
MCP Forensic Toolkit MCP Server

Secure AI-enabled digital forensics toolkit built with Model Context Protocol

Installation
Add the following to your MCP client configuration file.

Configuration

{
  "mcpServers": {
    "axdithyaxo-mcp-forensic-toolkit": {
      "url": "http://127.0.0.1:6274",
      "headers": {
        "SAFE_BASE": "YOUR_SAFE_BASE_PATH"
      }
    }
  }
}

You run a local MCP server for forensic analysis, exposing structured tools to triage logs, verify file integrity, and generate audit-grade reports. This setup lets you operate securely within a controlled environment, integrate with MCP clients, and perform automated investigations using precise, semantically meaningful actions.

How to use

To start analyzing, launch the MCP server with a local client and connect to the provided endpoint. You can run tools to scan system logs, extract file metadata, and correlate file changes with log events. Use the same client to execute guided prompts for forensic reasoning and to review structured outputs.

Typical usage patterns include: triaging logs for specific keywords, hashing directories to assess integrity, and generating forensic reports that summarize correlations between file activity and log entries. Always validate that your SAFE_BASE restrictions are correctly configured so all operations remain within the intended workspace.

How to install

Prerequisites you need before installing and running the server:

• Python 3.10 or newer

• Poetry or pip for dependency management

• MCP CLI installed via pip: pip install modelcontext

• A configured environment variable file with SAFE_BASE defined

Step-by-step installation flow using Poetry (recommended):

# Clone the toolkit repository
git clone https://github.com/axdithyaxo/mcp-forensic-toolkit.git
cd mcp-forensic-toolkit

# Install Poetry if not present
curl -sSL https://install.python-poetry.org | python3 -

# Install dependencies and create a virtual environment
poetry install

# Activate the Poetry shell
poetry shell

# Copy and configure environment variables
cp .env.example .env
# Edit .env and set your SAFE_BASE, e.g. /Users/yourname/Desktop

Step-by-step installation flow using Python venv and pip (alternative):

# Clone the toolkit repository
git clone https://github.com/axdithyaxo/mcp-forensic-toolkit.git
cd mcp-forensic-toolkit

# Create and activate a virtual environment
python -m venv .venv
source .venv/bin/activate  # On Windows use `.venv\Scripts\activate`

# Install dependencies
pip install -r requirements.txt

# Copy and configure environment variables
cp .env.example .env
# Edit .env and set your SAFE_BASE, e.g. /Users/yourname/Desktop

Notes for Windows users: use the Windows activation command instead of the UNIX one shown above.

Additional sections

Start the server with the MCP CLI from the project workspace once dependencies are installed. You will connect to the local endpoint to perform tooling tasks and view results.

Access via MCP Inspector: you can reach the inspector interface at http://127.0.0.1:6274 to run tools like scan_syslog, file_metadata, hash_directory, correlate_file_and_logs, and generate_forensic_report. The interface presents structured outputs that are suitable for further analysis or interpretation by an LLM.

Environment variables you should configure include SAFE_BASE, which restricts all file operations to a defined workspace path.

Security notes: all tools validate paths against SAFE_BASE, system logs are read-only, and the CLI is designed to minimize unsafe globbing or traversal while handling permissions gracefully.
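The containment check the security notes describe, written out as an added example (not the toolkit's own code): every requested path is canonicalised with symlinks followed and must land inside SAFE_BASE, so both `..` traversal and symlinks pointing out of the workspace are rejected. The function names and the constructed workspace in `demo()` are assumptions for this example.

```python
from pathlib import Path
import tempfile


def resolve_within(safe_base: str, requested: str) -> Path:
    """Return the canonical path for `requested` only if it lies inside safe_base.

    Both sides are resolved with symlinks followed, so '..' segments and
    symlinks that point outside the workspace are rejected. Relative paths
    are interpreted relative to safe_base, not the process's working directory.
    """
    base = Path(safe_base).resolve(strict=True)
    candidate = Path(requested)
    if not candidate.is_absolute():
        candidate = base / candidate
    target = candidate.resolve(strict=False)
    try:
        # Component-wise check: '/ws2/x' is NOT inside '/ws', even though
        # a naive string prefix test would accept it.
        target.relative_to(base)
    except ValueError:
        raise PermissionError(f"path escapes SAFE_BASE: {requested!r}") from None
    return target


def is_within(safe_base: str, requested: str) -> bool:
    """Boolean form of resolve_within for quick policy checks."""
    try:
        resolve_within(safe_base, requested)
        return True
    except PermissionError:
        return False


def demo() -> dict:
    """Constructed workspace: a real file, a '..' escape and a symlink escape."""
    root = Path(tempfile.mkdtemp())
    base = root / "workspace"
    base.mkdir()
    (base / "evidence.log").write_text("constructed sample line\n")
    outside = root / "secret.txt"          # sits beside, not inside, the workspace
    outside.write_text("must stay unreachable\n")
    (base / "link").symlink_to(outside)    # symlink inside pointing outside
    return {
        "inside": is_within(str(base), "evidence.log"),
        "dotdot": is_within(str(base), "../secret.txt"),
        "symlink": is_within(str(base), "link"),
        "absolute_outside": is_within(str(base), str(outside)),
    }
```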

Tools description: the server exposes capabilities for structured log triage, file metadata extraction and hashing, recursive directory integrity checks, correlation between files and logs, and generation of forensic reports.

Example workflows include inspecting a file, running report-generation prompts to analyze the results, and reviewing the outputs in the MCP Inspector or through prompts that guide interpretation.

Notes on configuration and troubleshooting

Ensure SAFE_BASE is correctly set in your .env file and that the MCP CLI environment has access to the workspace you intend to analyze.

If you encounter connectivity issues, verify that the local MCP HTTP endpoint is listening on http://127.0.0.1:6274 and that the local firewall permits connections to that port.

For troubleshooting, run unit tests or targeted CLI demonstrations to verify the server behavior and the integrity of the tooling prompts.

Available tools

scan_syslog

Performs keyword-based scanning of system logs to identify relevant events and warnings.

file_metadata

Extracts metadata from files and computes SHA-256 hashes to verify integrity.

hash_directory

Recursively hashes directories to detect changes and maintain integrity over time.

correlate_file_and_logs

Links file modifications to corresponding log events to establish forensic relationships.

generate_forensic_report

Produces human-readable reports summarizing findings and correlations for investigations.
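What a recursive integrity check like hash_directory has to do, as an added example (not the toolkit's own code): build a SHA-256 manifest of every regular file under a directory, then compare a later scan against that baseline to classify paths as added, removed, modified or unchanged. Function names and the constructed tree in `demo()` are assumptions for this example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large evidence files are never read whole


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: str) -> dict[str, str]:
    """Map each regular file (path relative to root, POSIX form) to its SHA-256.

    Symlinks are skipped and os.walk does not descend into symlinked
    directories, so a link pointing outside the tree is never followed.
    """
    base = Path(root)
    manifest: dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(base, followlinks=False):
        dirnames.sort()       # deterministic order keeps reports reproducible
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(base).as_posix()] = sha256_file(p)
    return manifest


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path against the baseline snapshot."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "unchanged": sorted(p for p in common if baseline[p] == current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed tree: snapshot it, change it three ways, re-scan and diff."""
    root = Path(tempfile.mkdtemp())
    (root / "logs").mkdir()
    (root / "logs" / "auth.log").write_text("constructed line 1\n")
    (root / "notes.txt").write_text("baseline\n")
    baseline = build_manifest(str(root))
    (root / "logs" / "auth.log").write_text("constructed line 1\nconstructed line 2\n")
    (root / "notes.txt").unlink()
    (root / "dropped.bin").write_bytes(b"\x00" * 16)
    return diff_manifests(baseline, build_manifest(str(root)))
```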