SIFTGuard
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@SIFTGuardAnalyze memory dump for suspicious processes"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
SIFTGuard — Autonomous Forensic Investigation Agent
SIFTGuard is a multi-agent AI system for autonomous digital forensics and incident response. It wraps SIFT Workstation forensic tools (volatility3, python-evtx, sleuthkit) as a purpose-built MCP (Model Context Protocol) server, orchestrates a 5-agent AI pipeline, and produces structured findings with a complete audit trail.
FIND EVIL! Hackathon 2026 — Track: Custom MCP Server + Multi-Agent Pipeline on SIFT Workstation
Architecture

Evidence Artifacts (memory, EVTX, disk images)
│
▼
┌─────────────────────────────────────────────────────────┐
│ SIFTGuard MCP Server │
│ ┌──────────────┐ ┌──────────────┐ ┌────────────────┐ │
│ │ run_volatility│ │ parse_evtx │ │ run_sleuthkit │ │
│ └──────────────┘ └──────────────┘ └────────────────┘ │
│ ┌──────────────┐ ┌──────────────┐ ┌────────────────┐ │
│ │ extract_iocs │ │ check_mitre │ │ search_playbook│ │
│ └──────────────┘ └──────────────┘ └────────────────┘ │
│ ┌──────────────┐ ┌──────────────┐ ┌────────────────┐ │
│ │record_finding │ │ list_evidence│ │ get_audit_trail│ │
│ └──────────────┘ └──────────────┘ └────────────────┘ │
└─────────────────────┬───────────────────────────────────┘
│ tool calls
▼
┌─────────────────────────────────────────────────────────┐
│ 5-Agent Orchestration Pipeline │
│ │
│ [1] TriageAgent → Groq llama-3.3-70b │
│ ↓ threat classification, playbook selection │
│ [2] AnalyzerAgent → MCP tools (volatility+evtx+tsk) │
│ ↓ deep forensic analysis, finding extraction │
│ [3] SelfCorrectionAgent → wraps all tool calls │
│ ↓ autonomous retry with alternative strategies │
│ [4] PlannerAgent → Groq + RAG over DFIR playbooks │
│ ↓ prioritized containment/eradication plan │
│ [5] ExecutorAgent → Human-in-the-Loop gate │
│ ↓ approval + safe execution │
└─────────────────────────────────────────────────────────┘
│
▼
Findings + Audit Trail + ReportRelated MCP server: findevil-agent
8 MCP Tools
Tool | SIFT Binary | Purpose |
| volatility3 | Memory forensics (pslist, netscan, malfind, cmdline) |
| python-evtx | Windows Event Log parsing + filter |
| log2timeline / reconstructed | Supertimeline from all artifacts |
| fls, mmls, istat | Disk image analysis |
| regex engine | IOC extraction (IPs, hashes, paths) |
| knowledge base | MITRE ATT&CK technique mapping |
| playbook DB | DFIR investigation playbook retrieval |
| case file | Validated finding persistence |
Quickstart
1. Clone and Setup
git clone https://github.com/sodiq-code/siftguard
cd siftguard
bash scripts/setup.sh2. Configure
cp .env.example .env
# Edit .env — add your GROQ_API_KEY3. Add Evidence
# Place your forensic artifacts:
data/evidence/memory/ ← memory dumps (.mem, .raw, .dmp)
data/evidence/logs/ ← EVTX logs (.evtx)
data/evidence/disk/ ← disk images (.E01, .dd)4. Run Full Pipeline
source .venv/bin/activate
python main.py5. Run with Custom Indicators
python main.py --indicators "Suspicious process on port 4444, possible reverse shell"6. Interactive Mode (real human approval)
python main.py --interactivePipeline Stages
Stage | Agent | Description |
1 | MCP Server | Evidence inventory — list all artifacts |
2 | TriageAgent | AI classification of threat type and severity |
3 | MCP Server | DFIR playbook loading |
4 | AnalyzerAgent | Deep analysis — memory + logs + disk |
5 | SelfCorrectionAgent | Autonomous retry on tool failures |
6 | MCP Server | Record validated findings to case file |
7 | PlannerAgent | Generate remediation plan with Groq + RAG |
8 | ExecutorAgent | Human-in-the-loop approval + execution |
Forensic Integrity Note: The ExecutorAgent generates remediation commands targeting the compromised host — the SIFT Workstation environment remains strictly read-only throughout the entire investigation. No evidence is modified.
