kostasuser01gr/FindEvil-CyberSecurity

GitHub: kostasuser01gr/FindEvil-CyberSecurity


# EvidenceGuard SIFT — Autonomous DFIR Triage

[![CI](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/15585955e3210600.svg)](https://github.com/kostasuser01gr/FindEvil-CyberSecurity/actions/workflows/ci.yml) [![Hackathon](https://img.shields.io/badge/🏆-Hackathon_Submission-gold)](#) [![Benchmark](https://img.shields.io/badge/Synthetic_Accuracy-100%2F100-brightgreen)](#) [![Python](https://img.shields.io/badge/Python-3.11+-blue)](https://python.org) [![MCP](https://img.shields.io/badge/Protocol-MCP-purple)](#) [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)

Built for the **SANS SIFT Workstation** environment — designed around the principle that AI in forensics must be **read-only, auditable, and overclaim-resistant**.

## The Problem: The 8-Minute Breakout

Modern ransomware operators move laterally within minutes. Human responders spend those critical minutes setting up tools and looking up command flags — not triaging. When LLMs are applied to DFIR without guardrails, they overclaim findings (speculative labels with no corroborating evidence) or worse, risk modifying the evidence under analysis.

## The Solution

EvidenceGuard SIFT automates initial triage with strict safety constraints:

1. **Read-Only Enforcement** — Path sandboxing at the MCP server layer. No generic shell access — only structured, allowlisted forensic functions.
2. **Custom MCP Server** — `evidenceguard-mcp` exposes typed triage tools compatible with Claude Code and any MCP-capable agent.
3. **Evidence Graph** — Findings are only marked `CONFIRMED` when supported by **two independent artifact correlations**. Single-source findings are labeled `INFERENCE`.
4. **Cryptographic Audit Trail** — Every tool call is logged with timestamp, iteration number, SHA-256 output hash, and token usage.
5. **Deterministic Reference Runner** — `evidenceguard run` demonstrates the full autonomous sequence: plan → tool execution → correlation → self-correction → integrity validation. Fully reproducible.
6. **Accuracy Benchmark** — Built-in regression harness tests against synthetic ground truth and penalizes speculative overclaiming.

## Architecture

```
     Agent / Reference Runner
                │
                ▼
         MCP Tool Server
┌─────┬──────┬──────────────┐
│     │      │              │
Filesystem  Persistence  User Activity
└─────┴──────┴──────────────┘
                │
       Case Data / Mounts

Evidence Graph Correlator
├── 1 source   → INFERENCE
└── 2+ sources → CONFIRMED

Output Artifacts
├── IR Report (.md)
├── Execution Trace (.jsonl)
└── Accuracy Benchmark
```

## Getting Started

```
git clone https://github.com/kostasuser01gr/FindEvil-CyberSecurity
cd FindEvil-CyberSecurity/evidenceguard-sift
pip install -e ".[dev]"
```

Run the reference triage demo:

```
evidenceguard run
```

Run the accuracy benchmark:

```
evidenceguard benchmark
```

See [`evidenceguard-sift/README.md`](evidenceguard-sift/README.md) for full setup, MCP server configuration, and deployment guide.

## Tech Stack

- **Python 3.11+** with `pip` / `uv` for dependency management
- **MCP (Model Context Protocol)** — custom server exposing forensic tools
- **pytest** + synthetic ground truth benchmark suite
- Compatible with **Claude Code** and any MCP-capable agent

## License

MIT
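
The Evidence Graph rule from "The Solution" (one source → `INFERENCE`, two or more independent sources → `CONFIRMED`) can be sketched as follows. This is an added example, not code from the EvidenceGuard repository: `Observation`, `grade`, `overclaims` and the claim strings are hypothetical names, the source labels are borrowed from the tool groups in the architecture diagram, and treating "independent" as "distinct artifact class" is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    claim: str    # what the hit suggests (hypothetical claim identifier)
    source: str   # artifact class that produced it (assumed unit of independence)
    locator: str  # where in the evidence it was seen


def grade(observations):
    """Map each claim to (label, sorted sources) under the two-source rule."""
    sources = defaultdict(set)
    for obs in observations:
        # Many hits inside one artifact class still count as a single source,
        # so repeated sightings cannot promote a finding on their own.
        sources[obs.claim].add(obs.source.strip().lower())
    return {
        claim: ("CONFIRMED" if len(srcs) >= 2 else "INFERENCE", sorted(srcs))
        for claim, srcs in sources.items()
    }


def overclaims(asserted, observations):
    """Claims an agent labelled CONFIRMED that the evidence does not support."""
    graded = grade(observations)
    return sorted(
        claim
        for claim, label in asserted.items()
        if label == "CONFIRMED"
        and graded.get(claim, ("INFERENCE", []))[0] != "CONFIRMED"
    )


# Constructed sample observations, not taken from a real case.
SAMPLE = [
    Observation("exec:updater.exe", "filesystem", "dropped binary in user profile"),
    Observation("exec:updater.exe", "persistence", "autorun entry named Updater"),
    Observation("exec:svch0st.exe", "user_activity", "recent-items entry 1"),
    Observation("exec:svch0st.exe", "User_Activity", "recent-items entry 2"),
]

if __name__ == "__main__":
    for claim, (label, srcs) in grade(SAMPLE).items():
        print(f"{label:10} {claim}  sources={srcs}")
    agent_report = {"exec:svch0st.exe": "CONFIRMED", "exec:ghost.exe": "CONFIRMED"}
    print("overclaims:", overclaims(agent_report, SAMPLE))
```

A report gate built on `overclaims` can downgrade or reject the listed findings before the IR report is written, including claims for which no observation exists at all.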