sift-forensic-mcp
Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| SIFT_HOST | Yes | IP address of the SIFT Workstation VM | |
| SIFT_PASS | Yes | SSH password for the SIFT VM (default forensics) | |
| SIFT_PORT | No | SSH port for the SIFT VM (default 22) | 22 |
| SIFT_USER | Yes | SSH username for the SIFT VM (default sansforensics) | |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | `{ "listChanged": false }` |
| experimental | `{}` |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| setup_evidenceA | Copy evidence to SIFT VM and verify. Call this first. |
| mount_imageA | Mount the E01 forensic image using ewfmount + kpartx. Required before any file-system analysis. |
| unmount_imageA | Unmount the forensic image cleanly after analysis. |
| get_system_infoB | Extract OS version, hostname, timezone from the mounted image. |
| list_usersB | List Windows user accounts discovered in the image. |
| list_recent_filesB | List recently accessed files (LNK files) for a user. |
| find_suspicious_executablesB | Find executables in anomalous locations: Temp dirs, user AppData, ProgramData. |
| extract_fileA | Read strings from a file on the mounted image (first 4KB). |
| run_log2timelineA | Start log2timeline timeline creation (long-running). Poll with get_timeline_status. |
| get_timeline_statusA | Check if log2timeline is running; return last log lines. |
| run_psortC | Query the plaso timeline. Returns events sorted by time. |
| parse_registryB | Parse a Windows registry hive. Optionally navigate to a specific key. |
| get_run_keysA | Extract Run/RunOnce autostart registry keys from all user hives. |
| yara_scanB | Run YARA malware detection rules against a path in the mounted image. |
| parse_evtxB | Parse a Windows EVTX event log file. |
| get_logon_eventsB | Extract logon/logoff events (4624, 4625, 4634) from Security.evtx. |
| extract_network_artifactsB | Extract prefetch files, hosts file, browser history paths. |
| hash_fileA | Compute MD5 and SHA256 hash of a file on the mounted image. |
| check_known_malware_hashesB | Check hashes against local NSRL/malware hash database. |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
| No prompts | |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
| No resources | |
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/OLGTX303/find-evil-sift-agent'