Inspiration
Digital forensic investigations are slow, manual, and analyst-dependent. A skilled DFIR analyst working the M57-Patents case — a real corporate espionage scenario from the NIST CFReDS dataset — might take hours to correlate memory artifacts, disk evidence, email logs, and browser history into a coherent theory. I asked: what if an AI agent could do this autonomously, with the same rigor as a human analyst, but in under 6 minutes — and prove it with ground-truth benchmarks? SIFT-AEGIS is the answer. It extends Protocol SIFT with an autonomous AI orchestrator, a custom MCP server, and a competing case theory engine — all running on a real SIFT Workstation against real NIST evidence.
What it does
SIFT-AEGIS is a fully autonomous Digital Forensics and Incident Response (DFIR) agent that investigates a real criminal case end-to-end without human intervention. Given a memory image and disk image from the M57-Patents case (NIST CFReDS dataset), it:
Runs memory forensics — process enumeration, malfind injection detection, network connections, registry persistence, Windows Event Log extraction via Volatility 3.
Runs disk forensics — MFT timeline analysis, email artifact extraction via get_thunderbird_messages, browser history reconstruction via get_firefox_history, document staging detection via get_document_staging_activity.
Evaluates competing theories — simultaneously scores "Insider Threat / Corporate Espionage" vs "Authorized Business Research" vs "Accidental Activity" using evidence weights.
Self-corrects across 3 iterations — demotes tools that return zero results, promotes findings that get multi-domain corroboration, applies disconfirmation searches to challenge its own conclusions.
Produces a verdict — Insider Threat / Corporate Espionage at 99% confidence, with full audit trail and benchmark scores.
Benchmark results against the M57 ground truth:
Disk-Layer Precision: 1.0 (zero false positives on confirmed findings)
Disk-Layer Recall: 0.8 (8 of 10 ground truth items found)
Disk-Layer F1: 0.8889
Hallucination Rate: 0.0
Total tool calls: 33
Self-corrections applied: 45
Investigation runtime: ~6 minutes
How I built it
The foundation is a custom Model Context Protocol server with 20 read-only, typed forensic tools. Every tool returns a Pydantic-validated DFIREvidence object with SHA256 integrity verification and ForensicCache deduplication.
The write-block is architectural, not prompt-based — the MCP server has no write, delete, or shell-execution tools. The agent physically cannot destroy evidence, modify files, or execute arbitrary commands through the forensic layer. This is Guardrail Layer 1.
OpenClaw operates under a SOUL.md persona file that restricts behavioral scope — the agent is instructed to act only as a forensic investigator and not execute arbitrary system commands or deviate from the investigation protocol. Claude Code similarly operates under CLAUDE.md which defines Protocol SIFT investigation boundaries.
Layer 2 — Prompt-Based Guardrails: SOUL.md and CLAUDE.md
These are prompt-based guardrails — they rely on the model following instructions, making them "soft" constraints. The distinction from Layer 1 matters:
Layer 1 (MCP Server — Architectural): The write-block is structural. No write, delete, or shell-execution tools exist in the MCP server. The agent physically cannot modify evidence regardless of instructions.
Layer 2 (SOUL.md / CLAUDE.md — Prompt-based): Behavioral policy restricts the agent's operational scope. Effective under normal operation but relies on model compliance — a motivated adversarial prompt could theoretically bypass it.
MCP tools include:
get_process_list, get_network_connections, get_registry_run_keys, get_malfind, get_evtx_events, get_dll_list (memory layer)
get_mft_timeline, get_thunderbird_messages, get_firefox_history, get_document_staging_activity, get_lnk_artifacts (disk layer)
start_investigation, get_investigation_status, get_investigation_results (orchestration layer)
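The architectural write-block described above, as an added sketch that is not the project's code: a dispatcher whose only reachable capabilities are registered read-only tools, each result sealed with a SHA256 digest and deduplicated by a cache. It uses a stdlib dataclass in place of Pydantic and fastmcp; the `Evidence` and `ReadOnlyToolServer` names, the sample rows and the paths are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class Evidence:
    """Stand-in for the page's DFIREvidence (stdlib dataclass, not Pydantic)."""
    tool: str
    payload: str   # canonical JSON of the tool's records
    sha256: str    # digest of payload, taken when the tool returned

    def verify(self) -> bool:
        return hashlib.sha256(self.payload.encode()).hexdigest() == self.sha256

class ReadOnlyToolServer:
    """Dispatcher whose only capabilities are the registered read-only tools."""
    def __init__(self):
        self._tools = {}
        self._cache = {}   # (tool, args) -> Evidence, so repeat calls are deduplicated

    def tool(self, fn):
        self._tools[fn.__name__] = fn
        return fn

    def call(self, name, **args):
        if name not in self._tools:   # no write/delete/shell tool exists to reach
            raise LookupError(f"unknown tool: {name}")
        key = (name, json.dumps(args, sort_keys=True))
        if key not in self._cache:
            payload = json.dumps(self._tools[name](**args), sort_keys=True)
            digest = hashlib.sha256(payload.encode()).hexdigest()
            self._cache[key] = Evidence(name, payload, digest)
        return self._cache[key]

server = ReadOnlyToolServer()

@server.tool
def get_process_list(image: str):
    # Constructed sample rows; a real tool would parse Volatility 3 output.
    return [{"pid": 4, "name": "System"}, {"pid": 612, "name": "winlogon.exe"}]

def demo():
    ev = server.call("get_process_list", image="constructed.mem")
    again = server.call("get_process_list", image="constructed.mem")
    try:
        server.call("delete_file", path="/constructed/disk.img")
        blocked = False
    except LookupError:
        blocked = True
    tampered = Evidence(ev.tool, ev.payload.replace("winlogon", "svchost"), ev.sha256)
    return ev.verify(), again is ev, blocked, tampered.verify()
```

The refusal comes from the absence of a handler, not from a policy check, so no instruction given to the model changes the outcome.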
Layer 2 — Agentic Orchestrator
The orchestrator runs a 3-iteration self-correction loop:
Iteration 1: Memory forensics — enumerate volatile artifacts, form initial hypotheses
Iteration 2: Disk forensics — correlate memory findings with physical disk artifacts
Iteration 3: Cross-correlation and theory finalization — re-run high-value tools, apply disconfirmation searches, promote confirmed findings
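An added sketch, not the project's code, of the tool-demotion part of this loop, using the rule stated under Challenges (a tool is degraded after 2 consecutive zero-result runs and the agent routes to an alternative). The `FailureTracker` class and the fallback map are hypothetical; the state round-trips through JSON to stand in for persistence across runs.

```python
import json

DEGRADE_AFTER = 2  # consecutive zero-result runs, the threshold given on the page

class FailureTracker:
    def __init__(self, fallbacks, state=None):
        self.fallbacks = fallbacks            # tool -> ordered alternatives (hypothetical)
        self.zero_streak = dict(state or {})  # tool -> current run of zero-result calls

    def record(self, tool, result_count):
        if result_count > 0:
            self.zero_streak[tool] = 0        # any hit resets the streak
        else:
            self.zero_streak[tool] = self.zero_streak.get(tool, 0) + 1

    def degraded(self, tool):
        return self.zero_streak.get(tool, 0) >= DEGRADE_AFTER

    def route(self, tool):
        """Return the tool itself, else the first non-degraded alternative, else None."""
        seen, queue = set(), [tool]
        while queue:
            current = queue.pop(0)
            if current in seen:               # guard against cycles in the fallback map
                continue
            seen.add(current)
            if not self.degraded(current):
                return current
            queue.extend(self.fallbacks.get(current, []))
        return None

    def dump(self):
        return json.dumps(self.zero_streak, sort_keys=True)

# Hypothetical routing between tools named on the page.
FALLBACKS = {"get_lnk_artifacts": ["get_mft_timeline"],
             "get_mft_timeline": ["get_document_staging_activity"]}

def demo():
    ft = FailureTracker(FALLBACKS)
    ft.record("get_lnk_artifacts", 0)
    after_one = ft.route("get_lnk_artifacts")   # one miss is not enough to demote
    ft.record("get_lnk_artifacts", 0)
    after_two = ft.route("get_lnk_artifacts")   # second consecutive miss: rerouted
    for count in (0, 3, 0):                     # misses that are not consecutive
        ft.record("get_malfind", count)
    restored = FailureTracker(FALLBACKS, json.loads(ft.dump()))
    return after_one, after_two, ft.degraded("get_malfind"), restored.route("get_lnk_artifacts")
```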
At each iteration, the Competing Case Theory Engine re-scores all active theories based on cumulative evidence. A finding is only promoted to CONFIRMED status after corroboration across multiple tool calls and evidence domains.
Dual-Score Methodology
It reports two scores transparently:
Disk-Layer Score (primary): Evaluates 8 disk findings against the 10-item M57 ground truth. Precision 1.0, zero false positives.
Full-Finding Score (supplementary): Evaluates all 19 findings including memory injection artifacts. These are real findings but have no ground truth entry because the M57 benchmark covers disk artifacts only. Reporting both scores is the honest approach.
Demo Interface
OpenClaw connects to SIFT-AEGIS via the MCP server. A single natural language command — "run full investigation" — triggers the full autonomous pipeline.
Challenges I ran into
Volatility 3 output noise: Raw Volatility output contains non-JSON stderr, progress bars, and plugin warnings that corrupted MCP tool responses. Fixed with a stdio wrapper that filters non-JSON lines before passing results to the orchestrator.
Ground truth scope mismatch: The M57 ground truth covers disk artifacts only. Memory injection findings (csrss.exe, winlogon.exe) are real but score as false positives against the ground truth. Solved with dual-score methodology that reports both metrics honestly and documents the reasoning.
Self-correction memoization: Early iterations re-ran the same failing tools repeatedly. Fixed with a persistent failure tracker that marks tools as degraded after 2 consecutive zero-result runs and routes to alternative evidence paths.
MCP server on SIFT Workstation: The SIFT Workstation environment required platform-specific binary paths for Volatility 3 and careful import fixes for the MCP server to run cleanly.
Autonomous polling: Getting the agent to monitor a long-running investigation autonomously required careful tool return message design — each status response instructs the model on the exact next action.
Solo development under time pressure: SIFT-AEGIS was built solo in approximately 4 days, which meant prioritizing architectural correctness over coverage breadth. Testing against additional DFIR datasets beyond M57-Patents is planned post-submission.
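The non-JSON line filter from the Volatility 3 output-noise challenge, as an added sketch that is not the project's wrapper. It assumes the tool emits one JSON object per line; the sample output is constructed. Rejected lines are returned with their line numbers rather than dropped, so the audit trail can show what was filtered.

```python
import json

def split_tool_output(raw: str):
    """Split mixed tool output into (records, rejected).

    records:  JSON objects, in order of appearance.
    rejected: (line_number, text) for everything else.
    """
    records, rejected = [], []
    # splitlines() also breaks on '\r', so each progress-bar redraw
    # becomes its own line instead of gluing itself to the next record.
    for number, line in enumerate(raw.splitlines(), 1):
        text = line.strip()
        if not text:
            continue
        try:
            value = json.loads(text)
        except json.JSONDecodeError:
            rejected.append((number, text))   # banner, warning, truncated record
            continue
        # A bare "100" or "null" parses as JSON but is not a tool record.
        if isinstance(value, dict):
            records.append(value)
        else:
            rejected.append((number, text))
    return records, rejected

# Constructed sample: banner, two progress redraws, a warning, a valid record,
# a bare number, a truncated record, and a second valid record.
SAMPLE = (
    "Volatility 3 Framework (constructed banner)\n"
    "Progress:   12.00\t\tScanning layer\r"
    "Progress:  100.00\t\tPDB scanning finished\r"
    "WARNING  constructed plugin warning text\n"
    '{"PID": 4, "ImageFileName": "System"}\n'
    "100\n"
    '{"PID": 612, "ImageFileName": "winlogon.exe"\n'
    '{"PID": 620, "ImageFileName": "csrss.exe"}\n'
)

def demo():
    records, rejected = split_tool_output(SAMPLE)
    return [r["PID"] for r in records], [number for number, _ in rejected]

if __name__ == "__main__":
    print(demo())
```

The truncated record on line 7 is rejected instead of repaired, which keeps a partially written row from reaching the orchestrator as evidence.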
Accomplishments that I'm proud of
Zero false positives on confirmed disk findings — every CONFIRMED finding is backed by real artifact evidence.
Architectural write-block — not a prompt saying "don't delete files" but an MCP server with no write tools by design.
Dual-score transparency — most submissions would hide the full-finding score; I report it and explain the methodology.
Real NIST dataset — not a synthetic scenario but a real forensic case used in professional training.
Disconfirmation searches — the agent actively tries to disprove its own leading theory before finalizing the verdict.
Full audit trail — every tool call, finding, confidence update, and theory change logged in JSONL with timestamps and token usage.
What I learned
MCP servers are a natural fit for forensic tooling — schema enforcement prevents hallucinated tool output better than prompt instructions.
Competing case theory evaluation is more robust than single-hypothesis confirmation bias — the agent genuinely considered "Authorized Business Research" before rejecting it on evidence.
Persistent learning across investigation runs is valuable but needs documentation — what looks like "fewer tool calls" is actually optimized coverage.
Ground truth benchmarking is hard and honesty about its scope is more impressive than inflated numbers.
Building a solo submission in 4 days forces you to make architectural decisions early — the MCP write-block was the right one.
What's next for SIFT-AEGIS
Expand ground truth beyond disk artifacts to include memory and network forensic items.
Test against additional NIST datasets: Nitroba University Harassment, NIST Data Leakage Case, NIST Hacking Case.
Add network forensics layer (PCAP analysis, DNS reconstruction).
Support multiple case types beyond corporate espionage (ransomware, APT intrusion, insider data theft).
Publish the MCP forensics server as a standalone open-source tool for the DFIR community.
Extend OpenClaw skill for real-time collaborative investigation with human analysts.
Built With
- fastmcp
- google-gemini
- jsonl
- m57-patents-dataset
- mitre-attack
- openclaw
- pydantic
- python
- sift-workstation
- volatility-3
