VeriSIFT
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@VeriSIFTtriage the disk image at /cases/case01.E01"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
π‘οΈ VeriSIFT
Read-only by architecture. Self-correcting by design.
A typed-MCP incident-response agent that makes evidence spoliation impossible instead of merely forbidden β and catches its own hallucinations before a human ever sees them.
Python Β· Model Context Protocol Β· SANS SIFT Workstation Β· DFIR
Architectural pattern: Custom MCP Server (#2) β Persistent Learning Loop (#7) β fused, not stacked.
β‘ The 30-second pitch
Protocol SIFT proves an AI agent can triage a disk image at machine speed. But its evidence guardrail is a prompt β the model is told not to modify evidence. "The model was instructed not to" is not a chain-of-custody guarantee you can defend in court.
VeriSIFT moves the guarantee from instruction to construction:
Prompt-based agent | VeriSIFT | |
Can it delete evidence? | Told not to | β No write path exists in the code |
Writable image? | Trusts the prompt | π Refuses to start (fail-closed) |
Does it know when it's wrong? | No | β Drops unsupported claims, labels inferences |
Can a juror trace a finding? | No | π Every tool call β one JSONL audit record |
Related MCP server: CodeSherpa
π¬ What a real run looks like
A genuine, computed (not scripted) correlation across three independent forensic artifacts:
STAGE 5 β final report [honest: only what the artifacts support]
[CONFIRMED] execution notepad.exe conf=1.0 supports=['amcache', 'evtx_4688', 'prefetch']
[INFERRED ] logon Administrator conf=0.5 supports=['evtx_4624']
injected test claim dropped: 1 (EVILCORP.EXE β no corroborating artifact, caught by the verifier)
iteration trace:
iter 1: confirmed=0 inferred=2 dropped=1 (hallucination caught)
iter 2: confirmed=1 inferred=1 dropped=0 (notepad corroborated β confirmed)notepad.exeis marked confirmed only becausecorrelate()mechanically matched its basename across a real Event ID 4688 process-create and a real Amcache entry (plus a third prefetch source). Discount any single source and it is still confirmed on two.Administratorlogon stays honestly inferred β single-source (4624), not inflated.EVILCORP.EXEis an explicitly-labeled synthetic claim with no backing artifact β the verifier drops it automatically. That is the self-correction, on camera.
ποΈ Architecture
Full-resolution:
docs/architecture.svgΒ·docs/architecture.png
Key design principle: the agent cannot reach evidence except through typed tools. No write path exists in code β this is architectural, not a prompt instruction.
ββββββββββββββ typed tool calls ββββββββββββββββββββββ
β Agent β ββββββββββββββββββββΊ β VeriSIFT MCP β
β (Claude β β server.py β
β Code) β ββββββββββββββββββββ β β’ open_evidence β
βββββββ¬βββββββ structured JSON β β’ parse_evtx β
β findings β β’ get_amcache β
βΌ β β’ extract_mft_β¦ β
ββββββββββββββ β β’ analyze_prefetchβ
β verify.py β cross-artifact βββββββββββ¬βββββββββββ
β gate+loop β corroboration β read-only
βββββββ¬βββββββ βββββββββΌβββββββββ
β iteration traces β evidence.py β
βΌ β O_RDONLY + β
ββββββββββββββ β fail-closed β
β audit.py β JSONL execution log βββββββββ¬βββββββββ
ββββββββββββββ βββββββββΌβββββββββ
β parsers.py β β
β TSK / regipy / β
β pyscca / evtx β
βββββββββ¬βββββββββ
read-only image
βββ trust boundary ββββββββββββββββββββββββββββββββββββββββββββββ
The agent cannot reach the image except through typed tools.
No write path exists in code. This is ARCHITECTURAL, not a prompt.π¬ The two layers, locked together
1 Β· Typed MCP server β the architectural guardrail
Instead of a generic execute_shell, the agent gets only five typed, read-only tools.
A destructive command can't be issued because that capability does not exist in the server.
Evidence opened
O_RDONLY; fails closed if any write bit is set (evidence.py).Image SHA-256 hashed at open; re-hashable to prove integrity before/after.
