Phase 1

Phase 1 — Agentic DFIR (current SANS submission) ⭐

This page is the operator's-eye summary of Phase 1 — what is shipping for SANS FIND EVIL! 2026.

For the full roadmap context (Phases 2 / 3 / 4 too), see Roadmap.

---

In one sentence

Phase 1 is the agentic DFIR layer — the autonomous reasoning loop that takes a single forensic case end-to-end with an architecturally enforced read-only boundary, an audit chain that survives reboot, and a contradiction handler that cannot be smoothed over.

---

What ships in Phase 1

The architectural guarantees (cannot be loosened by any future Phase)

• 35 typed forensic functions on the MCP wire. Anything outside the surface (execute_shell, write_file, mount, eval) raises ToolNotFound regardless of prompt content. Asserted by 6-test bypass suite.
• SHA-256 chained audit log. Every MCP call hashed and chained. Tamper breaks the chain. 50 threads × 20 calls = 1000-entry audit chain verified concurrent-safe (v0.4.1 fix).
• Path sandbox. _safe_resolve rejects ../, null bytes, absolute escapes, paths >1024 chars.
• Contradiction enforcement. dart-corr flags UNRESOLVED between artifacts. Serializer rejects findings that ignore unresolved contradictions.
• Audit-id citation. Every finding cites the audit ID of the call that produced it. Serializer rejects findings without one.

These five guarantees are the load-bearing architecture for all four phases. Phase 2 / 3 / 4 are extensions, not replacements.

The cross-platform forensic surface

OS	Coverage
Windows	EVTX, MFT, AmCache, Prefetch, ShimCache, Shellbags, USB history, Registry, Scheduled Tasks, Kerberos, Windows logons
Linux (v0.4 — 2026-04-30)	auditd, systemd-journal, bash history, /etc/passwd, web access logs, Unix auth logs
macOS (v0.4 — 2026-04-30)	unified log, launchd plists, bash history
Memory + Network	process tree, open sockets, credential signals

11 of 12 MITRE ATT&CK enterprise tactics covered. The 12th — Command and Control — is partial (process-side only; full PCAP-based C2 deferred to Phase 2).

Methodology — three playbook versions

Playbook	Lines	Status
senior-analyst-v1.yaml	128	Quick-demo baseline
senior-analyst-v2.yaml	845	Methodology baseline (Mandiant + Bianco + Diamond + 25 references)
senior-analyst-v3.yaml ⭐	1135	Default. Industrialization release — adds Palantir ADS + MaGMa UCF + TaHiTI hunt cycle + Bianco HMM. 42 references.

See dart-playbook for the deep dive.

Empirical validation

• 20 of 20 tests passing on a fresh clone (Python 3.10 + 3.12 CI matrix)
• 6 dedicated bypass tests asserting ToolNotFound
• Demo run completes in <1 second on SIFT v22.04
• Two reproducible case-study walkthroughs:
  • Case: IP-KVM remote-hands compromise
  • Case: Pass-the-Hash with timestomp

Documentation

• 26-page wiki (this very wiki you are reading)
• The Memex Bet — frames Agentic-DART in the lineage from Vannevar Bush 1945 → Karpathy 2026 → Agentic-DART
• About the name — what DART means and why it expands cleanly
• Threat model — what we defend against and what we explicitly do NOT defend against
• 4-minute SANS demo video (mock-screencast pre-cut shipped; live screencast in flight per #14)

---

What remains for Phase 1 (closing 2026-06-15)

Item	Status	Issue
Live screencast on SANS SIFT v22.04	🟡 In progress	#14
Devpost submission click (T-2 = 2026-06-13)	🟡 Scheduled	#15
Ali Hadi Memory Forensic Challenge #1 accuracy	🟡 In progress	#16
NIST CFReDS Hacking Case re-measure (post T1070.006 tightening)	⏰ TODO	#1, #17
Digital Corpora M57 Patents accuracy	⏰ TODO	#18

After 2026-06-15, Phase 1 is closed. Bug fixes only on main. Architectural changes go to a Phase 2 branch.

---

What Phase 1 explicitly does NOT do

These are intentional omissions, deferred by design — Phase 1 ships a tight, defensible architecture rather than a sprawling feature surface.

Capability	Phase	Why deferred
Live response (kill / quarantine / block)	Phase 3	Read-only Phase 1 cannot grow response without breaking the architectural guarantee. Response gets a separate armed MCP server with a different audit chain and human-in-the-loop confirmation.
Sigma rule synthesis from observed evidence	Phase 2	The dart-synth package is scoped but unimplemented. Tracked in #10.
Cloud DFIR (CloudTrail / GuardDuty)	Phase 2	analyze_aws_cloudtrail is scoped. Tracked in #11.
Volatility-style memory plugin coverage	Phase 2	Memory currently used for process-tree + sockets only. Full memory forensics is a separate engineering project.
Auto-execute YAML playbooks (no Python phase scaffold)	Phase 2	YAML is read by the agent today; execution still goes through hardcoded Python phases. Auto-execution tracked in #34.
Enterprise multi-host orchestration	Phase 3	Phase 1 is single-host offline. Multi-host is a Phase 3 dart-responder concern.

---

Versions shipped during Phase 1

Date	Version	Highlight
2026-04-28	v0.3	Initial 31-function MCP surface, 17 tests passing
2026-04-29	v0.3.1	dart-corr correlation engine GA
2026-04-30	v0.4	Linux + macOS expansion → 35 functions, 20 tests passing
2026-04-30	Playbook v2	845-line methodology release
2026-04-30	v0.4.1	Audit chain race condition fix (threading.Lock())
2026-05-01	Playbook v3 ⭐	Industrialization release — Palantir ADS + MaGMa + TaHiTI + HMM
2026-05-01	Playbook v3.1	Yamato Security external references added (no code import)

---

Where to go next

If you are reading this Phase 1 page and want to understand:

• Why this architecture? → The Memex Bet
• What does the agent actually do? → Architecture deep dive
• How do I run it? → Running on SIFT or Running on macOS
• What case classes does it handle? → dart-playbook
• What does it NOT defend against? → Threat model
• What comes after Phase 1? → Roadmap (Phase 2 / 3 / 4)