allisterb/Camel
Camel

About

The Camel project is a "code-mode" MCP (Model Context Protocol) server that lets LLMs safely generate and execute JavaScript code that calls command-line forensic tools, performs analysis, and applies traditional machine learning algorithms and probabilistic reasoning on a SIFT workstation, for autonomous DFIR investigations.

Demo video

https://youtu.be/PkPXGt_iNX8

Requirements

  • A SIFT workstation instance, either installed locally or reachable remotely over SSH
  • .NET 9
  • Claude Desktop or Claude Code

Getting started

  1. If you want to build from source, clone the repository: git clone https://github.com/allisterb/Camel --recurse.

  2. Either download the latest Windows or Linux release to your computer, or build Camel by running the build script from the repo folder.

  3. Edit the appsettings.json file in your Camel runtime folder (src/Camel.CLI/bin/Release/net9.0 if you built from source, or the extracted release archive folder) and set your SIFT environment preference to Local or Ssh. If you use Ssh, enter the login details for the SIFT workstation. Those login details then sit in plain text in appsettings.json, so restrict read access to the file and keep it out of version control.

  4. From the Camel folder, run [./]camel create-case <case_dir> <case_id>, where <case_dir> is the path to your cases directory and <case_id> is your case id. Camel creates the case directory at <case_dir>/<case_id> containing the CLAUDE.md prompt file and other supporting files and directories.

  5. Edit <case_dir>/<case_id>/CLAUDE.md and fill in the Case description and Evidence sections with your case details and the file paths of the evidence files on the SIFT workstation. Record the evidence hashes there as well if you have them, so the agent can verify the files in step 7.

  6. Start a new Claude session in <case_dir>/<case_id>.

  7. Tell the agent to begin the investigation. The agent first checks that the required evidence files are present. If you provided hashes in CLAUDE.md, it asks whether you want to verify the evidence files against them first; doing so ties the files the agent examines to the hashes recorded at acquisition. Once the evidence is confirmed, the investigation proceeds autonomously.

  8. As the investigation proceeds, audit log data is written to the logs directory in CLEF (Compact Log Event Format, one JSON event per line). When the investigation completes, the results are written to the reports directory and the Claude chat logs are also copied to the logs directory. Double-click report.html in reports to open an interactive HTML view of the results and log data.
