Home
An autonomous DFIR agent that thinks like a senior analyst. Architecture-first, not prompt-first.
This wiki is the long-form companion to the project README. The README is for landing — get a feel for the project in 30 seconds. The wiki is for engineers who want to understand the why, the how, and the parts that don't fit on a single page.
- The Memex bet ⭐ — the bet underneath this whole project — why DFIR reasoning belongs in architecture, not in prompts
- About the name — what DART means and the four-phase scope expansion
- Architecture-first vs prompt-first — the central design claim
- Threat model — what Agentic-DART defends against, and what it does NOT
- dart-mcp — the typed surface — the the typed forensic function surface, schema, bypass tests
- SIFT adapter layer ⭐ NEW — 25 typed wrappers around Volatility 3, MFTECmd, EvtxECmd, PECmd, RECmd, AmcacheParser, YARA, Plaso — Custom MCP Server pattern alignment for FIND EVIL!
- dart-agent — the senior-analyst loop — iteration / hypothesis / confidence
-
dart-corr — cross-artifact correlation — DuckDB joins and
UNRESOLVEDflagging - dart-audit — SHA-256 chained log — tamper-evident audit trail
- dart-playbook — sequencing rules — YAML-driven analyst heuristics
- Running on the SANS SIFT Workstation — install, mount, run
- Running on macOS — lightweight dev mode
- Live mode (real Claude API + MCP stdio) — from Claude Code
- Reproducible accuracy measurement — re-run every dataset
The repository ships 11 cases / 99 ground-truth findings across two layers (8 Layer-1 synthetic, 3 Layer-2 external benchmarks). See the examples/case-studies/ directory for the full library; recommended judge walkthroughs:
- PtH with timestomp pre-existence — headline self-correction walkthrough
- IP-KVM remote-hands insider — the bundled detection example
- case-11 supply-chain → ADCS ESC8 → DCSync → Golden Ticket ⭐ NEW (v0.7.0) — 12 findings reproduced deterministically by 7 MCP functions on bundled evidence; byte-stable expected output locked in the case README
- How to write a new case study
- Phase 1 — Agentic DFIR ⭐ — current focus, ~95% complete. SANS FIND EVIL! 2026 submission — architecturally complete, empirically validated. Closes 2026-06-15.
- Phase 2 — Detection engineering — ~Q3 2026. Sigma synthesis, coverage-gap reasoning, auto-execute YAML playbooks
- Phase 3 — Agentic SOC — ~Q1 2027. Supervised triage, enrichment, response orchestration with human-in-the-loop
- Phase 4 — Broader agentic security — 2027+. Vuln management, compliance, adversary emulation
- Glossary — DFIR + ATT&CK + project-specific terminology
- FAQ — common questions from judges, contributors, and skeptics
- Comparison with adjacent tools — Velociraptor, KAPE, Plaso, Hayabusa
| What you need | Where to look |
|---|---|
| Try it in 30 seconds | README → Quick start |
| Architecture diagram | dart-architecture.png |
| Sample run screenshots | docs/screenshots/ |
| Hackathon submission | SANS FIND EVIL! 2026 — Devpost |
| Full case-study walkthrough | docs/case-pth-timestomp.md |
| Source code | github.com/Juwon1405/agentic-dart |
The README has to be readable in two minutes. That means it can't go deep on:
- the threat model (what attacks are in scope, what aren't)
- the decision log (why the MCP surface is the fixed shape it is, and how it expands additively without weakening the boundary)
- the comparison with other DFIR tools
- the per-component design notes that engineers actually need to extend the project
This wiki is where that long-form writing lives.
Wiki maintained alongside the main repo. Same MIT license.