SIFT Sentinel AI

Inspiration

One of the biggest challenges in AI-assisted cybersecurity is hallucination. Many AI systems generate convincing incident reports but often draw conclusions that are not directly supported by evidence. In real-world incident response, unsupported assumptions can lead to wasted investigation time and incorrect security decisions.

We wanted to build a system that helps analysts trust AI-generated investigations by ensuring findings remain linked to actual evidence. This inspired us to create SIFT Sentinel AI, an evidence-driven cyber investigation assistant that combines AI analysis with automatic validation.

What it does

SIFT Sentinel AI analyzes uploaded security logs and assists analysts during incident investigations.

The platform:

  • Extracts suspicious indicators from logs
  • Creates a traceable evidence trail
  • Generates investigation timelines
  • Produces AI-powered incident reports
  • Validates AI conclusions against available evidence
  • Detects unsupported claims and potential hallucinations
  • Provides investigation confidence scoring

Unlike traditional AI assistants, the system does not blindly trust AI output. Every report is checked by a validation engine that identifies conclusions that cannot be directly supported by the uploaded evidence.

How we built it

The project was built using:

  • Python
  • Streamlit
  • Ollama
  • Gemma 3 1B local language model

The workflow consists of several stages:

  1. Log ingestion
  2. Evidence extraction
  3. Timeline generation
  4. AI investigation report generation
  5. Validation of findings
  6. Confidence scoring
  7. Dashboard presentation

The AI model runs locally through Ollama, allowing the system to operate without paid cloud AI services.
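A minimal version of the evidence-linked validation that the "What it does" section and the workflow stages above describe (evidence extraction, validation of findings, confidence scoring), written as an added example for this page and not code from the SIFT Sentinel AI project. The log lines, evidence IDs, report claims and the keyword list for "strong" conclusions are all constructed here.

```python
import re

# Constructed sample log lines (not from the project); each becomes one evidence record.
LOG_LINES = [
    "2024-03-01T10:02:11 sshd[1182]: Failed password for root from 203.0.113.45 port 51022 ssh2",
    "2024-03-01T10:02:14 sshd[1182]: Failed password for root from 203.0.113.45 port 51030 ssh2",
    "2024-03-01T10:03:40 sshd[1190]: Accepted password for deploy from 198.51.100.7 port 40110 ssh2",
]
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Conclusions that must be backed by cited evidence, never assumed by the model (constructed list).
STRONG_CLAIMS = ("malware", "compromise", "phishing", "command and control")

def extract_evidence(lines):
    """Build the evidence trail: {evidence_id: {"line": ..., "ips": set()}}."""
    return {f"E{i}": {"line": ln, "ips": set(IP_RE.findall(ln))}
            for i, ln in enumerate(lines, 1)}

def validate_report(claims, evidence):
    """Each claim is {"text": str, "cites": [evidence ids]}. It is supported only if
    every cited ID exists, every IP it names occurs in the cited lines, and any
    strong conclusion is backed by at least one cited record."""
    results = []
    for c in claims:
        cited = [evidence[e] for e in c["cites"] if e in evidence]
        named_ips = set(IP_RE.findall(c["text"]))
        seen_ips = set().union(*(e["ips"] for e in cited))
        reasons = []
        if len(cited) != len(c["cites"]):
            reasons.append("cites unknown evidence id")
        if named_ips - seen_ips:
            reasons.append(f"IOC not in cited evidence: {sorted(named_ips - seen_ips)}")
        if not cited and any(k in c["text"].lower() for k in STRONG_CLAIMS):
            reasons.append("strong conclusion with no cited evidence")
        results.append({"text": c["text"], "supported": not reasons, "reasons": reasons})
    return results

def confidence_score(results):
    """Share of claims that survived validation (0.0 when there are none)."""
    return round(sum(r["supported"] for r in results) / len(results), 2) if results else 0.0

def run_example():
    # Constructed stand-in for an AI-generated report: claim 2 names an IP no log
    # line contains and asserts malware without a citation, so it must be flagged.
    claims = [
        {"text": "Repeated failed root logins from 203.0.113.45 indicate brute forcing.", "cites": ["E1", "E2"]},
        {"text": "The host is infected with malware beaconing to 192.0.2.99.", "cites": []},
        {"text": "deploy logged in successfully from 198.51.100.7.", "cites": ["E3"]},
    ]
    results = validate_report(claims, extract_evidence(LOG_LINES))
    return results, confidence_score(results)
```

Running `run_example()` marks the first and third claims as supported and the second as unsupported for two reasons, giving a confidence score of 0.67.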

Challenges we ran into

One of the biggest challenges was controlling AI hallucinations. Even when given limited evidence, language models frequently asserted malware infections, system compromise, phishing attacks, or malicious infrastructure without sufficient proof.

Another challenge was balancing speed and accuracy while running entirely on consumer hardware. We optimized the system to work with lightweight local models while still producing useful investigation reports.

Designing a user interface that clearly separated evidence, timelines, AI conclusions, and validation results was also an important challenge.

Accomplishments that we're proud of

  • Built a complete AI-powered investigation workflow
  • Implemented evidence traceability
  • Added automated hallucination detection
  • Created a validator that challenges unsupported AI conclusions
  • Developed a confidence scoring mechanism
  • Achieved fully local AI execution without paid APIs

What we learned

Through this project we learned that trustworthy AI is not only about generating answers but also about validating them. In cybersecurity, transparency and traceability are critical. We discovered that combining AI generation with automated validation creates a much more reliable investigation process than relying on AI output alone.

What's next for SIFT Sentinel AI

Future versions may include:

  • Threat intelligence integration
  • IOC enrichment
  • PDF investigation reports
  • Memory and disk forensic support
  • Network packet analysis
  • Multi-agent investigation workflows
  • Integration with SANS SIFT and MCP-enabled forensic tools

SIFT Sentinel AI demonstrates how AI can assist incident responders while maintaining transparency, accountability, and evidence-driven reasoning.

Built With

  • analysis
  • artificial
  • cybersecurity
  • digital
  • forensics
  • gemma
  • incident
  • intelligence
  • language
  • learning
  • log
  • machine
  • natural
  • ollama
  • processing
  • python
  • response
  • streamlit