Inspiration

While studying for the ISC2 CISSP exam, a question about NTP log source differences sparked a realization: forensic analysts spend enormous amounts of time manually correlating timestamps across disparate log sources. We were inspired to use AI to automate tasks that are repetitive and long-running.

What it does

Protocol-Sift automates NTP forensic analysis by ingesting raw log sources and building an enriched, correlated timeline. It identifies time skew between log sources, flags suspicious NTP synchronization events, and surfaces anomalies that indicate timestamp manipulation or clock drift. The tool generates a structured forensic audit report, giving analysts an anchored, NIST-referenced timeline suitable for legal proceedings and evidentiary submission.

How we built it

We built Protocol-Sift using a two-repository architecture: hackasans-correlator provides the infrastructure and orchestration layer, while protocol-sift contains the AI agent skills and analysis code. The agent uses a manifest-driven tool interface with a self-correction loop and a hard iteration cap to prevent runaway execution. We integrated Claude Code as an autonomous agent with SKILL.md decision files to guide tool selection. NTP enrichment pulls authoritative time from NIST, cross-references Windows Time Service Event IDs, and outputs enriched Plaso l2tcsv fields for super-timeline analysis. While the artifacts in this engagement came from a Windows system, the tool is designed to support Linux and other operating system log sources as well. Our designs and architectural decisions are documented with ADRs in the authoring repo. See docs/ARCHITECTURE.md for more details.
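To make the enrichment step concrete, here is an added example (not code from the protocol-sift or hackasans-correlator repositories) that normalises two constructed Windows time events into Plaso l2tcsv rows and flags a clock step larger than a threshold as an anomaly for the timeline. The 4616 previous/new fields, the 60-second threshold and the sample events are assumptions made for illustration.

```python
# Added example (not Protocol-Sift's own code): normalise constructed Windows
# time events into Plaso l2tcsv rows and flag large clock steps as anomalies.
# Assumed: 4616 previous/new fields, 60 s threshold, and the sample events below.
import csv
import io
from datetime import datetime, timezone

# The 17 columns of Plaso's l2tcsv output, in order.
L2TCSV_FIELDS = ("date time timezone MACB source sourcetype type user host short "
                 "desc version filename inode notes format extra").split()
STEP_THRESHOLD_S = 60  # constructed: larger clock steps are flagged for review

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def clock_step_seconds(event):
    """Signed clock step recorded by a 4616 event; 0 for events without one."""
    if "previous" not in event:
        return 0.0
    return (parse_ts(event["new"]) - parse_ts(event["previous"])).total_seconds()

def is_suspicious(event):
    return abs(clock_step_seconds(event)) > STEP_THRESHOLD_S

def to_l2tcsv_row(event):
    """Map one normalised event to the 17-column Plaso l2tcsv layout."""
    ts, step = parse_ts(event["ts"]), clock_step_seconds(event)
    notes = f"clock step {step:+.0f}s exceeds {STEP_THRESHOLD_S}s" if is_suspicious(event) else "-"
    return {"date": ts.strftime("%m/%d/%Y"), "time": ts.strftime("%H:%M:%S"),
            "timezone": "UTC", "MACB": "M...", "source": "EVT",
            "sourcetype": f"WinEVTX {event['source']}", "type": "Content Modification Time",
            "user": event.get("user", "-"), "host": event["host"],
            "short": f"EventID {event['event_id']}", "desc": event["desc"], "version": "2",
            "filename": "-", "inode": "-", "notes": notes, "format": "winevtx", "extra": "-"}

def build_timeline(events):
    """Return l2tcsv text (header + rows) ordered by event time."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=L2TCSV_FIELDS)
    writer.writeheader()
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        writer.writerow(to_l2tcsv_row(ev))
    return buf.getvalue()

# Constructed sample: a 30-minute clock rollback (4616) followed by an NTP re-sync (37).
SAMPLE_EVENTS = [
    {"host": "WS01", "source": "System", "event_id": 37, "ts": "2024-03-01T10:05:00Z",
     "desc": "NtpClient synchronised with time source"},
    {"host": "WS01", "source": "Security", "event_id": 4616, "ts": "2024-03-01T09:30:00Z",
     "user": "SYSTEM", "previous": "2024-03-01T10:00:05Z", "new": "2024-03-01T09:30:00Z",
     "desc": "The system time was changed"},
]
```

Calling `build_timeline(SAMPLE_EVENTS)` yields a header plus two rows, with the rollback row carrying the anomaly note in the `notes` column so it survives into a super-timeline review.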

Challenges we ran into

Working with AI in a production-style workflow introduced unexpected behaviors, particularly when using it to generate and execute code autonomously. This was our first experience applying AI in two distinct capacities simultaneously: as a coding assistant and as an orchestration / algorithmic analysis engine. Learning to refine specs, prompt effectively, handle edge cases, and maintain control of the agent loop were our biggest technical hurdles. From a developer standpoint, using prompt-driven development presented challenges with drift between the prompts and the generated code. We developed a set of Claude skills that developers can use to reconcile divergences between prompts and code in the two repos.

Accomplishments that we're proud of

Building a working autonomous forensic agent as a two-person team within hackathon time constraints. Deploying AWS infrastructure using AI-assisted infrastructure as code. Adopting spec-driven development for the first time, a new approach for both of us, which kept the project focused and gave the AI agent a reliable decision framework.

What we learned

Agentic AI workflows require hard guardrails, iteration caps, self-correction loops, and clear failure modes to be reliable in a security context. In forensic work especially, false confidence in a result is worse than no answer at all. We also learned that spec-driven development is difficult and powerful.

What's next for Protocol-Sift

We plan to expand Protocol-Sift beyond NTP to additional protocol forensics: DNS query timeline analysis, Kerberos ticket timestamp correlation, and HTTP access log time skew detection. We also want to integrate directly with Velociraptor and KAPE artifact outputs so the tool fits natively into existing DFIR collection workflows. Mapping findings to the MITRE ATT&CK framework is a high-priority next step, enabling analysts to connect timestamp anomalies directly to known adversary techniques.
