SIFTGuard
SIFTGuard — Autonomous Forensic Investigation Agent
SIFTGuard is a multi-agent AI system for autonomous digital forensics and incident response. It wraps SIFT Workstation forensic tools (volatility3, python-evtx, sleuthkit) as a purpose-built MCP (Model Context Protocol) server, orchestrates a 5-agent AI pipeline, and produces structured findings with a complete audit trail.
FIND EVIL! Hackathon 2025 — Track: Custom MCP Server + Multi-Agent Pipeline on SIFT Workstation
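Because the evidence itself (process names, command lines, event log strings) is attacker-controlled and ends up in the model's context, the arguments an agent hands to run_volatility or run_sleuthkit have to be treated as untrusted input. The wrapper below is an added example of the constraints a practitioner would expect around such a tool, not SIFTGuard's own implementation: the evidence root, the plugin allowlist, the vol binary name and all helper names are assumptions.

```python
"""Allowlisting and path confinement for a model-driven forensic tool call.

Added example, not SIFTGuard's run_volatility. Assumed: evidence lives under
data/evidence as in the Quickstart, volatility3 is on PATH as `vol`, and the
plugin allowlist below is illustrative.
"""
import re
import subprocess
from pathlib import Path
from typing import List, Optional, Tuple

EVIDENCE_ROOT = Path("data/evidence").resolve()   # assumed layout
ALLOWED_PLUGINS = {                               # illustrative allowlist
    "windows.pslist", "windows.pstree", "windows.netscan",
    "windows.malfind", "windows.cmdline",
}
PID_RE = re.compile(r"\d{1,7}")


class UnsafeToolArgument(ValueError):
    """A model-supplied argument failed validation: refuse it, do not repair it."""


def resolve_evidence(path_str: str) -> Path:
    """Join a model-supplied path onto the evidence root and reject escapes.

    Absolute paths, '..' segments and symlinks that point outside the root all
    resolve to something that is not below EVIDENCE_ROOT.
    """
    candidate = (EVIDENCE_ROOT / path_str).resolve()
    if not candidate.is_relative_to(EVIDENCE_ROOT):
        raise UnsafeToolArgument(f"path escapes evidence root: {path_str!r}")
    return candidate


def build_volatility_argv(memory_image: str, plugin: str,
                          pid: Optional[str] = None) -> List[str]:
    """Return an argv list for volatility3; never build a shell string.

    The plugin is an allowlist lookup rather than free text, and the only
    free-form value is a numeric PID, so extra options cannot be appended.
    """
    if plugin not in ALLOWED_PLUGINS:
        raise UnsafeToolArgument(f"plugin not allowlisted: {plugin!r}")
    argv = ["vol", "-f", str(resolve_evidence(memory_image)), plugin]
    if pid is not None:
        if not PID_RE.fullmatch(pid):
            raise UnsafeToolArgument(f"pid must be numeric: {pid!r}")
        argv += ["--pid", pid]
    return argv


def is_refused(memory_image: str, plugin: str, pid: Optional[str] = None) -> bool:
    """True when the argument set is rejected before any process is spawned."""
    try:
        build_volatility_argv(memory_image, plugin, pid)
    except UnsafeToolArgument:
        return True
    return False


def run_tool(argv: List[str], timeout_s: int = 300) -> Tuple[int, str, str]:
    """Execute argv with no shell and a hard timeout; returns (rc, stdout, stderr).

    subprocess.TimeoutExpired propagates so a retry layer can classify a hung
    tool instead of mistaking it for 'no findings'.
    """
    proc = subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout_s, shell=False, check=False)
    return proc.returncode, proc.stdout, proc.stderr


if __name__ == "__main__":
    print(build_volatility_argv("memory/victim.raw", "windows.pslist", "4288"))
    for bad in [("../../etc/shadow", "windows.pslist", None),
                ("memory/victim.raw", "windows.pslist; id", None),
                ("memory/victim.raw", "windows.pslist", "--config=x")]:
        print("refused:", bad, is_refused(*bad))
```

The same pattern applies to parse_evtx and run_sleuthkit: the model picks from a fixed menu of operations and supplies values that are validated against a narrow grammar, and the path it names is confined to the evidence tree before anything is executed.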
Architecture

Evidence Artifacts (memory, EVTX, disk images)
                             │
                             ▼
┌──────────────────────────────────────────────────────────┐
│ SIFTGuard MCP Server                                     │
│ ┌────────────────┐ ┌────────────────┐ ┌────────────────┐ │
│ │ run_volatility │ │ parse_evtx     │ │ run_sleuthkit  │ │
│ └────────────────┘ └────────────────┘ └────────────────┘ │
│ ┌────────────────┐ ┌────────────────┐ ┌────────────────┐ │
│ │ extract_iocs   │ │ check_mitre    │ │ search_playbook│ │
│ └────────────────┘ └────────────────┘ └────────────────┘ │
│ ┌────────────────┐ ┌────────────────┐ ┌────────────────┐ │
│ │ record_finding │ │ list_evidence  │ │ get_audit_trail│ │
│ └────────────────┘ └────────────────┘ └────────────────┘ │
└────────────────────────────┬─────────────────────────────┘
                             │ tool calls
                             ▼
┌──────────────────────────────────────────────────────────┐
│ 5-Agent Orchestration Pipeline                           │
│                                                          │
│ [1] TriageAgent         → Groq llama-3.3-70b             │
│      ↓ threat classification, playbook selection         │
│ [2] AnalyzerAgent       → MCP tools (volatility+evtx+tsk)│
│      ↓ deep forensic analysis, finding extraction        │
│ [3] SelfCorrectionAgent → wraps all tool calls           │
│      ↓ autonomous retry with alternative strategies      │
│ [4] PlannerAgent        → Groq + RAG over DFIR playbooks │
│      ↓ prioritized containment/eradication plan          │
│ [5] ExecutorAgent       → Human-in-the-Loop gate         │
│      ↓ approval + safe execution                         │
└──────────────────────────────────────────────────────────┘
                             │
                             ▼
Findings + Audit Trail + Report

8 MCP Tools
| Tool | SIFT Binary | Purpose |
| --- | --- | --- |
| run_volatility | volatility3 | Memory forensics (pslist, netscan, malfind, cmdline) |
| parse_evtx | python-evtx | Windows Event Log parsing + filter |
|  | log2timeline / reconstructed | Supertimeline from all artifacts |
| run_sleuthkit | fls, mmls, istat | Disk image analysis |
| extract_iocs | regex engine | IOC extraction (IPs, hashes, paths) |
| check_mitre | knowledge base | MITRE ATT&CK technique mapping |
| search_playbook | playbook DB | DFIR investigation playbook retrieval |
| record_finding | case file | Validated finding persistence |
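The extract_iocs row describes a regex engine for IPs, hashes and paths. What separates a useful extractor from a noisy one is validation (four dotted numbers are not always an address, hex of the wrong length is not a hash) and an explicit choice about which addresses to drop. The following is an added example rather than the project's tool; the sample text is constructed to resemble volatility3 netscan and cmdline output and is not case data.

```python
"""Validated IOC extraction over forensic tool output.

Added example, not SIFTGuard's extract_iocs. SAMPLE_OUTPUT is constructed to
resemble volatility3 netscan/cmdline lines; it is not real case data.
"""
import ipaddress
import re
from typing import Dict, List

SAMPLE_OUTPUT = """\
0x8d1e3a0 TCPv4 10.0.2.15:49712 203.0.113.45:4444 ESTABLISHED 4288 svchost.exe
0x8d1e3b0 TCPv4 10.0.2.15:49713 192.168.1.1:445 ESTABLISHED 1152 System
4288 svchost.exe C:\\Users\\Public\\Libraries\\update.exe -s
md5    7f2ab8b5e6d0e3d6c1b1f1b8a1c9d2e3
sha1   da39a3ee5e6b4b0d3255bfef95601890afd80709
sha256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
OS version 10.0.19041.1 build id 999.1.1.1
"""

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
HEX_RE = re.compile(r"\b[0-9a-fA-F]{32,64}\b")
WINPATH_RE = re.compile(r"[A-Za-z]:\\(?:[^\\\s:*?\"<>|]+\\)*[^\\\s:*?\"<>|]+")
HASH_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
# Listed explicitly: ipaddress.is_private also covers the documentation
# ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) used in samples.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _is_internal(ip: ipaddress.IPv4Address) -> bool:
    return (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_unspecified or any(ip in n for n in RFC1918))


def _add(bucket: List[str], value: str) -> None:
    if value not in bucket:          # dedupe, keep first-seen order
        bucket.append(value)


def extract_iocs(text: str, drop_internal: bool = True) -> Dict[str, List[str]]:
    """Return validated, deduplicated IOCs grouped by type."""
    iocs: Dict[str, List[str]] = {k: [] for k in ("ipv4", "md5", "sha1", "sha256", "path")}
    for m in IPV4_RE.finditer(text):
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ValueError:           # e.g. 999.1.1.1: dotted digits, not an address
            continue
        if drop_internal and _is_internal(ip):
            continue
        _add(iocs["ipv4"], str(ip))
    for m in HEX_RE.finditer(text):
        kind = HASH_BY_LEN.get(len(m.group(0)))
        if kind:                     # only exact MD5/SHA-1/SHA-256 lengths count
            _add(iocs[kind], m.group(0).lower())
    for m in WINPATH_RE.finditer(text):
        _add(iocs["path"], m.group(0))
    return iocs


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_OUTPUT).items():
        print(kind, values)
```

Dropping RFC 1918 and loopback addresses by default keeps the victim's own LAN out of the indicator list; pass drop_internal=False when lateral movement inside the network is the question, since then those addresses are the finding.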
Quickstart
1. Clone and Setup
git clone https://github.com/sodiq-code/siftguard
cd siftguard
bash scripts/setup.sh
2. Configure
cp .env.example .env
# Edit .env — add your GROQ_API_KEY
3. Add Evidence
# Place your forensic artifacts:
data/evidence/memory/ ← memory dumps (.mem, .raw, .dmp)
data/evidence/logs/ ← EVTX logs (.evtx)
data/evidence/disk/ ← disk images (.E01, .dd)
4. Run Full Pipeline
source .venv/bin/activate
python main.py
5. Run with Custom Indicators
python main.py --indicators "Suspicious process on port 4444, possible reverse shell"
6. Interactive Mode (real human approval)
python main.py --interactive
Pipeline Stages
| Stage | Agent | Description |
| --- | --- | --- |
| 1 | MCP Server | Evidence inventory — list all artifacts |
| 2 | TriageAgent | AI classification of threat type and severity |
| 3 | MCP Server | DFIR playbook loading |
| 4 | AnalyzerAgent | Deep analysis — memory + logs + disk |
| 5 | SelfCorrectionAgent | Autonomous retry on tool failures |
| 6 | MCP Server | Record validated findings to case file |
| 7 | PlannerAgent | Generate remediation plan with Groq + RAG |
| 8 | ExecutorAgent | Human-in-the-loop approval + execution |
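Stage 1 inventories the artifacts under data/evidence. Before an autonomous pipeline that retries tools and switches strategies touches evidence, a practitioner records each artifact's hash so the case file can show the analysis ran against unmodified input. The inventory below is an added example, not the project's list_evidence tool: the directory layout and extension map follow the Quickstart, the manifest shape and function names are assumptions, and the sample tree is constructed in a temporary directory.

```python
"""Evidence inventory with integrity hashes.

Added example, not SIFTGuard's list_evidence. Layout and extensions follow
the Quickstart (memory/, logs/, disk/); manifest shape and names are assumed.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

KIND_BY_EXT = {                                  # from the Quickstart's evidence layout
    ".mem": "memory", ".raw": "memory", ".dmp": "memory",
    ".evtx": "log",
    ".e01": "disk", ".dd": "disk",
}


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so multi-GB images never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inventory_evidence(root: Path) -> Dict[str, Dict[str, object]]:
    """Map each artifact (relative POSIX path) to its kind, size and sha256.

    Files with an unknown extension are listed as kind 'unknown' rather than
    silently skipped, so a stray upload is visible to the analyst.
    """
    manifest: Dict[str, Dict[str, object]] = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        manifest[p.relative_to(root).as_posix()] = {
            "kind": KIND_BY_EXT.get(p.suffix.lower(), "unknown"),
            "size": p.stat().st_size,
            "sha256": sha256_file(p),
        }
    return manifest


def verify_manifest(root: Path, manifest: Dict[str, Dict[str, object]]) -> List[str]:
    """Return artifacts whose hash changed or that vanished since inventory."""
    problems: List[str] = []
    for rel, entry in manifest.items():
        p = root / rel
        if not p.is_file() or sha256_file(p) != entry["sha256"]:
            problems.append(rel)
    return problems


def make_sample_evidence() -> Path:
    """Constructed sample tree (not real evidence) in a fresh temp directory."""
    root = Path(tempfile.mkdtemp(prefix="siftguard_evidence_"))
    for sub in ("memory", "logs", "disk"):
        (root / sub).mkdir()
    (root / "memory" / "victim.raw").write_bytes(b"")                 # empty file, known digest
    (root / "logs" / "Security.evtx").write_bytes(b"ElfFile\x00" + b"\x00" * 64)
    (root / "disk" / "notes.txt").write_text("analyst scratch file")  # not an evidence type
    return root


if __name__ == "__main__":
    root = make_sample_evidence()
    manifest = inventory_evidence(root)
    for rel, entry in manifest.items():
        print(rel, entry["kind"], entry["sha256"][:16])
    (root / "memory" / "victim.raw").write_bytes(b"tampered")
    print("changed:", verify_manifest(root, manifest))
```

Running verify_manifest again at the end of a case, and recording both results in the audit trail, is what lets the report assert that nothing in the pipeline wrote to the evidence.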
Self-Correction System
SIFTGuard's SelfCorrectionAgent wraps every tool call with a 3-attempt correction loop:
Tool Call Attempt 1
│ FAILS (timeout / empty result / wrong format)
▼
Diagnose failure → select correction strategy
│
▼
Tool Call Attempt 2 (modified args)
│ FAILS again
▼
Fallback strategy (simulation / alternative tool)
│
▼
Tool Call Attempt 3 → SUCCESS
All correction events are logged to the audit trail. Demonstrated live in the demo video.
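The loop above, as an added example that is not SIFTGuard's SelfCorrectionAgent: a wrapper that diagnoses each attempt, modifies the arguments for the second, switches to a fallback tool for the third, and records every attempt in an audit list. The failure labels, the correction strategies and both stand-in tools are assumptions constructed for the demonstration.

```python
"""A three-attempt self-correction wrapper around a forensic tool call.

Added example, not SIFTGuard's SelfCorrectionAgent. Failure labels,
correction strategies and the audit-event shape are assumptions chosen to
follow the flow above: modified args on attempt 2, fallback on attempt 3.
"""
from typing import Any, Callable, Dict, List, Optional, Tuple

Tool = Callable[..., Any]


class ToolTimeout(Exception):
    """The wrapped tool exceeded its time budget."""


def diagnose(result: Any, exc: Optional[Exception]) -> Optional[str]:
    """Classify one attempt: None on success, otherwise a failure label."""
    if isinstance(exc, ToolTimeout):
        return "timeout"
    if exc is not None:
        return "error"
    if not result:
        return "empty"
    if not (isinstance(result, list) and all(isinstance(r, dict) for r in result)):
        return "wrong_format"
    return None


def correct_args(failure: str, args: Dict[str, Any]) -> Dict[str, Any]:
    """Derive modified arguments for the next attempt (illustrative strategies)."""
    new = dict(args)
    if failure == "timeout":
        new["timeout_s"] = args.get("timeout_s", 60) * 2   # give the tool more time
    elif failure == "empty":
        new.pop("pid", None)                              # widen the scope
    elif failure == "wrong_format":
        new["output"] = "json"                            # ask for a parseable format
    return new


class SelfCorrectionAgent:
    MAX_ATTEMPTS = 3

    def __init__(self, fallback: Optional[Tool] = None) -> None:
        self.fallback = fallback
        self.audit: List[Dict[str, Any]] = []   # one event per attempt, success or not

    def call(self, tool_name: str, tool: Tool, args: Dict[str, Any]) -> Any:
        current_tool, current_args = tool, dict(args)
        for attempt in range(1, self.MAX_ATTEMPTS + 1):
            result, exc = None, None
            try:
                result = current_tool(**current_args)
            except Exception as e:  # a crashing tool is just another diagnosable failure
                exc = e
            failure = diagnose(result, exc)
            self.audit.append({"tool": tool_name, "attempt": attempt,
                               "args": dict(current_args),
                               "via_fallback": current_tool is not tool,
                               "outcome": failure or "ok",
                               "detail": repr(exc) if exc else None})
            if failure is None:
                return result
            if attempt == 2 and self.fallback is not None:
                current_tool = self.fallback      # alternative tool / saved simulation
            else:
                current_args = correct_args(failure, current_args)
        raise RuntimeError(f"{tool_name}: gave up after {self.MAX_ATTEMPTS} attempts")


def make_flaky_netscan(calls: List[Dict[str, Any]]) -> Tool:
    """Constructed stand-in for a netscan wrapper (not real tool behaviour):
    times out on the default budget, then returns nothing on the retry."""
    def netscan(timeout_s: int = 60, pid: Optional[int] = None, **_: Any) -> Any:
        calls.append({"timeout_s": timeout_s, "pid": pid})
        if timeout_s < 120:
            raise ToolTimeout(f"exceeded {timeout_s}s")
        return []
    return netscan


def cached_netscan(**_: Any) -> Any:
    """Constructed fallback: a previously saved (simulated) result set."""
    return [{"pid": 4288, "process": "svchost.exe", "remote": "203.0.113.45:4444"}]


def run_demo() -> Tuple[SelfCorrectionAgent, List[Dict[str, Any]], Any]:
    """Attempt 1 times out, attempt 2 is empty, attempt 3 succeeds via fallback."""
    calls: List[Dict[str, Any]] = []
    agent = SelfCorrectionAgent(fallback=cached_netscan)
    result = agent.call("run_volatility", make_flaky_netscan(calls),
                        {"timeout_s": 60, "pid": 4288})
    return agent, calls, result


def run_exhaustion_demo() -> int:
    """No fallback and a tool that never recovers: the wrapper gives up after
    MAX_ATTEMPTS with every attempt still recorded. Returns the audit length."""
    agent = SelfCorrectionAgent()

    def broken(**_: Any) -> Any:
        raise ToolTimeout("still hung")

    try:
        agent.call("parse_evtx", broken, {"timeout_s": 30})
    except RuntimeError:
        return len(agent.audit)
    return -1
```

Recording the failed attempts as well as the successful one matters because a result obtained through the fallback (a cached or simulated answer) is weaker evidence than a fresh tool run, and the report should be able to say which it was.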
Output Files
After running, SIFTGuard produces:
data/cases/
├── report_YYYYMMDD_HHMMSS.json # Full investigation report
├── audit_YYYYMMDD_HHMMSS.json # Tool call audit trail
└── findings.jsonl # All recorded findings (one per line)
Accuracy Metrics
Generate accuracy report vs. ground truth:
python -c "
from tools.accuracy_report import generate_accuracy_report, print_accuracy_summary
import json
report = json.load(open('data/cases/report_LATEST.json'))  # substitute the latest report_YYYYMMDD_HHMMSS.json
acc = generate_accuracy_report(report, 'data/cases/accuracy.json')
print_accuracy_summary(acc)
"
Dataset
Evidence analyzed: SANS FIND EVIL! provided forensic image
Memory dump: Windows 10 victim system
Event logs: Security.evtx, System.evtx
Disk image: E01 format
Dataset documentation: docs/DATASET.md
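Scoring findings against ground truth, as an added example that is not the project's tools.accuracy_report: precision, recall and F1 over (type, value) pairs, with per-type counts and the concrete false positives and misses so an analyst can see what was wrong rather than just a number. The finding shape and the sample data are assumptions.

```python
"""Scoring recorded findings against a ground-truth list.

Added example, not the project's tools.accuracy_report. The type/value
shape of findings and ground truth, and the sample data, are assumptions.
"""
from typing import Dict, Iterable, List, Set, Tuple

Key = Tuple[str, str]

# Constructed sample data (not taken from the FIND EVIL! image).
SAMPLE_GROUND_TRUTH: List[Dict[str, str]] = [
    {"type": "ipv4", "value": "203.0.113.45"},
    {"type": "sha256", "value": "9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08"},
    {"type": "path", "value": "C:\\Users\\Public\\Libraries\\update.exe"},
    {"type": "technique", "value": "T1059.001"},
]
SAMPLE_FINDINGS: List[Dict[str, str]] = [
    {"type": "ipv4", "value": "203.0.113.45"},
    {"type": "sha256", "value": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 "},
    {"type": "ipv4", "value": "198.51.100.7"},        # not in ground truth: false positive
    {"type": "technique", "value": "T1059.001"},      # the path above was never found: miss
]


def normalise(ioc_type: str, value: str) -> Key:
    """Case-fold hashes and trim whitespace so formatting alone never causes a miss."""
    value = value.strip()
    if ioc_type in ("md5", "sha1", "sha256"):
        value = value.lower()
    return ioc_type, value


def to_keys(items: Iterable[Dict[str, str]]) -> Set[Key]:
    return {normalise(i["type"], i["value"]) for i in items}


def score(findings: Iterable[Dict[str, str]],
          ground_truth: Iterable[Dict[str, str]]) -> Dict[str, object]:
    """Precision/recall/F1 plus the exact items that were wrong or missing."""
    found, truth = to_keys(findings), to_keys(ground_truth)
    tp, fp, fn = found & truth, found - truth, truth - found
    precision = len(tp) / len(found) if found else 0.0
    recall = len(tp) / len(truth) if truth else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    per_type: Dict[str, Dict[str, int]] = {}
    for t in sorted({k[0] for k in found | truth}):
        per_type[t] = {"tp": sum(k[0] == t for k in tp),
                       "fp": sum(k[0] == t for k in fp),
                       "fn": sum(k[0] == t for k in fn)}
    return {"precision": precision, "recall": recall, "f1": f1,
            "false_positives": sorted(fp), "missed": sorted(fn), "per_type": per_type}


if __name__ == "__main__":
    for k, v in score(SAMPLE_FINDINGS, SAMPLE_GROUND_TRUTH).items():
        print(k, v)
```

Counting by unique (type, value) pairs rather than by raw finding rows stops a tool that reports the same address ten times from inflating either precision or recall.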
Submission Components
# | Component | Location |
1 | Code Repository | This repo |
2 | Demo Video | [YouTube link] |
3 | Architecture Diagram | |
4 | Written Description | |
5 | Dataset Documentation | |
6 | Accuracy Report | |
7 | Try-It-Out Instructions | |
8 | Agent Execution Logs |
License
MIT License — Copyright 2025 Sodiq Jimoh