2 Β· Self-correcting verification loop β the learning layer
The agent proposes findings as structured claims. The gate cross-checks each against independent artifacts and assigns a verdict:
Corroborating artifacts | Verdict | Confidence |
0 β nothing backs it |
| 0.0 |
1 β single source |
| 0.5 |
2 |
| 0.75 |
3 |
| 1.0 |
Conflicts trigger a tightened re-run, capped at 4 iterations to prevent runaway execution. Every iteration is logged.
The novel contribution: the typed-tool boundary makes corroboration mechanically checkable, and the loop makes the typed tools self-correcting. Neither half delivers both evidence-integrity and self-correction alone.
π§° The five tools
Tool | Backed by | Returns |
|
| metadata + |
|
| structured event records |
|
|
|
|
|
|
|
|
|
All four parsers are verified against real artifacts with per-record try/except so one
corrupt record never aborts a parse.
π Quick start
# 1. Install dependencies (SANS SIFT Workstation)
pip3 install -r requirements.txt # mcp Β· regipy Β· python-evtx Β· pyscca
# plus MFTECmd (EZ Tools / dotnet) and The Sleuth Kit on PATH
# 2. Make evidence read-only β fail-closed enforcement
chmod 0444 /path/to/evidence.E01
# 3. Run the end-to-end demo (drives the real MCP tools + verify loop)
VERISIFT_LOG=./exports/execution_log.jsonl python3 demo_investigation.pyWatch the audit trail stream live (Terminal 1):
export VERISIFT_LOG=./exports/execution_log.jsonl
rm -f "$VERISIFT_LOG"; touch "$VERISIFT_LOG"
echo "VeriSIFT audit trail β live:"; tail -f "$VERISIFT_LOG"π Repository layout
verisift/
βββ server.py # FastMCP server β 5 typed tools
βββ evidence.py # Read-only guardrail (O_RDONLY, fail-closed, SHA-256)
βββ parsers.py # 4 verified parsers + correlate() corroboration engine
βββ verify.py # Classification + bounded self-correction loop
βββ audit.py # JSONL execution log (run_id, seq, duration)
βββ demo_investigation.py # End-to-end demo driver (real tools, computed correlation)
βββ ACCURACY_REPORT.md # Self-assessed accuracy + integrity proof
βββ PROJECT_DESCRIPTION.md # Inspiration Β· build Β· lessons
βββ analysis/
β βββ make_test_prefetch.py # Builds the synthetic .pf (transparent provenance)
βββ test_data/ # Minimal reproducibility fixtures (see provenance below)
βββ evtx/ Β· amcache/ Β· mft/ Β· prefetch/Test-data provenance (full honesty for judges)
Artifact | Real / Synthetic | Source |
EVTX ( | Real | sbousseaden/EVTX-ATTACK-SAMPLES (med0x2e capture) |
Amcache ( | Real | regipy validated Win10 hive (contains |
MFT ( | Real |
|
Prefetch ( | Synthetic | Byte-accurate v30, built from the libscca spec, parsed by real pyscca |
The
[CONFIRMED]verdict rests on two real, independent artifacts (EVTX 4688 + Amcache). The synthetic prefetch is only a third corroborator β disclosed, never load-bearing.
Full sources, SHA-256 hashes, and reproduction steps: DATASET.md.
π― Why this wins on the rubric
Judging criterion | How VeriSIFT addresses it |
Autonomous Execution (tiebreaker) | Loop re-runs and tightens parameters with no human input. |
IR Accuracy | Multi-artifact corroboration drops hallucinations; single-source labeled inferred. |
Constraint Implementation | No shell tool exists; evidence |
Audit Trail | Every tool call β one JSONL record: |
Breadth & Depth | Deep on disk artifacts with genuine cross-artifact correlation (MFT Γ prefetch Γ amcache Γ EVTX). |
βοΈ Honest limitations
Scope is disk-image artifacts by design β depth over breadth. Corroboration rules are heuristic;
a determined anti-forensic actor could defeat cross-artifact agreement. Accuracy depends on the
underlying court-vetted parsers. See ACCURACY_REPORT.md for measured
counts rather than claims.
π License
MIT.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Zenidp/verisift'
If you have feedback or need assistance with the MCP directory API, please join our Discord server