Detect NTFS timestomping safely for automated forensic triage without modifying evidence.
The materials indicate an open-source, no-secret, no-declared-endpoint read-only forensic MCP tool with no obvious high-risk red flags. Since it does execute locally and has sparse documentation with low community adoption, it should be used in a constrained environment and verified before deployment.
The materials explicitly state that no keys or environment variables are required, and there is no request for API tokens, account passwords, or other sensitive credentials, so credential exposure and abuse risk appears low.
The materials declare no remote endpoints, and the README does not show any external service connections or data uploads; based on available information, there is no clear data egress path. However, due to sparse documentation, runtime network behavior should still be verified during deployment.
The objective checks indicate that the tool executes code; this is a normal MCP capability and warrants caution by default. The materials describe it as a read-only detection tool and do not show obviously excessive system privileges relative to its function, but it still requires running third-party code locally.
Its stated function is NTFS timestamp forensic detection, which typically requires reading local filesystem metadata or related evidence data; this is broadly consistent with its purpose. The materials emphasize 'read-only' and 'no evidence modification,' with no explicit signs of write access or overbroad authorization, but README and permission-boundary details are lacking.
Positive factors include a public GitHub repository, open-source code, and an MIT license, all of which improve auditability. Points of caution are that it comes from a third-party registry, has 0 stars, unknown maintenance status, and missing documentation, which reduce verifiability and maturity, leaving supply-chain confidence moderate.
Copy the install command and let the AI configure it · recommended for beginners
No copy-paste install info for "sift-mcp" yet — see the docs or source repo.
Use sift-mcp to perform a read-only inspection of NTFS metadata on a target Windows disk, identify possible timestomping indicators, and summarize results by file path, anomaly type, and risk level.
A risk-ranked list of suspicious files with explanations of each timestamp anomaly.
Run an automated triage on the current evidence image with sift-mcp using read-only analysis only, find files with potentially altered timestamps, and generate a summary report for analyst review.
A forensic triage report with key findings, priority files, and recommended follow-up checks.
Explain how sift-mcp ensures read-only access when detecting NTFS timestomping, and list the checks it can perform without modifying evidence.
An explanation of the read-only safeguards and a list of safely supported detection checks.
Perform read-only disk image triage with self-verifying, tamper-resistant forensic analysis.
Turn AI into an autonomous DFIR analyst on SANS SIFT.
Use Sift for real-time fraud scoring, decisions, and event ingestion.
Analyze disk images with AI through MCP for fast forensic investigation.
Wrap SANS SIFT forensic tools for structured incident response and threat analysis.
Analyze PCAPs offline to extract streams, detect threats, and find leaked credentials.