{"id":49102336,"url":"https://github.com/calebevans/mulder","last_synced_at":"2026-04-21T00:03:26.677Z","repository":{"id":349943997,"uuid":"1204383230","full_name":"calebevans/mulder","owner":"calebevans","description":null,"archived":false,"fork":false,"pushed_at":"2026-04-19T15:35:33.000Z","size":679,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-19T16:16:27.131Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/calebevans.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-08T00:48:50.000Z","updated_at":"2026-04-19T15:35:54.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/calebevans/mulder","commit_stats":null,"previous_names":["calebevans/mulder"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/calebevans/mulder","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/calebevans%2Fmulder","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/calebevans%2Fmulder/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/calebevans%2Fmulder/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/calebevans%2Fmulder/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/calebevans","download_url":"https://codeload.github.com/calebevans/mulder/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/calebevans%2Fmulder/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32071021,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-20T21:26:33.338Z","status":"ssl_error","status_checked_at":"2026-04-20T21:26:22.081Z","response_time":94,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-04-21T00:03:26.118Z","updated_at":"2026-04-21T00:03:26.668Z","avatar_url":"https://github.com/calebevans.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n# mulder\n\n[![PyPI - Version](https://img.shields.io/pypi/v/mulder-mcp)](https://pypi.org/project/mulder-mcp/)\n\n\u003c/div\u003e\n\nMulder is an [MCP](https://modelcontextprotocol.io/) server for digital forensics on [SANS SIFT](https://www.sans.org/tools/sift-workstation/) workstations. It gives an AI agent the ability to create investigation cases, run forensic tools (Volatility 3, Sleuthkit, Plaso, Hayabusa, YARA, and more), index evidence into a searchable SQLite database, submit provenance-tracked findings, and generate investigation reports.\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/photos/report-demo.gif\" alt=\"Mulder report demo\" width=\"800\"\u003e\n\u003c/p\u003e\n\n## Features\n\n- **MCP protocol** for connecting to any compatible AI client (Claude Desktop, Cursor, Claude Code, etc.)\n- **40+ forensic tools** exposed as MCP tool calls covering memory, disk, timeline, Windows event logs, YARA, network capture, mobile, and more\n- **Per-case SQLite database** with FTS5 full-text search across all indexed evidence\n- **Append-only audit log** that records every tool invocation; findings must cite real tool call IDs to prevent hallucinated evidence\n- **Cross-source correlation** to join evidence from different artifact types within a time range\n- **Report generation** producing both Markdown and styled HTML reports with IOC tables, MITRE ATT\u0026CK coverage, and full audit trails\n- **Resource throttling** with configurable memory and CPU limits so extractions do not overwhelm the host\n- **Parallel extraction** with a configurable worker pool and a `run_parallel` meta-tool for batch dispatch\n\n### Example Output\n\nFrom the agent's live terminal during a [NIST insider threat investigation](examples/nist-data-leakage/):\n\n```\n● BOMBSHELL: Informant's Downloads folder contains:\n  - googledrivesync.exe + Zone.Identifier (downloaded from internet!)\n  - icloudsetup.exe + Zone.Identifier (also downloaded from internet!)\n\n  Multi-vector exfiltration: USB drives (×2), CD-R burn, Google Drive cloud\n  sync, and possibly iCloud!\n\n● SMOKING GUN — Browser Search Queries Show Premeditation:\n  search?q=anti-forensic+tools      (n=85)\n  search?q=ccleaner                 (n=65)\n  search?q=cd+burning+method        (n=64)\n  search?q=external+device+forensics (n=65)\n  search?q=DLP+DRM                  (n=90)\n  search?q=e-mail+investigation     (n=88)\n\n  The informant researched how to cover their tracks AND how forensic\n  investigations work. This is deliberate, premeditated data theft.\n\n● EXPLOSIVE FIND: LNK shows network share accessed:\n  \\\\10.11.11.128\\secured_drive\\Secret Project Data\\final\n  on 2015-03-22T14:52:21Z (drive V:).\n\n  This is the server where the secret project files were stored!\n```\n\n14 findings, 9 critical, 34 minutes. Full report with narrative, IOCs, and MITRE ATT\u0026CK mappings generated automatically.