Forensic Artifact Investigator MCP Server
Enables checking file hash reputation against VirusTotal's threat intelligence database to identify known malicious files.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Forensic Artifact Investigator MCP Serverrun strings on the memory.dmp file"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Forensic Artifact Investigator MCP Server
A production-quality Model Context Protocol (MCP) server built with the NitroStack framework. It performs real, local forensic analysis of file bytes by orchestrating system forensic binaries (file, exiftool, GNU strings, and Volatility) via safe, shell-free subprocess execution.
Table of Contents
Related MCP server: Sysinternals MCP Server
How It Works
This server exposes local forensic tools as MCP primitives to LLM clients. The execution flow is strictly live:
Client Handshake: The MCP client establishes a JSON-RPC session over STDIO.
Tool Selection: When asked to inspect a file, the LLM calls
extract-metadataorextract-strings.Execution Safety: The server validates the path to ensure it remains inside the configured
EVIDENCE_ROOTand blocks symlink/path traversal attacks.Command Execution: The server spawns command-line forensic utilities directly (using
execFile/spawnwithshell: false). It enforces CPU timeouts and memory boundaries.Chain-of-Custody Logging: Every command execution, success or failure, is appended to an audit log (
data/analysis-log.jsonl).Result Formatting: Results are returned to the client in structured JSON. The LLM can render the
analysis-reportwidget to show a premium UI panel.
Supported Platforms & Installation
The server requires Node.js v18+ (v22 LTS recommended) and system forensic binaries.
Linux (Debian/Ubuntu/CentOS)
1. System Dependencies
On Debian/Ubuntu:
sudo apt-get update
sudo apt-get install -y file libimage-exiftool-perl binutils python3 python3-pip python3-venvOn CentOS/RHEL (EPEL required):
sudo dnf install epel-release
sudo dnf install -y file perl-Image-ExifTool binutils python3 python3-pip2. Volatility 3 Installation
It is highly recommended to install Volatility 3 in a dedicated virtual environment inside or adjacent to the project directory:
python3 -m venv .venv-volatility
source .venv-volatility/bin/activate
pip install --upgrade pip
pip install volatility3Determine the absolute path of the vol binary (usually .venv-volatility/bin/vol).
Windows (Native & WSL)
Option A: WSL2 (Recommended)
Follow the standard Linux installation instructions inside your WSL terminal (e.g. Ubuntu). Access Windows files via /mnt/c/.
Option B: Native Windows (PowerShell)
Node.js: Install Node.js LTS via the official installer.
File Utility: Install git-bash or downoad the native Win32
filecommand via Git for Windows, then add it to your System PATH.ExifTool: Download the stand-alone Windows executable from exiftool.org, rename it to
exiftool.exe, and place it in a folder in your System PATH.GNU strings: Download
strings.exefrom Sysinternals Suite and add it to your PATH.Volatility 3:
Install Python 3 via the Microsoft Store or Python website.
Install Volatility 3 using PowerShell:
python -m venv .venv-volatility .venv-volatility\Scripts\activate python -m pip install --upgrade pip python -m pip install volatility3The path to your binary will be
.venv-volatility\Scripts\vol.exe.
Configuration (.env)
Configure your local environment by creating a .env file in the root of forensic-artifact-investigator:
# Absolute path to the folder containing your evidence files
EVIDENCE_ROOT=/Users/nambi/Documents/Forensic Open Source/evidence
# Volatility configuration
VOLATILITY_MAJOR_VERSION=3
VOLATILITY_BINARY=/Users/nambi/Documents/Forensic Open Source/.venv-volatility/bin/vol
# Optional: VirusTotal Reputation API Key (Leave empty to skip online reputation checks)
VIRUSTOTAL_API_KEY=
# Execution Limits
FILE_COMMAND_TIMEOUT_MS=60000
VOLATILITY_TIMEOUT_MS=300000
MAX_RETURNED_STRINGS=5000
MAX_STRING_OUTPUT_BYTES=2000000
VOLATILITY_MAX_OUTPUT_BYTES=5000000MCP Protocol Surface Reference
Tools (Input & Output Examples)
1. extract-metadata
Extracts filesystem size, runs file --mime-type to detect the actual type, checks for MIME discrepancies using the signatures database, computes the SHA-256, and extracts camera, GPS, and timestamp metadata via ExifTool.
