What This Is
The DFIR Orchestrator is an autonomous multi-agent digital forensics and incident response system built on Hermes Agent and the SANS SIFT Workstation. It uses a custom MCP (Model Context Protocol) server to architecturally enforce evidence integrity while allowing an AI agent to autonomously triage evidence, spawn specialist agents, generate timelines, scan for IOCs, and produce court-ready reports — all without human intervention.
Key Innovation: Architectural Evidence Integrity
The agent physically cannot modify your evidence because the MCP server doesn't expose destructive operations. There is no mount_readwrite() function. There is no dd_write() function. The command validator uses regex patterns to block destructive flags (dd of=, mount -w, rm /evidence). This is code, not prompt engineering — it remains safe even when the model is adversarial.
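An added illustration of the validator pattern described above (example code, not the project's own MCP server): a read-only tool allow-list combined with regex deny patterns for the three cases the page names. The tool names, the extra deny patterns and the shell-metacharacter check are assumptions added here.

```python
import re
import shlex

# Constructed allow-list of read-only forensic tools. Assumption: the real
# server's tool surface is not shown on the page; these names are illustrative.
READ_ONLY_TOOLS = {
    "ls", "cat", "sha256sum", "strings", "file",
    "mmls", "fls", "icat", "log2timeline.py", "yara",
}

# Regex deny-list mirroring the page's examples (dd of=, mount -w, rm /evidence).
# The last entries are assumptions: shell control operators are refused so a
# chained or redirected second command cannot slip past the per-tool allow-list.
DENY_PATTERNS = [
    re.compile(r"\bdd\b.*\bof="),                     # dd ... of=<target>
    re.compile(r"\bmount\b.*(\s-w\b|\brw\b)"),        # mount -w / mount -o rw
    re.compile(r"\brm\b.*\s/evidence\b"),             # rm ... /evidence
    re.compile(r"\b(shred|mkfs|wipefs)\b"),           # other wipe/format tools
    re.compile(r"[;&|`$<>]"),                         # chaining / redirection
]


def validate_command(command: str) -> tuple[bool, str]:
    """Return (allowed, reason). Deny patterns run first, then the allow-list."""
    for pat in DENY_PATTERNS:
        if pat.search(command):
            return False, f"blocked by pattern {pat.pattern!r}"
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        return False, f"unparseable command: {exc}"
    if not argv:
        return False, "empty command"
    # The allow-list is keyed on the program name, so `sudo mount` fails here
    # even though its flags are read-only.
    if argv[0] not in READ_ONLY_TOOLS:
        return False, f"tool {argv[0]!r} is not in the read-only allow-list"
    return True, "ok"
```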
Mandatory Capabilities Demonstrated
Self-Correction: The triage agent validates its own output for logical consistency, detects gaps (missing OS profile, timezone mismatches, unknown evidence types), and autonomously re-runs with adjusted parameters. Execution logs show before/after correction traces.
Accuracy Validation: Every finding in the final report cites its source artifact. 53 of 55 claims have artifact-level support. 2 findings are explicitly flagged as inferred. Zero hallucinated claims. See ACCURACY_REPORT.md.
Analytical Reasoning: Output is a structured investigative narrative — not raw tool output dumps. The reporter agent produces chronological attack reconstruction with cross-referenced evidence from disk, registry, memory, EVTX, browser history, and YARA scans.
Solved Demo Case: ROCBA (Stark Research Labs IP Theft)
The agent autonomously solved the ROCBA case — identifying that employee fredr exfiltrated proprietary Stark Research Labs documents via Google Drive, confirming lateral movement through RDP sessions, and producing a complete attack timeline with 25+ corroborated findings.
Supporting Documents
- Architecture: ARCHITECTURE.md
- Accuracy Report: ACCURACY_REPORT.md
- Execution Logs: ROCBA-execution-log.md
- Solved Case Report: FINAL_REPORT.md
- Agent Skills Library: skills/dfir/