\n\nSee [examples/](examples/) for reports from multiple forensic datasets with ground truth comparisons, including runs on both Opus and Sonnet.\n\n## Getting Started\n\n### Docker (recommended)\n\nThe Docker image comes with all forensic tools, dependencies, and [Claude Code](https://docs.anthropic.com/en/docs/agents-and-tools/claude-code/overview) pre-installed. Mulder is already registered as an MCP server in the container, so Claude Code can use it immediately.\n\n```bash\ndocker pull ghcr.io/calebevans/mulder:1.0\n```\n\n#### Running the Container\n\nThe container expects three volume mounts:\n\n| Mount | Purpose |\n|-------|---------|\n| `/evidence` | Your evidence directory (mount read-only with `:ro`) |\n| `/root/.mulder/cases` | Case databases, audit logs, and generated reports (persisted to host) |\n| `/root/.claude` | Claude Code configuration and session data |\n\n**With an Anthropic API key:**\n\n```bash\nmkdir -p ~/mulder-cases\n\ndocker run -it --privileged \\\n  -v /path/to/evidence:/evidence:ro            `# evidence directory (read-only)` \\\n  -v ~/mulder-cases:/root/.mulder/cases        `# case DBs, audit logs, reports` \\\n  -v ~/.claude:/root/.claude                   `# Claude Code config and sessions` \\\n  -e ANTHROPIC_API_KEY=$ANTHROPIC_API_KEY \\\n  ghcr.io/calebevans/mulder:1.0\n```\n\n**With Google Cloud Vertex AI:**\n\n```bash\nmkdir -p ~/mulder-cases\n\ndocker run -it --privileged \\\n  -v /path/to/evidence:/evidence:ro            `# evidence directory (read-only)` \\\n  -v ~/mulder-cases:/root/.mulder/cases        `# case DBs, audit logs, reports` \\\n  -v ~/.claude:/root/.claude                   `# Claude Code config and sessions` \\\n  -e CLAUDE_CODE_USE_VERTEX=1 \\\n  -e CLOUD_ML_REGION=us-east5 \\\n  -e ANTHROPIC_VERTEX_PROJECT_ID=your-gcp-project-id \\\n  -e GOOGLE_APPLICATION_CREDENTIALS=/tmp/gcloud-creds.json \\\n  -v ~/.config/gcloud/application_default_credentials.json:/tmp/gcloud-creds.json:ro `# GCP credentials` \\\n  ghcr.io/calebevans/mulder:1.0\n```\n\n**With Amazon Bedrock:**\n\n```bash\nmkdir -p ~/mulder-cases\n\ndocker run -it --privileged \\\n  -v /path/to/evidence:/evidence:ro            `# evidence directory (read-only)` \\\n  -v ~/mulder-cases:/root/.mulder/cases        `# case DBs, audit logs, reports` \\\n  -v ~/.claude:/root/.claude                   `# Claude Code config and sessions` \\\n  -e CLAUDE_CODE_USE_BEDROCK=1 \\\n  -e AWS_REGION=us-east-1 \\\n  -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \\\n  -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \\\n  ghcr.io/calebevans/mulder:1.0\n```\n\nThe container starts Claude Code directly. Once inside, tell it to scan your evidence and begin the investigation. Case databases and reports are written to the mounted `~/mulder-cases` directory on the host.\n\n### Bare-Metal Install\n\nThe `install.sh` script handles a full installation on Debian/Ubuntu: Python 3.12, all forensic tool dependencies, the `mulder` Python package, and the MCP client configuration for Claude Code. It detects existing SIFT installations and skips packages that are already present.\n\n```bash\nsudo ./install.sh\n```\n\n### Python Package Only\n\nIf you already have the forensic tools installed on your system (e.g. on an existing SIFT workstation), you can install just the Python package:\n\n```bash\nuv pip install mulder-mcp\n\n# or with pip\npip install mulder-mcp\n```\n\n\u003e **Note:** The Python package provides the `mulder` CLI and MCP server, but the forensic tools it wraps (vol3, fls, log2timeline, hayabusa, yara, etc.) must be installed separately. Use `install.sh` or Docker to get everything in one step.\n\n## CLI Reference\n\n### `mulder serve`\n\nStarts the MCP server. Normally you do not need to run this manually; the MCP client configuration handles it.\n\n| Option | Default | Description |\n|--------|---------|-------------|\n| `--case-id` | None | Pre-load an existing case on startup |\n| `--db-dir` | `~/.mulder/cases` | Directory for per-case databases and audit logs |\n| `--transport` | `stdio` | MCP transport (`stdio` or `streamable-http`) |\n| `--workers` | `8` | Number of parallel extraction workers |\n| `--mem-limit` | `90` | Memory usage % threshold; tools wait when exceeded (0 to disable) |\n| `--cpu-limit` | `90` | CPU usage % threshold; tools wait when exceeded (0 to disable) |\n\n### `mulder report \u003ccase_id\u003e`\n\nGenerates reports offline without starting the MCP server.