Inspiration

The idea for this platform was born out of frustration. During my time as a security intern, I got my first real taste of digital forensics, and while the work was fascinating, the process was exhausting. Every investigation meant jumping between a dozen different tools, manually sifting through enormous volumes of data, and trying to piece together a coherent picture from scattered outputs.

When I started talking to friends already working in the industry and fellow students who had gone through similar experiences, I quickly realized this wasn't just my problem. It was everywhere.

What it does

Our platform brings three AI-powered investigative tools under one roof. Coroner automates digital forensics: analysts upload their files, and it runs a full suite of forensic tools automatically, delivering an interactive report they can query in plain English and export as a PDF. Wallet Trace maps Solana wallet transaction history and key connections, turning hours of manual crypto tracing into seconds. And Digital Sketching takes a ransomware note and instantly identifies the likely threat actor, analyzes the language patterns, and generates a risk assessment using custom ML models.

How we built it

At the core of the platform is an MCP server built with Python and FastMCP, exposing a suite of custom forensic tools that our AI agent can call autonomously. We integrated industry-standard services like VirusTotal and Falcon Sandbox alongside several other tools to give the agent real investigative capability, all surfaced through a FastAPI backend.
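As an added example (not the project's own code) of how one custom forensic tool can be surfaced to the agent through FastMCP: the tool fingerprints an uploaded file (size, SHA-256, magic-byte type guess) and refuses any name that resolves outside the upload directory, so an autonomously acting agent cannot be steered into reading arbitrary host files. The tool name, `UPLOAD_DIR` and the small magic-byte table are assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed upload root where analysts' files land (constructed for this example).
UPLOAD_DIR = Path(os.environ.get(
    "CORONER_UPLOAD_DIR", Path(tempfile.gettempdir()) / "coroner_uploads")).resolve()
UPLOAD_DIR.mkdir(parents=True, exist_ok=True)

# A handful of magic-byte prefixes, enough to illustrate the type guess.
MAGIC = {
    b"MZ": "pe-executable",
    b"\x7fELF": "elf-executable",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip-container",
}


def _resolve_upload(name: str) -> Path:
    """Map an agent-supplied name to a file inside UPLOAD_DIR, or refuse it."""
    candidate = (UPLOAD_DIR / name).resolve()
    if UPLOAD_DIR not in candidate.parents:
        raise ValueError("path escapes upload directory")
    if not candidate.is_file():
        raise FileNotFoundError(name)
    return candidate


def fingerprint_file(name: str) -> dict:
    """Return size, SHA-256 and a magic-byte type guess for one uploaded file."""
    path = _resolve_upload(name)
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        head = fh.read(4)  # the first bytes double as the type probe
        digest.update(head)
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    kind = next((v for k, v in MAGIC.items() if head.startswith(k)), "unknown")
    return {"name": name, "size": path.stat().st_size,
            "sha256": digest.hexdigest(), "type": kind}


# Register with FastMCP when the package is installed; the function stays a
# plain callable so the tool logic can be exercised without an MCP client.
try:
    from mcp.server.fastmcp import FastMCP
    mcp = FastMCP("coroner-forensics")
    mcp.tool()(fingerprint_file)
except ImportError:
    mcp = None
```

With the `mcp` package installed, `mcp.run()` starts the server and the agent sees `fingerprint_file` as a callable tool.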

Wallet Trace was built using FastAPI and the Solana ecosystem, leveraging Solana's speed and accessibility to pull and map transaction data quickly and securely.

For Digital Sketching, we trained custom models from the ground up using PyTorch and scikit-learn, purpose-built for threat actor classification and linguistic analysis of ransomware communications.

Challenges we ran into

Building the MCP server was our biggest hurdle; none of us had done it before, so there was a steep learning curve getting our custom tooling properly exposed and working reliably with the agent. Integration across the platform also proved more complex than anticipated: getting all three tools communicating cleanly with our backends took significant debugging and iteration.

Solana presented its own challenge entirely. None of us came in with any blockchain experience, so we had to get up to speed quickly on an unfamiliar ecosystem while simultaneously building on top of it under time pressure.

Accomplishments that we're proud of

We're proud that we went from idea to a fully functional, multi-tool investigative platform in a single hackathon. Building an MCP server for the first time and getting it to reliably power a real agentic workflow was a genuine technical milestone for our team.

But what we're most proud of is that we built something that actually solves a real problem. It's a platform rooted in real frustration from real investigative work, and every tool we shipped directly cuts down the time and complexity analysts face every day. That connection between what we built and why we built it is something we're genuinely proud of.

What we learned

This project pushed all of us into unfamiliar territory, and we're better for it. We came away with a solid understanding of how MCP servers work and how to design agentic tooling that an AI can use reliably and autonomously. And training our own PyTorch and scikit-learn models for Digital Sketching deepened our understanding of how custom ML can be applied to real-world security problems rather than textbook ones.

Beyond the technical, we learned a lot about the importance of integration planning early. A lot of our hardest moments came from trying to stitch together well-built individual components that weren't designed to talk to each other from the start. That's a lesson we'll carry into every project going forward.

What's next for Coroner

The next step is scale. Our goal is to expand Coroner to support full disk images, giving analysts the ability to feed in an entire drive and let the agent work through it autonomously. This would unlock a much deeper level of forensic investigation, handling the kind of data volumes that currently represent some of the most time-consuming work in the field.
