sift-forensic-mcp
FIND EVIL! — SIFT Forensic AI Agent
Autonomous incident response agent that mounts a 119 GB forensic disk image, hunts malware and anti-forensics through 18 MCP tools on a SIFT Workstation VM, and writes a courtroom-ready report — with no human in the loop.
Demo video: https://youtu.be/ySjuSR9AP3Q
License: MIT
Architecture pattern: Custom MCP Server
What it does
The agent receives a single prompt ("investigate the VANKO disk image") and autonomously:

- Mounts the EWF forensic image read-only via `ewfmount` + `ntfs-3g`
- Enumerates users, recent files, and installed software
- Scans for suspicious executables in `%TEMP%`, `%AppData%`, and `Downloads`
- Parses the Windows registry for persistence mechanisms
- Extracts and correlates Windows Event Log logon events
- Runs YARA malware signatures across the image
- Identifies Prefetch artifacts proving anti-forensic tool execution
- Produces `findings/findings_report.json` with confidence-scored IOCs
On the VANKO case it found 8 confirmed findings including WiFi packet capture, evidence destruction (SDelete), an encrypted volume (VeraCrypt FORMAT confirmed), a typosquatted RAT, and identified the subject as anthony.vanko@gmail.com.
Related MCP server: Sift MCP (Docker edition)
Architecture
```text
┌──────────────────────────────────────────────────────────┐
│ Windows Host (analyst workstation)                       │
│                                                          │
│   orchestrator.py  ←→  gpt-5.4-mini (OpenAI-compat API)  │
│        │                                                 │
│   sift-forensic-mcp (18 MCP tools, stdio transport)      │
│        │  asyncssh (TCP 22)                              │
└────────┼─────────────────────────────────────────────────┘
         │
┌────────▼─────────────────────────────────────────────────┐
│ SIFT Workstation 2026 VM (Ubuntu 22.04, VMware NAT)      │
│                                                          │
│   /cases/VANKO/surface_physical.E01                      │
│     ewfmount  → /mnt/ewf/ewf1                            │
│     kpartx    → /dev/mapper/loop0p3                      │
│     ntfs-3g   → /mnt/windows/  (READ-ONLY)               │
│                                                          │
│   SIFT tools: ewfmount, log2timeline, yara,              │
│               regripper, python-evtx, strings, file      │
└──────────────────────────────────────────────────────────┘
```

See docs/architecture.md for the full tool inventory and security boundary breakdown.
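The read-only mount chain from the diagram, as an added example that is not code from the project: a script for the SIFT VM that mounts the E01 through ewfmount, kpartx and ntfs-3g, then refuses to proceed unless /proc/mounts confirms the NTFS mount really is read-only. The paths and the loop0p3 partition name are assumptions taken from the diagram; the `mount_is_readonly` helper is mine.

```shell
#!/usr/bin/env bash
# Added example, not part of the project: mount an EWF image read-only along
# the chain ewfmount -> kpartx -> ntfs-3g and verify the mount before use.
# Assumes libewf-tools (ewfmount), kpartx and ntfs-3g are present on the SIFT VM.
set -eu

E01="${E01:-/cases/VANKO/surface_physical.E01}"   # evidence image
EWF_MNT=/mnt/ewf                                   # ewfmount exposes $EWF_MNT/ewf1
PART=/dev/mapper/loop0p3                           # assumption: NTFS OS partition
WIN_MNT=/mnt/windows                               # read-only NTFS mount point

# Pure helper: given the text of /proc/mounts and a mount point, succeed only
# when that mount point is present AND carries the "ro" option. Checking the
# kernel's view (not the options we passed) catches a silent rw fallback.
mount_is_readonly() {
  mounts="$1"; target="$2"
  printf '%s\n' "$mounts" | awk -v t="$target" '
    $2 == t {
      n = split($4, opts, ",")
      for (i = 1; i <= n; i++) if (opts[i] == "ro") found = 1
    }
    END { exit(found ? 0 : 1) }'
}

mount_chain() {
  sudo mkdir -p "$EWF_MNT" "$WIN_MNT"
  sudo ewfmount "$E01" "$EWF_MNT"          # raw view of the image at $EWF_MNT/ewf1
  sudo kpartx -av "$EWF_MNT/ewf1"          # partition maps under /dev/mapper/loopNpM
  # ro: never write to evidence; noexec/nosuid/nodev: nothing on the image can run
  sudo mount -t ntfs-3g -o ro,noexec,nosuid,nodev,noatime "$PART" "$WIN_MNT"
  if ! mount_is_readonly "$(cat /proc/mounts)" "$WIN_MNT"; then
    echo "refusing to continue: $WIN_MNT is not read-only" >&2
    unmount_chain
    exit 1
  fi
  echo "evidence mounted read-only at $WIN_MNT"
}

unmount_chain() {
  sudo umount "$WIN_MNT" 2>/dev/null || true
  sudo kpartx -dv "$EWF_MNT/ewf1" 2>/dev/null || true
  sudo umount "$EWF_MNT" 2>/dev/null || true
}

case "${1:-}" in
  mount)   mount_chain ;;
  unmount) unmount_chain ;;
esac
```

Run as `bash mount_ro.sh mount` on the VM and `bash mount_ro.sh unmount` when the investigation is done.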
Prerequisites
Windows 10/11 host with VMware Workstation Pro 17+
Python 3.10+
OpenAI-compatible API key (or set `OPENAI_BASE_URL` to a local endpoint)
~150 GB free disk space (119 GB evidence + SIFT VM)
8 GB+ RAM (16 GB recommended)
Quick start
1. Clone and install

```shell
git clone https://github.com/OLGTX303/find-evil-sift-agent
cd find-evil-sift-agent
pip install -e .
```

2. Import the SIFT Workstation VM

```powershell
$ovftool = "C:\Program Files (x86)\VMware\VMware Workstation\OVFTool\ovftool.exe"
& $ovftool --acceptAllEulas --name="SIFT-2026" sift-2026-04-22.ova F:\SIFT-VM\
```

3. Place evidence files

```text
find\VANKO\surface_physical.E01 (through .E21)
find\VANKO\vanko-c-drive.CYLR.7z
```

4. Start and configure the SIFT VM

```shell
python setup_sift_vm.py
# Starts the VM, enables SSH, copies evidence — prints the VM IP at the end
```

5. Set environment variables

```powershell
$env:OPENAI_API_KEY = "sk-..."
$env:OPENAI_BASE_URL = "https://api.openai.com/v1"   # or your endpoint
$env:SIFT_HOST = "192.168.x.x"                        # from setup_sift_vm.py
$env:SIFT_PORT = "22"
$env:SIFT_USER = "sansforensics"
$env:SIFT_PASS = "forensics"
$env:EVIDENCE_DIR = "/cases/VANKO"
```

6. Run the investigation

```shell
python orchestrator.py --output-dir ./findings
```

The agent prints reasoning and tool calls to stderr in real time.
Investigation takes 15–30 minutes (log2timeline on 119 GB runs in background).

7. Review results

```shell
# Structured findings report
cat findings/findings_report.json
# Full timestamped audit trail
cat findings/agent_execution_log.jsonl
```

MCP server (standalone — use with Claude Code)

```shell
# Register the MCP server in Claude Code
claude mcp add sift-forensic \
  -e SIFT_HOST=192.168.x.x \
  -e SIFT_PORT=22 \
  -e SIFT_USER=sansforensics \
  -e SIFT_PASS=forensics \
  -- sift-mcp
# Then in Claude Code:
# "Mount the VANKO image and find evil"
```

Repository layout
```text
sift-agent/
├── orchestrator.py          ← Autonomous IR agent (gpt-5.4-mini)
├── setup_sift_vm.py         ← One-time VM setup
├── pyproject.toml
├── LICENSE                  ← MIT
├── src/sift_mcp/
│   ├── server.py            ← MCP server (stdio transport)
│   ├── tools.py             ← 18 forensic tool implementations
│   └── ssh_client.py        ← asyncssh helper with sudo support
├── findings/
│   ├── findings_report.json      ← Structured IOC report
│   └── agent_execution_log.jsonl ← Full timestamped audit trail
├── demo/
│   ├── demo_find_evil.mp4   ← Narrated demo video (local copy)
│   ├── mcp_session.json     ← Real captured tool output
│   └── cover_3x2.png        ← Devpost thumbnail (1200×800)
└── docs/
    ├── architecture.md      ← Component diagram + security boundaries
    ├── accuracy_report.md   ← Finding accuracy + false positive analysis
    ├── dataset.md           ← Evidence dataset documentation
    └── try-it-out.md        ← Judges guide
```

Docs
| Document | Contents |
| --- | --- |
| docs/architecture.md | Component diagram, tool inventory, security boundaries, guardrails |
| docs/accuracy_report.md | 8 findings vs ground truth, false positives, evidence integrity |
| docs/dataset.md | VANKO case dataset, provenance, integrity hashes |
| docs/try-it-out.md | Step-by-step judges guide with troubleshooting |
License
MIT — see LICENSE.