ← Structured IOC report
│ └── agent_execution_log.jsonl ← Full timestamped audit trail
├── demo/
│ ├── demo_find_evil.mp4 ← Narrated demo video (local copy)
│ ├── mcp_session.json ← Real captured tool output
│ └── cover_3x2.png ← Devpost thumbnail (1200×800)
└── docs/
├── architecture.md ← Component diagram + security boundaries
├── accuracy_report.md ← Finding accuracy + false positive analysis
├── dataset.md ← Evidence dataset documentation
└── try-it-out.md ← Judges guideDocs
Document | Contents |
Component diagram, tool inventory, security boundaries, guardrails | |
8 findings vs ground truth, false positives, evidence integrity | |
VANKO case dataset, provenance, integrity hashes | |
Step-by-step judges guide with troubleshooting |
License
MIT — see LICENSE.
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/OLGTX303/find-evil-sift-agent'
If you have feedback or need assistance with the MCP directory API, please join our Discord server