Inspiration
Digital forensic investigations often require analysts to manually inspect multiple evidence sources, correlate findings across artifacts, validate hypotheses, and document conclusions. This process is time-consuming, repetitive, and difficult to scale when dealing with large volumes of data. We wanted to explore whether autonomous AI agents could meaningfully assist investigators by following a structured forensic methodology rather than simply generating answers from prompts. Inspired by the SIFT (SANS Investigative Forensic Toolkit) methodology and modern agentic AI systems, we built SentinelSIFT-X to demonstrate how specialized forensic agents can collaborate, challenge conclusions, verify evidence, and produce investigation-ready findings while maintaining transparency and traceability.
What it does
SentinelSIFT-X is an autonomous Digital Forensics and Incident Response (DFIR) platform that analyzes forensic evidence and produces structured investigation results through a multi-agent workflow.
The platform accepts forensic case data and automatically:
1) Extracts and analyzes evidence from multiple sources
2) Performs memory, disk, log, and Windows artifact analysis
3) Generates investigation plans using SIFT methodology
4) Correlates findings across evidence sources
5) Challenges and verifies conclusions through self-correction agents
6) Produces evidence-backed findings with confidence scores
7) Maintains reasoning traces and execution logs
8) Generates investigation reports through an interactive dashboard
The system is designed to demonstrate autonomous execution, evidence correlation, verification, and transparent reasoning rather than acting as a simple AI chatbot.
How we built it
SentinelSIFT-X uses a hierarchical multi-agent architecture built around specialized forensic agents.
Backend
We developed the backend using:
- Python
- FastAPI
- LangGraph
- Pydantic
- Uvicorn
- SIFT Workstation
The investigation workflow is orchestrated through LangGraph, where each agent performs a dedicated forensic task. The architecture includes:
- Memory Agent
- Disk Agent
- Log Agent
- Protocol SIFT Agent
- Windows Artifact Agent
- Correlation Agent
- Challenge Agent
- Contradiction Agent
- Verifier Agent
- Tool Selection Agent
Architecture Link: https://drive.google.com/file/d/1HVdZhDTs8SVDHs6qNEFiJpri8nNT5yTq/view?usp=sharing
Instead of allowing a single LLM to perform the entire investigation, we split responsibilities across specialized agents. This improved traceability and allowed us to implement verification stages before findings were surfaced.
Self-Correction Pipeline
A major design decision was implementing multiple verification layers:
- Investigation agents generate findings.
- Correlation Agent links evidence across sources.
- Challenge Agent attempts to invalidate findings.
- Contradiction Agent searches for conflicting explanations.
- Verifier Agent confirms evidence support before final reporting.
This creates a measurable self-correction mechanism rather than relying solely on model confidence.
Frontend
The dashboard was built using:
- Next.js
- React
- TypeScript
- Tailwind CSS
- Recharts
The interface provides:
- Investigation uploads
- Real-time findings visualization
- Agent execution monitoring
- Investigation timelines
- Benchmarking dashboards
- Report generation
- Export functionality
Deployment
The system is deployed using:
- Railway (Backend API)
- Vercel (Frontend Dashboard)
- GitHub (Open Source Repository)
Challenges we ran into
Designing reliable autonomous execution
One of the biggest challenges was deciding how much autonomy to give the agents. A completely unconstrained agent could produce unsupported conclusions, while excessive restrictions reduced usefulness. We addressed this through a multi-stage verification pipeline.
Reducing hallucinated findings
Forensic investigations require evidence-backed conclusions. We implemented Challenge, Contradiction, and Verifier agents to reduce unsupported claims and force findings to reference evidence sources.
Maintaining evidence integrity
We wanted to ensure the investigation process never altered original evidence. The architecture was designed around read-only evidence processing, ensuring findings are generated separately from source data.
Frontend-backend synchronization
During development we encountered multiple deployment and synchronization issues between the React frontend and FastAPI backend. Ensuring uploaded investigations immediately updated dashboard state without requiring refreshes required several architectural changes to state management.
Deployment challenges
Deploying a multi-agent backend and dashboard as separate services required handling environment variables, API routing, CORS configuration, and cloud deployment constraints across Railway and Vercel.
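The verification stages described above (Verifier confirming evidence support, Contradiction flagging conflicting explanations) and the read-only evidence requirement, shown as an added illustration in plain Python. This is not SentinelSIFT-X's own code and does not use its LangGraph graph; the case structure, finding fields and confidence penalties are assumptions, and the sample case is constructed rather than taken from the repository's case files.

```python
import hashlib
import json
from copy import deepcopy

# Constructed sample case (assumed structure, not the repository's case3.json format):
# a read-only evidence store keyed by evidence id.
CASE = {
    "evidence": {
        "mem-01": {"source": "memory", "note": "unsigned svchost.exe running from C:\\Users\\Public"},
        "log-01": {"source": "log", "note": "4624 logon for svc_backup from 10.0.0.7 at 10:01Z"},
        "disk-01": {"source": "disk", "note": "svchost.exe in C:\\Users\\Public created 09:58Z"},
    }
}

# Findings as investigation agents might emit them (assumed shape): a claim about a
# subject, the evidence ids it rests on, and the emitting agent's own confidence.
FINDINGS = [
    {"subject": "svchost-public", "claim": "malicious", "evidence": ["mem-01", "disk-01"], "confidence": 0.9},
    {"subject": "svchost-public", "claim": "benign", "evidence": ["disk-01"], "confidence": 0.6},
    {"subject": "svc_backup", "claim": "compromised", "evidence": ["log-01", "log-99"], "confidence": 0.8},
]

def evidence_digest(case):
    """Hash the canonical JSON of the evidence so any modification during analysis is detectable."""
    return hashlib.sha256(json.dumps(case["evidence"], sort_keys=True).encode()).hexdigest()

def verifier(findings, case):
    """Verifier stage: a finding is supported only if every cited evidence id actually exists."""
    out = []
    for f in findings:
        missing = [e for e in f["evidence"] if e not in case["evidence"]]
        g = {**f, "status": "unsupported" if missing else "supported", "missing": missing}
        if missing:
            g["confidence"] = 0.0  # unsupported claims carry no confidence into the report
        out.append(g)
    return out

def contradiction(findings):
    """Contradiction stage: conflicting claims about one subject cannot both be reported as final."""
    claims = {}
    for f in findings:
        claims.setdefault(f["subject"], set()).add(f["claim"])
    for f in findings:
        if len(claims[f["subject"]]) > 1 and f["status"] == "supported":
            f["status"] = "contested"
            f["confidence"] = round(f["confidence"] * 0.5, 2)  # assumed penalty for contested findings
    return findings

def run_pipeline(findings, case):
    """Run Verifier then Contradiction over a copy of the findings; evidence must be untouched."""
    before = evidence_digest(case)
    result = contradiction(verifier(deepcopy(findings), case))
    if evidence_digest(case) != before:
        raise RuntimeError("evidence store was modified during analysis")
    return result
```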
Accomplishments that we're proud of
- Built a complete autonomous DFIR investigation platform.
- Designed and implemented a multi-agent forensic workflow.
- Created a self-correction pipeline using Challenge, Contradiction, and Verifier agents.
- Developed an interactive investigation dashboard with live reporting.
- Successfully deployed the system publicly.
- Implemented structured reasoning and execution logging.
- Demonstrated evidence-backed investigation generation instead of simple prompt-based responses.
- Created a reusable architecture that can be extended with additional forensic tools and agents.
What we learned
This project reinforced that building autonomous systems is fundamentally different from building traditional AI applications. We learned that:
- Specialized agents often outperform monolithic agent designs for complex investigations.
- Verification and contradiction stages are essential for trustworthy autonomous execution.
- Evidence traceability is as important as model accuracy.
- Autonomous systems require architectural guardrails, not just prompt engineering.
- Transparency through logs and reasoning traces significantly improves trust and debuggability.
- Multi-agent orchestration introduces new challenges around state management, coordination, and evaluation.
We also gained a deeper understanding of digital forensics workflows and how AI can augment investigators without replacing forensic methodology.
What's next for SentinelSIFT-X
Our next goal is to transform SentinelSIFT-X into a fully extensible forensic investigation platform powered by the Model Context Protocol (MCP). By integrating MCP servers, SentinelSIFT-X will be able to securely connect to external forensic tools, threat intelligence sources, evidence repositories, and enterprise security platforms without requiring custom integrations for each tool.
Future work includes:
- MCP integration for forensic tooling and evidence access
- Secure tool execution through MCP servers
- Threat intelligence enrichment via MCP-connected data sources
- Expanded multi-agent collaboration and specialization
- Enterprise-ready investigation workflows
- Enhanced auditability and evidence provenance tracking
Our long-term vision is to create an autonomous DFIR platform where specialized agents can seamlessly discover, access, and orchestrate forensic capabilities through MCP while maintaining transparency, traceability, and evidence-backed reasoning.
To test SentinelSIFT-X:
- Open the demo URL.
- Upload one of the provided sample case files from the dataset (e.g., case3.json). The dataset can be accessed from https://github.com/shefalimodi24-source/SentinelSIFT-X under data, where JSON files such as case3.json and case2.json are present.
- Click "Start Investigation".
- Review the generated findings, investigation workflow, evidence explorer, and final report.
Built With
- css
- fastapi
- langgraph
- next.js
- pydantic
- python
- react
- recharts
- tailwind
- typescript
- uvicorn
- vercel