Self-Correction System
SIFTGuard's SelfCorrectionAgent wraps every tool call with a 3-attempt correction loop:
Tool Call Attempt 1
│ FAILS (timeout / empty result / wrong format)
▼
Diagnose failure → select correction strategy
│
▼
Tool Call Attempt 2 (modified args)
│ FAILS again
▼
Fallback strategy (simulation / alternative tool)
│
▼
Tool Call Attempt 3 → SUCCESSAll correction events are logged to the audit trail. Demonstrated live in the demo video.
Output Files
After running, SIFTGuard produces:
data/cases/
├── report_YYYYMMDD_HHMMSS.json # Full investigation report
├── audit_YYYYMMDD_HHMMSS.json # Tool call audit trail
└── findings.jsonl # All recorded findings (one per line)Accuracy Metrics
Generate accuracy report vs. ground truth:
python -c "
from tools.accuracy_report import generate_accuracy_report, print_accuracy_summary
import json
report = json.load(open('data/cases/report_LATEST.json'))
acc = generate_accuracy_report(report, 'data/cases/accuracy.json')
print_accuracy_summary(acc)
"Dataset
Evidence analyzed: SANS FIND EVIL! provided forensic image
Memory dump: Windows 10 victim system
Event logs: Security.evtx, System.evtx
Disk image: E01 format
Dataset documentation: docs/DATASET.md
Demo Video
4m 11s elite demo — 9-scene animated production video: intro, problem statement, solution overview, live pipeline execution (terminal), EVTX deep-dive, MITRE ATT&CK mapping, audit trail, architecture, and outro. Narrated with full VO + background music.
What the demo covers:
Stage 1 — Evidence inventory (4 artifacts discovered)
Stage 2 — Groq AI triage in 0.3s, playbook selected
Stage 4 — Deep forensic analysis: volatility3, EVTX parsing, IOC extraction
Self-Correction Engine — 2 autonomous retries, zero human intervention (Evaluation Criterion #1)
Stage 5 — Findings + prioritized remediation plan (3 critical, 2 high severity)
Stage 6 — Human-in-the-Loop approval gate (Evaluation Criterion #4)
Stage 7 — Audit trail + JSON report (Evaluation Criterion #5)
Submission Components
# | Component | Location |
1 | Code Repository | This repo |
2 | Demo Video | |
3 | Architecture Diagram | |
4 | Written Description | |
5 | Dataset Documentation | |
6 | Accuracy Report | |
7 | Try-It-Out Instructions | |
8 | Agent Execution Logs |
Demo Screenshots
Real terminal output from a live pipeline run — no mocks, no edits.
Stage 1/8 — Evidence Inventory
SIFTGuard ASCII banner + MCP server spin-up + evidence inventory across 3 incident cases (4e074085, a1b2c3d4, ff001122). Agent detects 4 evidence files across all cases.
Stages 2–3/8 — AI Triage + Playbook Load
Groq Llama-3.3-70b performs autonomous triage: classifies incident as MALWARE/HIGH severity, generates threat assessment, loads matched IR playbooks for each case. (Output truncated at right edge — full hypothesis text continues beyond screenshot width.)
Stage 4/8 — Self-Correction Event
Agent detects a failed tool call mid-analysis, logs a SELF-CORRECTION event, retries with adjusted parameters. Two-attempt autonomous recovery with full audit logging.
Stage 5/8 — Deep Analysis + Finding Recording
AnalyzerAgent deep forensic pass: volatility3 memory scan, EVTX log parsing, IOC extraction. 3 high-confidence findings recorded to case file (C2 beaconing, credential theft, lateral movement).
Stages 6–7/8 — Remediation Plan + HITL Gate
PlannerAgent generates ranked remediation plan; ExecutorAgent surfaces it through the Human-in-the-Loop approval gate before executing 5 actions: Block C2 IP, Remove Malicious Service, Restore System, Isolate Host, Remove Scheduled Task.
Stage 8/8 — Audit Trail + Investigation Complete
Full pipeline summary: 3 cases processed, 3 findings confirmed, 5 remediation actions executed, structured audit trail written. Total runtime captured.
License
MIT License — Copyright 2026 Sodiq Jimoh
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/sodiq-code/siftguard'
If you have feedback or need assistance with the MCP directory API, please join our Discord server