AI Forensic Triage (AIFT) V2.0 - MCP, CLI and API are here and much broader artifact support

@FlipForensics FlipForensics released this 13 Jun 14:41

AIFT 2.0

Short version: 2.0 is the release where AIFT stops being just a web app. Same engine, but now you can drive it from the terminal, a REST API, or an AI client — and a lot got broader, safer, and harder to trip over along the way. Even if you don't care for the AI stuff, you can still use it as an MCP server for Dissect.

Here's what's new since 1.x.

Headless triage: CLI, REST, and MCP — new

Three new ways to run AIFT without the browser: the aift_cli.py CLI, the /api/automation/ REST API, and a local MCP server (aift_mcp.py). They all share the same parse → analyze → report → audit pipeline as the GUI, and bring evidence discovery, profiles, AI date filtering, cancellation, status polling, report retrieval, JSON resources, and case-local outputs. Script a batch run, wire it into lab tooling, or let an AI assistant find the evidence, kick off a run, watch it, and pull the report.

Multi-machine cases — new

Put a workstation, a server, and a DC in one case — Windows and Linux together, each parsed and analyzed on its own. Then AIFT correlates across them: lateral movement, shared IOCs, who's probably patient zero, and a single timeline for the whole incident.

Wider artifact coverage — expanded

Up to 60 Windows and 44 Linux artifacts, and AIFT now only offers the ones it can actually parse on a given image. New built-in profiles ("recommended" and "all"), Advanced artifact groups, and parse-only defaults for the big or sensitive artifacts — set them once, reuse them across GUI, CLI, API, and MCP. The recommended profile is now a lean, high-signal core (17 Windows + 35 Linux artifacts) tuned for fast, cheap triage — and whenever you use it, AIFT shows a coverage advisory reminding you to add whatever else your case needs.

Safer, more flexible evidence intake — improved

  • Local-path mode for huge evidence and Scan Directory to find supported targets inside a folder, on top of the usual upload.
  • New support for split images (including lettered EWF segments past .E99), KAPE/Velociraptor/UAC folders, and ZIP/7z/TAR archives — all extracted with strict path, symlink, collision, and size guards.
  • Failed evidence replacements now roll back instead of taking your original down with them.
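The path, symlink, collision, and size guards described above, as an added example that is not AIFT's own code: a Python ZIP extractor that refuses entries escaping the destination, symlink entries, overwrites of files already in the case folder, and archives whose real decompressed size exceeds a budget, run over constructed fixtures. The function and fixture names, the 64 MiB budget, and the KAPE-style entry path are assumptions for this example.

```python
import stat
import tempfile
import zipfile
from pathlib import Path

class UnsafeArchive(ValueError):
    """Raised when the path, symlink, collision or size guard trips."""

def safe_extract_zip(archive, dest_dir, max_total_bytes=64 * 1024 * 1024):
    """Extract a ZIP under dest_dir, refusing unsafe entries; returns the extracted relative paths."""
    dest = Path(dest_dir).resolve()
    dest.mkdir(parents=True, exist_ok=True)
    extracted, total = [], 0
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            target = (dest / info.filename).resolve()  # collapses ".." and follows symlinked parents
            if Path(info.filename).is_absolute() or (target != dest and dest not in target.parents):
                raise UnsafeArchive(f"path escapes destination: {info.filename}")  # path guard
            if stat.S_ISLNK(info.external_attr >> 16):  # UNIX mode lives in the high 16 bits
                raise UnsafeArchive(f"symlink entry refused: {info.filename}")  # symlink guard
            if info.is_dir():
                continue  # parent directories are created on demand below
            if target.exists():
                raise UnsafeArchive(f"collision with existing file: {info.filename}")  # collision guard
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                for chunk in iter(lambda: src.read(65536), b""):
                    total += len(chunk)  # size guard counts real bytes, not the header's claim
                    if total > max_total_bytes:
                        raise UnsafeArchive(f"size budget exceeded: {info.filename}")
                    dst.write(chunk)
            extracted.append(target.relative_to(dest).as_posix())
    return extracted

def demo():
    out = {}  # archive name -> extracted paths, or the message of the guard that refused it
    with tempfile.TemporaryDirectory() as tmp:
        tmp, link = Path(tmp), zipfile.ZipInfo("triage/link")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # flag the entry as a symlink
        fixtures = (("good.zip", "triage/C/Windows/System32/config/SYSTEM", b"hive bytes"),
                    ("slip.zip", "../outside.txt", b"escaped"),
                    ("link.zip", link, "../outside"))
        for fname, entry, data in fixtures:  # constructed fixtures, written then extracted
            with zipfile.ZipFile(tmp / fname, "w") as zf:
                zf.writestr(entry, data)
            try:
                out[fname] = safe_extract_zip(tmp / fname, tmp / "case")
            except UnsafeArchive as exc:
                out[fname] = str(exc)
    return out
```

Note that the size guard counts bytes as they are written rather than trusting the header's file_size, so a deflate bomb with an honest-looking central directory is still stopped at the budget.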

Analysis that keeps your data — improved

  • Every row goes to the AI by default. Anything trimmed — date filter, dedup, column projection, row cap — gets logged in the metadata, the report, and the audit trail. No silent sampling.
  • Oversized artifacts are now split token-aware on row boundaries and merged, so the AI still sees every row instead of a sample.
  • Live streaming progress now works on every provider (Claude, OpenAI, Kimi, local), and you can cancel mid-stream.
  • Reports now ship as HTML and a machine-readable JSON export.

Smaller fixes & polish

Cancellation, SSE ownership, image-scoped chat context, zero-record parses, case-local report paths after export-copy failures, custom config paths, and default AI model settings — all tightened up.

Everything that made AIFT trustworthy in 1.x still holds: evidence stays read-only, hashes are computed on intake and re-verified before the report, and every action lands in the audit trail. None of that changed — 2.0 just gives you more ways to get there.

Bottom line: 2.0 gets you oriented fast, then gets out of the way. Everything it finds is a lead to check, not a verdict.