Parameters:
{ "filePath": "/evidence/suspect_photo.jpg" }Response Example:
{ "tool": "extract-metadata", "targetFile": "/evidence/suspect_photo.jpg", "fileSizeBytes": 1717, "extension": ".jpg", "detectedMimeType": "image/jpeg", "expectedMimeTypes": ["image/jpeg"], "extensionKnown": true, "extensionMismatch": false, "sha256": "37751c11e6cc72ef0d39e31dcd4dfdf2252c8adab256be47e24b745499cf29fa", "metadata": { "camera": { "make": "TestCamera", "model": "Forensic-1000", "lens": "TestLens 35mm" }, "gps": { "latitude": "37 deg 48' 0.00\" N", "longitude": "122 deg 25' 0.00\" W", "altitude": "10 m" }, "software": "EvidenceGen v1.0", "timestamps": { "dateTimeOriginal": "2026:07:12 12:00:00" } } }
2. extract-strings
Extracts ASCII/Unicode characters with a minimum length of 6, and scans them for IP addresses, URLs, domains, and suspicious command-line keywords.
Parameters:
{ "filePath": "/evidence/suspect_photo.jpg" }Response Example:
{ "tool": "extract-strings", "totalStringsCaptured": 23, "returnedCount": 23, "patternMatches": { "ipAddresses": [], "urlsAndDomains": [ { "matchedValue": "http://malicious-site.com/payload.exe", "sourceString": "Download link http://malicious-site.com/payload.exe here.", "type": "url" } ], "suspiciousKeywords": [ { "keyword": "powershell", "sourceString": "powershell -EncodedCommand AAAA" } ] } }
3. analyze-memory-dump
Invokes the configured Volatility binary to run sequentially: windows.info, windows.pslist, windows.netscan, and windows.malfind.
Parameters:
{ "filePath": "/evidence/winmem.raw" }Response Example (Truncated):
{ "tool": "analyze-memory-dump", "volatilityVersion": 3, "volatilityBinary": "/path/to/vol", "osProfile": { "NTBuildLab": "14393.pc.release...", "SystemTime": "2026-07-12 12:00:00" }, "processList": [ { "PID": 4, "PPID": 0, "ImageFileName": "System" } ], "pluginResults": { "info": { "status": "success", "rowCount": 1 }, "pslist": { "status": "success", "rowCount": 120 }, "netscan": { "status": "success", "rowCount": 15 }, "malfind": { "status": "success", "rowCount": 3 } } }
Resources (Schema & Output Examples)
1. signatures://magic-bytes
Returns the JSON sign-off references containing mapping tables.
MIME:
application/json
2. case://analysis-log
Returns the append-only logs compiled from data/analysis-log.jsonl.
MIME:
application/json
3. signatures://threat-intel/{hash}
Returns VirusTotal file hash summary statistics.
Special offline path: Querying MD5
44d88612fea8a8f36de82e1278abb02f(EICAR) returns a local response without internet connection:{ "status": "found", "source": "deterministic-eicar-fixture", "hash": "44d88612fea8a8f36de82e1278abb02f", "hashAlgorithm": "md5", "malicious": 1, "summary": "Known EICAR antivirus test-file hash; deterministic test response." }
Prompts
full-file-analysis: An interactive prompt guiding LLMs to parse, check reputation, and organize findings under exact headers:Confirmed Anomalies,Possible Anomalies, andClean.
Widgets
analysis-report: Headless React interface. Renders structured results on a dark-mode optimized layout with interactive copy-pastes for analysts.
Setting Up in Client Harnesses
Claude Code
To add this server to Claude Code, run:
claude mcp add forensic-server node /path/to/forensic-artifact-investigator/dist/index.js(Make sure to compile the project first using npm run build and populate the .env file.)
Cursor
To configure inside Cursor IDE:
Open Cursor Settings.
Go to Features -> MCP.
Click + Add New MCP Server.
Configure as follows:
Name:
Forensic InvestigatorType:
commandCommand:
node "/path/to/forensic-artifact-investigator/dist/index.js"
Save and check that the indicator turns green.
Claude Desktop
Add this configuration to your local config at ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):
{
"mcpServers": {
"forensic-artifact-investigator": {
"command": "node",
"args": [
"/path/to/forensic-artifact-investigator/dist/index.js"
],
"env": {
"EVIDENCE_ROOT": "/path/to/evidence",
"VOLATILITY_BINARY": "/path/to/vol",
"VOLATILITY_MAJOR_VERSION": "3"
}
}
}
}Development, Build, and Testing
Install Dependencies:
npm installRun Typechecking:
npm run typecheckRun Tests (Vitest):
npm testBuild Server and Widgets:
npm run buildRun Server Locally:
npm start
Security and Forensic Guidelines
No Shell Interpolation: Evaluates arguments array in a shell-free execution context to prevent subprocess vulnerability exploits.
Log Sanitation: The application guarantees that
VIRUSTOTAL_API_KEYis not logged in files or included in errors.Path Restrictions: Every file validation requires canonical comparison against
EVIDENCE_ROOTto prevent symlink traversal breakouts.Findings are Indicators: Discrepancies and strings are only indicators. They are designed to assist human validation and must not be used as final legal proof of malware.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/guyoverclocked/forensic-artifact-investigator'
If you have feedback or need assistance with the MCP directory API, please join our Discord server