Running on SIFT

Running on the SANS SIFT Workstation

5-minute setup guide for getting dart-agent running on a SIFT VM.

---

Why SIFT is the primary target

SANS SIFT Workstation v22.04 is the de-facto open-source DFIR distribution, used by every SANS FOR-class student and most working analysts. It ships with:

• The forensic toolchain Agentic-DART expects (Volatility, Plaso, Eric Zimmerman tools, hindsight)
• Mounted-evidence conventions (/mnt/case-evidence, read-only by default)
• Python 3.10+

The hackathon submission is primarily validated on SIFT v22.04. Other Linux distros work; this is just the most reproducible path.

---

Step 1 — Get SIFT

If you don't have it: https://www.sans.org/tools/sift-workstation/ — free, ~10 GB VM image. VMware, VirtualBox, and Parallels images all work.

Default user: sansforensics (SIFT) — we'll create / use analyst for Agentic-DART so the prompt matches the documentation:

sudo adduser analyst
sudo usermod -aG sudo analyst
su - analyst

(Or just stay as sansforensics. The docs reference analyst@siftworkstation for visual consistency, not as a hard requirement.)

---

Step 2 — Install Agentic-DART

cd ~
git clone https://github.com/Juwon1405/agentic-dart.git
cd agentic-dart
bash scripts/install.sh

install.sh pip-installs the three Python packages in editable mode. No virtualenv is required, but creating one is good hygiene on shared SIFT VMs:

python3 -m venv .venv
source .venv/bin/activate
bash scripts/install.sh

Verify:

python3 -c "from dart_mcp import list_tools; print(len(list_tools()))"
# → 35

---

Step 3 — Run the bundled demo

bash examples/demo-run.sh

Expected output:

[dart-agent] iterations: 5
[dart-agent] findings: 2
[dart-agent] audit chain: chain verified, tail=1e995b6afc6a6660...
[demo] PASS — "ToolNotFound: 'execute_shell' is not exposed by dart-mcp"

---

Step 4 — Run the full test suite

export PYTHONPATH="$PWD/dart_audit/src:$PWD/dart_mcp/src:$PWD/dart_agent/src"
export DART_EVIDENCE_ROOT="$PWD/examples/sample-evidence"

for t in tests/test_audit_chain.py tests/test_mcp_surface.py tests/test_mcp_bypass.py tests/test_agent_self_correction.py tests/test_live_mcp.py; do
    python3 "$t"
done

All 17 assertions should print OK.

---

Step 5 — Run against your own SIFT case

Mount your evidence read-only (the operator workflow):

sudo mkdir -p /mnt/case-evidence
sudo mount -o ro,loop /path/to/case.dd /mnt/case-evidence

export DART_EVIDENCE_ROOT=/mnt/case-evidence
python3 -m dart_agent --case YOUR-CASE-ID --max-iterations 25

Or for an extracted directory:

sudo mount --bind -o ro /path/to/extracted /mnt/case-evidence

Verify the read-only:

touch /mnt/case-evidence/test 2>&1
# Should fail with: "Read-only file system"

If the touch succeeds, the architectural guarantee does not hold for this run — fix the mount before proceeding.

---

Step 6 — Look at what came out

reports/<case>.md           Final hypothesis + MITRE chain + citations
audit/<case>.jsonl          SHA-256 chained step-by-step trace
dart-corr/<case>.duckdb     Correlation database for post-hoc queries

Verify the audit chain:

python3 -m dart_audit verify audit/<case>.jsonl
# → chain verified: 47 entries, tail=4f7a9c1b3e8d2046...

Trace a finding back to evidence:

python3 -m dart_audit trace audit/<case>.jsonl F-013

---

Common SIFT-specific gotchas

Symptom	Fix
ImportError: dart_mcp	export PYTHONPATH="$PWD/dart_audit/src:$PWD/dart_mcp/src:$PWD/dart_agent/src"
Slow MFT correlation	SIFT VMs default to 4 GB RAM. Bump to 8 GB for >2M-row MFTs.
EvidenceRootEscape error	One of your tool args has a .. or absolute path. Check the call inputs.
Verify says mismatch	Audit log was edited. Re-run; never edit audit.jsonl by hand.

---

See also

• Operator guide — distro-agnostic version of this guide
• Running on macOS — for analysts on M-series Macs
• Architecture deep dive