What it does SIFT-AutoIR closes the "8-minute gap" where AI attackers beat human responders. Built for FIND EVIL, it ingests disk images on SIFT Workstation, sequences forensic tools like a senior analyst, and self-corrects when findings don't add up. If timeline artifacts conflict, it re-runs with adjusted parameters instead of hallucinating.
How we built it Architecture: Direct Agent Extension on Protocol SIFT via MCP. Exposed SIFT tools as typed, read-only MCP functions. Stack: SIFT Workstation + Protocol SIFT + MCP + Claude Code + Claude 3.5 Sonnet. Key decision: Trade breadth for depth. Focused on disk triage + self-consistency validation vs shallow multi-source parsing. Architectural guardrails beat prompt-only guardrails.
Challenges we hit
- LLM hallucinations on timestamps → Added self-consistency validation module
- Evidence integrity risk → MCP server exposes read-only functions only, original evidence mounted RO
- Traceability requirement → Every finding maps to timestamped tool execution in logs
What we learned "Honesty valued over perfection". Documented false positives score higher than hidden ones. Prompt guardrails fail when models ignore them.
What's next
- Multi-source correlation: disk vs memory discrepancy detection
- Persistent learning loop: agent logs failures to improve across cases
Built With
- claude
- gpt4
- swift
- workstation
Log in or sign up for Devpost to join the conversation.