\n\n| Option | Default | Description |\n|--------|---------|-------------|\n| `--db-dir` | `~/.mulder/cases` | Directory containing case databases |\n\nReads `{case_id}.db` and `{case_id}.audit.jsonl` from the database directory and writes `{case_id}.report.md` and `{case_id}.report.html` alongside them.\n\n## Supported Forensic Tools\n\n| Tool | Description |\n|------|-------------|\n| [Volatility 3](https://github.com/volatilityfoundation/volatility3) | Memory forensics framework for analyzing RAM dumps |\n| [Sleuthkit](https://www.sleuthkit.org/) | Disk image analysis, filesystem listing, file extraction, and MAC timelines |\n| [Plaso](https://github.com/log2timeline/plaso) | Super-timeline generation from disk images and log artifacts |\n| [Hayabusa](https://github.com/Yamato-Security/hayabusa) | Windows event log threat hunting with Sigma rules |\n| [YARA](https://virustotal.github.io/yara/) | Pattern matching across files, memory dumps, and Volatility output |\n| [bulk_extractor](https://github.com/simsong/bulk_extractor) | Carves emails, URLs, credit card numbers, and other IOCs from raw data |\n| [Eric Zimmerman tools](https://ericzimmerman.github.io/) | Windows artifact parsers (Prefetch, Amcache, ShimCache, Jump Lists, LNK, Shellbags, SRUM, MFT, USN Journal) |\n| [RegRipper](https://github.com/keydet89/RegRipper3.0) | Windows registry hive parsing |\n| [python-evtx](https://github.com/williballenthin/python-evtx) | Windows EVTX event log parsing and indexing |\n| [foremost](https://foremost.sourceforge.net/) | File carving from disk images |\n| [Scalpel](https://github.com/sleuthkit/scalpel) | File carving and recovery |\n| [PhotoRec](https://www.cgsecurity.org/wiki/PhotoRec) | File recovery from disk images |\n| [Binwalk](https://github.com/ReFirmLabs/binwalk) | Firmware and embedded file analysis |\n| [ClamAV](https://www.clamav.net/) | Malware scanning |\n| [ExifTool](https://exiftool.org/) | File metadata extraction |\n| [ssdeep](https://ssdeep-project.github.io/ssdeep/) | Fuzzy hashing for file similarity |\n| [hashdeep](https://github.com/jessek/hashdeep) | Recursive cryptographic hashing |\n| [tshark](https://www.wireshark.org/docs/man-pages/tshark.html) | Network capture (PCAP) analysis |\n| [chkrootkit](http://www.chkrootkit.org/) | Rootkit detection |\n| [steghide](https://steghide.sourceforge.net/) / stegdetect | Steganography detection and extraction |\n| [strings](https://man7.org/linux/man-pages/man1/strings.1.html) | Extract printable strings from binary files |\n| [pasco](https://www.mcafee.com/enterprise/en-us/downloads/free-tools.html) | Internet Explorer history parsing |\n| [Hindsight](https://github.com/obsidianforensics/hindsight) | Chrome/Chromium browser forensics (history, cookies, downloads, cache) |\n| [MVT](https://github.com/mvt-project/mvt) | Mobile Verification Toolkit for spyware detection (Pegasus, Predator) |\n| [radare2](https://github.com/radareorg/radare2) | Binary analysis and reverse engineering for malware triage |\n| [dislocker](https://github.com/Aorimn/dislocker) / [libbde](https://github.com/libyal/libbde) | BitLocker volume decryption and metadata extraction |\n| [libfvde](https://github.com/libyal/libfvde) | Apple FileVault encryption metadata extraction |\n| [tcpflow](https://github.com/simsong/tcpflow) / [tcpxtract](https://tcpxtract.sourceforge.net/) | TCP stream reconstruction and file extraction from PCAPs |\n\n## Report Generation\n\nMulder generates two report formats from the case database and audit log:\n\n- **Markdown** (`{case_id}.report.md`) for plain-text review and version control\n- **HTML** (`{case_id}.report.html`) a self-contained styled page with dark/light theme, sidebar navigation, and interactive layout\n\nBoth formats include an executive summary, severity overview, evidence integrity hashes, attack timeline, detailed findings with MITRE ATT\u0026CK mappings, IOC tables (network, file, email), audit metrics, and a sources appendix.\n\nReports can be generated in two ways:\n\n1. **MCP tool**: call `finalize_report` while a case is loaded in the server\n2. **CLI**: run `mulder report \u003ccase_id\u003e` offline without starting the server\n\n## Architecture\n\nSee [docs/architecture.md](docs/architecture.md) for a detailed technical overview of the server internals, data model, tool execution model, and evidence pipeline.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcalebevans%2Fmulder","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcalebevans%2Fmulder","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcalebevans%2Fmulder/lists"}