Speaker:: Rob T. Lee
Title:: SIFT-FIND EVIL! I Gave Claude Code R00t on DFIR SIFT Workstation
Duration:: 24 min
Video:: https://www.youtube.com/watch?v=OsUg3TlAqjQ

## Key Thesis

Combining Claude Code with the SANS SIFT Workstation — a comprehensive, battle-tested digital forensics toolkit — and providing it with structured skill files rather than full manual ingestion yields a working AI-orchestrated incident response system capable of reducing a full-day manual DFIR workflow to roughly 14 minutes, with 100% accuracy on a known-compromise test case.

## Synopsis

Rob Lee, creator of the SIFT Workstation (an open-source DFIR toolkit maintained for 18 years), described an experiment he ran after SANS Marketing asked him to combine digital forensics with AI for a November talk. The core question: what happens when you install Claude Code on SIFT with root access and point it at real disk and memory images?

The setup took about 90 minutes. Lee built a `CLAUDE.md` file functioning as a prime directive/orchestrator, then created per-capability `skills.md` files describing each SIFT tool — what it does, how to invoke it, relevant flags — rather than dumping entire man pages into context. He had Claude Code itself auto-generate these skill files by reading man pages, running tools, capturing flag outputs, and looking up online documentation. The skill files serve two purposes: providing a deterministic execution path and reducing context rot from the start.

The demo scenario was "Stark Research Labs" — a fictional multi-system compromise used in SANS 508 training — with a threat actor called Crimson Osprey. Lee issued a single natural language command: `find evil in [image path]` followed by `write comprehensive report in PDF`. The system autonomously ran AMCache analysis, prefetch analysis, event log analysis, timeline generation via Plaso, and memory analysis across a C: drive image. Total time: **14 minutes 27 seconds**.
The resulting report included an executive summary, attack chain, malware inventory (finding p.exe masquerading in temp), persistence mechanisms, PowerShell transcript evidence, network indicators of compromise, MITRE ATT&CK overlay, and remediation recommendations — all verified as accurate by Lee, who built the original compromise. A memory-only image run took 18 minutes end-to-end, slightly longer because he manually approved continuation prompts (since resolved). Lee noted a key property: once the agent identifies malicious artifacts on system 1, it carries that context to systems 2, 3, and 4, naturally accelerating subsequent analysis.

Context rot is the primary known weakness. Lee's mitigation is skill file decomposition — keeping tool knowledge modular rather than monolithic. He acknowledged there is no clean enterprise-scale solution yet for multi-system runs where context rot becomes severe; this is one of two tracks in a hackathon he is launching.

Lee announced a **SANS-sponsored hackathon** (April 1 – May 15) with $22,000 in total prizes: $10,000 first place, $7,500 second place, across two tracks — (1) forensic MCP engineering to accelerate the SIFT-Claude integration 10-100x, and (2) solving context rot at enterprise scale. He is providing memory images, disk images, the SIFT workstation, and all skill/CLAUDE.md files as open source.
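The skill-file decomposition described above is the main architectural point of the talk. The following is an added example, not code from the talk or from SIFT, showing one way to build such a file: parse a tool's `--help` output into a compact per-tool skill file with a fixed set of sections, lint it before handing it to the orchestrator, and emit a one-line-per-tool index for `CLAUDE.md`. The tool `pf-parse`, its flags and help text, the full-manual stand-in, the section names and the per-skill character budget are all constructed assumptions for this example; the layout of Lee's own skill files is not on the page.

```python
"""Build and lint a compact per-tool skill file from --help output (added example).

Everything below is constructed: 'pf-parse' is a hypothetical tool, not a SIFT tool,
and the section convention is an assumption, not the layout of the talk's skill files.
"""
import re
from dataclasses import dataclass

# Assumed section convention for a skill file: mechanical sections are generated
# from --help, judgment sections are left as stubs for the analyst to fill in.
REQUIRED_SECTIONS = ("Purpose", "Invocation", "Key flags", "Output", "When to use")
STUB = "<!-- analyst: fill in -->"
SKILL_CHAR_BUDGET = 1500  # assumed per-skill context budget in characters

# Constructed argparse-style --help output for the hypothetical tool.
HELP_TEXT = """\
usage: pf-parse [-h] [-d DIR] [-o OUT] [--csv] [--json] [-v]

Parse Windows Prefetch files and emit execution times.

options:
  -h, --help       show this help message and exit
  -d DIR           directory of .pf files to parse
  -o OUT           output file path
  --csv            write CSV output
  --json           write JSON output
  -v               verbose logging
"""
# Constructed stand-in for the full manual that "full ingestion" would put in context.
FULL_MANUAL = HELP_TEXT + "\n" + "Narrative manual text about tool internals. " * 300

# One flag line: '-d DIR   description' or '--csv   description' or '-h, --help   ...'.
FLAG_RE = re.compile(
    r"^\s+((?:-{1,2}[\w-]+)(?:,\s*-{1,2}[\w-]+)*)(?:\s+([A-Z_]+))?\s{2,}(\S.*)$"
)


@dataclass
class Skill:
    name: str
    purpose: str
    flags: list  # list of (flag, argument name or "", description)


def parse_help(text: str) -> Skill:
    """Extract tool name, one-line purpose and flag table from argparse-style --help."""
    lines = text.splitlines()
    usage_idx = next(i for i, l in enumerate(lines) if l.startswith("usage:"))
    name = lines[usage_idx].split()[1]
    # Purpose: first non-empty line after the usage block that is not a section header.
    purpose = next(
        l.strip() for l in lines[usage_idx + 1:] if l.strip() and not l.strip().endswith(":")
    )
    flags = []
    for l in lines:
        m = FLAG_RE.match(l)
        if m and not m.group(1).startswith("-h"):  # --help is noise for the agent
            flags.append((m.group(1), m.group(2) or "", m.group(3).strip()))
    return Skill(name, purpose, flags)


def render_skill(s: Skill) -> str:
    """Emit the compact skill file; Output and When-to-use need analyst judgment."""
    args = " ".join(f"{f} <{a}>" for f, a, _ in s.flags if a)
    flag_lines = "\n".join(f"- `{f}{' ' + a if a else ''}`: {d}" for f, a, d in s.flags)
    return (
        f"# Skill: {s.name}\n\n"
        f"## Purpose\n{s.purpose}\n\n"
        f"## Invocation\n`{s.name} {args}`\n\n"
        f"## Key flags\n{flag_lines}\n\n"
        f"## Output\n{STUB}\n\n"
        f"## When to use\n{STUB}\n"
    )


def fill_section(md: str, section: str, text: str) -> str:
    """Replace the stub under a '## section' heading with analyst-written text."""
    return md.replace(f"## {section}\n{STUB}", f"## {section}\n{text}")


def sections_of(md: str) -> dict:
    """Map '## heading' -> body text for a skill file."""
    parts = re.split(r"^## ", md, flags=re.M)[1:]
    return {p.split("\n", 1)[0].strip(): (p.split("\n", 1)[1] if "\n" in p else "") for p in parts}


def check_skill(md: str) -> list:
    """Lint a skill file; an empty list means it is ready for the orchestrator."""
    problems = []
    found = sections_of(md)
    for sec in REQUIRED_SECTIONS:
        if sec not in found:
            problems.append(f"missing section: {sec}")
        elif not found[sec].strip() or STUB in found[sec]:
            problems.append(f"unfilled section: {sec}")
    if len(md) > SKILL_CHAR_BUDGET:
        problems.append(f"over budget: {len(md)} > {SKILL_CHAR_BUDGET} chars")
    return problems


def orchestrator_index(skills: list) -> str:
    """One routing line per tool for CLAUDE.md; tool detail lives only in the skill files."""
    rows = "\n".join(f"- {s.name}: {s.purpose} (see skills/{s.name}.md)" for s in skills)
    return "# Tool index\n" + rows + "\n"


if __name__ == "__main__":
    skill = parse_help(HELP_TEXT)
    md = render_skill(skill)
    print("lint before analyst input:", check_skill(md))
    md = fill_section(md, "Output", "One row per .pf file: executable name, run count, last run times.")
    md = fill_section(md, "When to use", "Establishing program execution on a Windows disk image.")
    print("lint after analyst input:", check_skill(md))
    print(f"skill file: {len(md)} chars; full manual stand-in: {len(FULL_MANUAL)} chars")
    print(orchestrator_index([skill]))
```

The lint step is the check worth keeping: a generated skill file that still carries a stub, or that grows past the budget, is exactly the kind of input that reintroduces the context problem the decomposition was meant to avoid, so it should fail before it reaches the orchestrator.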
## Key Takeaways

- Claude Code + SIFT + structured skill files compresses a full-day DFIR engagement to ~14 minutes with high accuracy
- The key architectural decision is skill file decomposition rather than full context ingestion — give the agent procedural knowledge about tools, not the entire manual
- Context rot is the primary technical barrier to enterprise-scale deployment across many systems simultaneously
- Cross-system context persistence is a genuine advantage: prior-compromise knowledge accelerates analysis of subsequent systems in the same incident
- The defensive community's advantage over adversaries is scale — many open-source developers versus small, secretive adversarial teams
- Human DFIR expertise remains essential to interpret the report; the system is not a replacement, it is an accelerant
- The report logs every command executed and every output file, providing an audit trail for accuracy verification

## Notable Quotes / Data Points

- Audience poll: a typical full DFIR engagement from image to final report takes "2-3 days" to "a week sometimes"; Lee demonstrated 14 minutes 27 seconds
- 90 minutes of configuration setup before the first run
- Memory image analysis: 18 minutes end-to-end
- Hackathon prize pool: $22,000 total ($10K first, $7.5K second)
- Hackathon dates: April 1 – May 15
- "Claudebot was created over a weekend at the end of November" — used as an analogy for rapid open-source acceleration
- "We need to increase the speed of our instant response capabilities to match the speed of the offensive teams leveraging the same capabilities"
- Two days before his November talk, Anthropic published their report on Claude Code being used for offensive operations — "apparently the Chinese had the same idea I did"

#unprompted #claude