DeepSIFT
Allows lookup of IP reputation via VirusTotal API to enrich forensic evidence with external threat intelligence.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@DeepSIFTInvestigate /cases/memory.raw for malicious activity."
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
DeepSIFT
AI-Driven Forensic Analysis with Zero Hallucinations
DeepSIFT is a Python MCP (Model Context Protocol) middleware server that wraps SANS SIFT Workstation forensic tools, dramatically reducing LLM hallucinations in autonomous AI-driven incident response.
Built for the Find Evil! Hackathon hosted by SANS DFIR.
The Problem
Protocol SIFT connects Claude Code to SIFT Workstation but hallucinates more than acceptable:
Protocol SIFT Problem | DeepSIFT Solution |
Raw Volatility output (10k+ lines) dumped into context | Python parsers convert output to structured JSON first |
Generic | Typed MCP functions — one function per tool action |
Prompt-only safety ("never modify evidence") | Architectural enforcement — zero write ops on evidence paths |
No threat intelligence context | RAG pipeline injects MITRE ATT&CK + IOCs into every finding |
Related MCP server: AIOps MCP
Architecture
Claude Code (autonomous execution engine)
↓ calls typed MCP functions
DeepSIFT MCP Server ←── RAG Pipeline (ChromaDB + MITRE ATT&CK)
↓ executes and parses raw output
SIFT Tools (volatility, log2timeline, sleuthkit, yara, ez tools)
↑ structured JSON returned — raw text never reaches LLMAvailable MCP Tools
Memory Forensics (Volatility 3)
Tool | Description |
| Process list with Hunt Evil baseline comparison |
| Malfind with injection type classification |
| Netscan with external IP flagging |
| Cmdline with suspicious pattern detection |
| DLL list with path-based suspicion scoring |
| Registry hive list from memory |
| Read specific registry key values |
| Open handles (files, mutexes, pipes) |
| Save final structured findings |
Timeline (log2timeline / Plaso)
Tool | Description |
| Create Plaso storage from disk image |
| Extract events for a time window |
| WEBHIST events only |
Disk Forensics (Sleuth Kit)
Tool | Description |
| Partition layout via mmls |
| File system tree via fls |
| Extract file by inode via icat |
| Deleted/unallocated files |
YARA Hunting
Tool | Description |
| Scan file with rule set |
| Scan memory image via yarascan |
| Show available rules |
Windows Artifacts (EZ Tools)
Tool | Description |
| Program execution history |
| Recent file access |
| Application recent items |
| Offline hive parsing |
| AbuseIPDB + VirusTotal |
Prerequisites
SANS SIFT Workstation (Ubuntu x86-64)
Python 3.10+
Volatility 3 (
python3 -m volatility3)log2timeline / Plaso (
log2timeline.py,psort.py)The Sleuth Kit (
fls,mmls,icat)YARA
EZ Tools at
/opt/zimmermantools/(optional — Windows artifact tools)
Installation
# Clone the repo
git clone https://github.com/ahammadshawki8/DeepSIFT.git
cd DeepSIFT
# Install Python dependencies
pip3 install -r requirements.txt
# Configure environment
cp .env.example .env
nano .env # Add your API keys and verify tool paths
# Initialize RAG knowledge base (downloads ~100MB MITRE ATT&CK JSON)
python3 rag/ingest/mitre_attack.py
# Run tests to verify parsers work
pytest tests/ -vQuick Start — Investigate a Memory Image
Option A: Use with Claude Code (Recommended)
Add to your Claude Code MCP configuration:
{
"mcpServers": {
"deepsift": {
"command": "python3",
"args": ["/path/to/DeepSIFT/mcp_server/server.py"]
}
}
}Start an investigation:
Investigate /cases/ROCBA/Rocba-Memory.raw for signs of unauthorized access
on or after November 13, 2020.Claude will automatically call get_process_list → find_injected_code →
get_network_connections → finish_analysis and produce a structured report.
Option B: Multi-Agent Orchestrator (LangGraph)
python3 agents/orchestrator.py --image /cases/ROCBA/Rocba-Memory.raw --case-dir /cases/ROCBARun Benchmark
Compare DeepSIFT against Protocol SIFT baseline:
python3 benchmark/runner.py \
--baseline /cases/ROCBA-BASELINE \
--ours /cases/ROCBA-DEEPSIFT \
--ground-truth benchmark/ground_truth/rocba_ground_truth.json \
--output docs/accuracy_report.mdConfiguration
Copy .env.example to .env:
ANTHROPIC_API_KEY=your_key_here
VIRUSTOTAL_API_KEY=your_key_here # optional — enables IP reputation
ABUSEIPDB_API_KEY=your_key_here # optional — enables IP reputation
# Override tool paths if different from SIFT defaults
VOLATILITY_CMD=python3 -m volatility3
LOG2TIMELINE_CMD=log2timeline.py
EZ_TOOLS_DIR=/opt/zimmermantools
# Case directories
CASE_DIR=/cases
EXPORTS_DIR=./exports
ANALYSIS_DIR=./analysisChain of Custody
Every tool execution is logged to analysis/forensic_audit.log:
{
"timestamp": "2026-06-10T12:34:56.789Z",
"tool": "get_process_list",
"command": "python3 -m volatility3 -f /cases/ROCBA/Rocba-Memory.raw windows.pslist",
"raw_output_sha256": "abc123...",
"raw_output_file": "./exports/get_process_list_2026-06-10T12-34-56.txt"
}Raw outputs are preserved in exports/ for audit trail purposes.
License
MIT License — see LICENSE
Acknowledgments
SANS DFIR — SIFT Workstation and FOR508 Hunt Evil poster
MITRE ATT&CK — threat intelligence framework
Protocol SIFT — baseline this project improves upon
Volatility Foundation — Volatility 3
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/ahammadshawki8/DeepSIFT'
If you have feedback or need assistance with the MCP directory API, please join our Discord server