Autonomous agent

The read-only MCP server and the self-correcting agent, and the architectural trust boundaries that keep findings honest.

An autonomous layer over a signed engine

The autonomous layer, logflip-sift-agent, is a read-only MCP server and a self-correcting agent built on the logflip engine, which it reuses unmodified. The agent finds NTFS timestomping on a disk image, reasons per candidate, and self-corrects, while the signed, never-false-confirm engine makes hallucinated findings structurally impossible. It is MIT licensed and public.

Detection is the work of the deterministic engine. The model only sequences the verified tools and narrates. Wrapping a tested, signed engine and adding autonomy on top produced a stronger result than asking a model to do the forensics directly.

The read-only surface

The MCP server exposes exactly six typed forensic tools and nothing else: scan_image, detect_record, inspect_mft, inspect_usnjrnl, verify_leaf, and verify_db. Every source is opened read-only.

Architectural, not a prompt

There is no write, delete, or shell tool, so the agent physically cannot modify or spoliate the evidence. The guarantee is architectural, not a prompt the model could ignore. A test asserts the registered surface is exactly those six tools.

Architectural versus prompt boundaries

Every guarantee that protects evidence integrity or finding accuracy is architectural: it survives a misbehaving model. The prompt layer only decides ordering and narration.

  • Architectural (holds regardless of the model): no evidence mutation (read-only surface), no false confirmation (the engine's four-gate invariant plus the demo-key block), a closed result schema that rejects a smuggled verdict, no runaway loop (a max_iterations cap of 24), and tamper-evident leaves.
  • Prompt-layer (does not survive a misbehaving model): which record to look at next, and the tone of the narrative. Both are bounded by the architectural guards above.

A judge can therefore trust the findings without trusting the model. A misbehaving model degrades the narrative quality, never the evidence integrity or the finding accuracy.

The verdict guard

After the loop, the structured finding is re-derived solely from the engine result. A verdict guard raises if a claimed verdict ranks higher than the engine verdict, and rejects a confirmation that is not present in the signed leaf. Model narration can never inflate a verdict. A real, passing test proves it: a model that returns the text CONFIRMED EVIL on every record still yields a provisional finding with evil confirmed false.
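
The guard described above, as an added Python example that is not logflip-sift-agent's own code. The rank order, the dict shapes, the `evil_confirmed` and `claimed_verdict` field names, and the HMAC stand-in for the leaf signature are all assumptions.

```python
import hashlib
import hmac
import json

# Assumed rank order; the page names only "provisional" and "confirmed".
RANK = {"none": 0, "provisional": 1, "confirmed": 2}
KEY = b"constructed-example-key"  # constructed; stands in for the real signing key


class VerdictInflation(Exception):
    """A claim outranks what the engine and its signed leaf support."""


def sign_leaf(leaf: dict, key: bytes = KEY) -> str:
    # HMAC-SHA256 is a stand-in; the page does not name the signature scheme.
    body = json.dumps(leaf, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def finalize(engine: dict, model: dict, key: bytes = KEY) -> dict:
    """Re-derive the finding from the engine result only (hypothetical shapes)."""
    verdict = engine["verdict"]
    claimed = model.get("claimed_verdict", verdict)
    if verdict not in RANK or claimed not in RANK:
        raise ValueError("verdict outside the closed schema")
    if RANK[claimed] > RANK[verdict]:
        raise VerdictInflation(f"claimed {claimed!r} outranks engine {verdict!r}")
    if verdict == "confirmed":
        leaf, sig = engine["leaf"], engine["sig"]
        sig_ok = hmac.compare_digest(sig, sign_leaf(leaf, key))
        if not sig_ok or leaf.get("verdict") != "confirmed":
            raise VerdictInflation("confirmation not present in the signed leaf")
    return {
        "record": engine["record"],
        "verdict": verdict,
        "evil_confirmed": verdict == "confirmed",
        "narrative": str(model.get("narrative", "")),  # stored, never parsed
    }


def make_engine_result(record: int, verdict: str, leaf_verdict: str) -> dict:
    # Constructed sample input, not real engine output.
    leaf = {"record": record, "verdict": leaf_verdict}
    return {"record": record, "verdict": verdict, "leaf": leaf, "sig": sign_leaf(leaf)}


if __name__ == "__main__":
    eng = make_engine_result(42, "provisional", "provisional")
    print(finalize(eng, {"narrative": "CONFIRMED EVIL"}))
```

The narrative is carried through as opaque text, so the only route to a confirmed finding is an engine verdict that the signed leaf also carries.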

Bounded by design

The autonomy is real but hard-capped, and the honest ceiling carries through from the engine:

  • A confirmation is unreachable in the default demo: the demo key cannot produce a confirmed leaf, so the honest ceiling is provisional.
  • Raw-disk edits with no journal trace are anomalies, never confirmations; they cannot be cryptographically inverted and are flagged for manual review.
  • Scope is NTFS filesystem-journal artifacts only. No memory, no network, no non-NTFS logs.
  • The zero-false-positive demo-case results are on the reproducible synthetic case, not yet validated against real acquired images.