AIFT - AI Forensic Triage V2.0

June 13, 2026



License: AGPL-3.0 · Python 3.10–3.13

Automated Windows and Linux forensic triage, powered by AI.

AIFT is a GUI, CLI, REST API, and MCP tool that helps DFIR analysts get oriented quickly. Point it at disk images, VM images, forensic archives, or triage packages; AIFT discovers what can be opened, parses artifacts with Dissect, and uses AI to turn the parsed data into evidence-linked leads, timelines, correlations, questions, and gaps for the investigator to verify. With a cloud provider, a single-image run typically goes from evidence to reviewable leads in well under an hour (see the example runs below); local models and multi-system cases take longer.

AIFT has a GUI that even non-DFIR team members can operate. It also has CLI, REST API, and optional MCP modes for repeatable runs, integrations, or AI-client-driven automation.

No Elasticsearch. No Docker. No database. One local Python application.

AIFT is under active development. Contributions, bug reports, workflow feedback, and forensic reality checks are welcome.



How It Works

Upload Evidence -> Select Artifacts -> Parse -> AI Analysis -> HTML Report
  1. Run the app - a local web interface opens in your browser.
  2. Add evidence - drag and drop an E01, VMDK, VHD, raw image, archive, or triage package; point to a local path for large evidence; or use Scan Directory to find supported targets inside a folder.
  3. Select artifacts - choose parseable Windows or Linux artifacts manually, use recommended selections, or load an artifact profile.
  4. Parse and triage - AIFT parses the selected artifacts, sends the parsed data to your configured AI provider, and produces evidence-linked leads for review.
  5. Review and follow up - download the HTML/JSON triage output, export CSVs, or chat with the results to decide where deeper manual analysis should begin.

Example Triage Outputs

A public NIST CFReDS test image was used to compare how different providers behaved on the same evidence. The prompt included one observed IOC (PsExec) and one not-observed IOC (redpetya.exe) to test whether the model could point to supported leads while avoiding unsupported claims.

These are example triage outputs, not final forensic reports and not universal benchmarks. Cost and runtime will vary by data volume, model configuration, context window, provider pricing, and hardware.

Model               | Cost  | Runtime
Kimi K2 Turbo       | $0.20 | ~5 min
OpenAI GPT-5.2      | $0.94 | ~8 min
Claude Opus 4.6     | $3.01 | ~20 min
Local: qwen3:8b     | $0    | ~2.5 h
Local: gpt-oss 120b | $0    | ~20 min

Multi-System Case: SANS Find Evil Hackathon

The reports above compare providers on a single image. This example is different — a 7-system Windows case (domain controller, file server, two RDS hosts, two workstations, and an internet-facing DMZ FTP server) triaged in one run with a custom Quick Triage profile (17 artifacts). It showcases AIFT's cross-system output: a unified multi-host timeline, shared IOCs and accounts correlated across hosts, lateral-movement paths, a patient-zero assessment, and a fleet-wide scope assessment. Evidence is the public SANS Find Evil Hackathon dataset.

Case                     | Systems     | Profile                     | Model   | Cost | Runtime
SANS Find Evil Hackathon | 7 (Windows) | Quick Triage (17 artifacts) | Kimi K2 | ~$10 | ~3 h

Do you have interesting example reports generated by AIFT? Send them via GitHub or email them to info@FlipForensics.com.


What AIFT Does

  • Automated Dissect parsing. AIFT automatically parses different forensic artifacts using Dissect. Even if AI analysis fails, the analyst can still review all CSVs parsed by Dissect.
  • Browser, CLI, REST API, and MCP. Shared core components keep outputs consistent; CLI, REST API, and MCP use the same automation engine.
  • Windows and Linux coverage. Current prompt-backed registry: 60 Windows artifacts and 44 Linux artifacts, enabled only when parseable for the target.
  • Multi-system triage. Analyze a workstation, server, and domain controller in one case, then review correlated timelines, accounts, IOCs, lateral movement clues, and gaps.
  • Provider choice. Use Claude, OpenAI, Kimi, or a local OpenAI-compatible endpoint such as Ollama, LM Studio, vLLM, or text-generation-webui.
  • Forensic hygiene. Source evidence is opened read-only, hashes are recorded and re-verified where available, and outputs include audit history and AI-assisted disclaimers.

Interfaces

Interface  | Entry Point              | Best For
GUI        | python aift.py           | Everyday guided triage: upload/path intake, artifact selection, streaming progress, report chat
CLI        | python aift_cli.py ...   | The full triage pipeline in your terminal: batch processing, scheduled jobs, CI-style workflows
REST API   | POST /api/automation/run | Internal tooling, SOAR/lab integrations, orchestration on a trusted local server
MCP server | python aift_mcp.py       | MCP-capable AI clients that discover evidence, start runs, poll status, and retrieve triage outputs

All interfaces share the same core pipeline: evidence discovery, hashing, parsing, AI analysis, report generation, JSON export, and audit logging.


Quick Start

Install

Python 3.10 through 3.13 is required (3.14+ is currently unsupported because of upstream dissect.target compatibility). A virtual environment is recommended.

git clone https://github.com/FlipForensics/AIFT.git
cd AIFT
python -m pip install -r requirements.txt

Run the Web UI

python aift.py

AIFT opens the configured local URL (http://127.0.0.1:5000 by default) and creates config/config.yaml on first run. From the browser you can upload evidence, point to a local path, scan a directory, select artifacts or profiles, parse, analyze, chat with the results, and download the triage output.

Configure AI

Configure a provider in the GUI settings or in config/config.yaml (created on first run).

Local models use an OpenAI-compatible endpoint, for example http://localhost:11434/v1.


CLI Automation

Use the CLI when you already know the evidence path and investigation question:

python aift_cli.py \
  --evidence /evidence/disk.E01 \
  --prompt "Investigate suspected unauthorized access. Look for RDP, PsExec, new services, new accounts, and suspicious PowerShell." \
  --profile recommended \
  --output /reports

Useful options:

python aift_cli.py --list-profiles
python aift_cli.py --evidence /evidence/folder --prompt @prompt.txt
python aift_cli.py --evidence /evidence/disk.E01 --prompt "Check malware activity" --date-start 2026-04-01 --date-end 2026-04-15

CLI profile arguments can be a profile name (built-in or saved from the GUI) or a path to a JSON artifact profile.


REST Automation API

Run AIFT locally, then start an asynchronous automation run:

curl -X POST http://127.0.0.1:5000/api/automation/run \
  -H "Content-Type: application/json" \
  -d '{
    "evidence_path": "/evidence/disk.E01",
    "prompt": "Investigate suspected unauthorized access. Look for RDP, PsExec, new services, new accounts, and suspicious PowerShell.",
    "profile_name": "recommended",
    "case_name": "Initial triage"
  }'

Poll status and retrieve completed outputs:

curl http://127.0.0.1:5000/api/automation/run/<run_id>/status
curl -L -o AIFT_report.html http://127.0.0.1:5000/api/automation/run/<run_id>/report/html
curl -L -o AIFT_report.json http://127.0.0.1:5000/api/automation/run/<run_id>/report/json

The automation API accepts JSON path-based runs and multipart uploads. Runs can be listed, cancelled, and polled; run state is retained in memory for a bounded TTL, while generated outputs remain on disk. The server binds to 127.0.0.1:5000 by default; keep it on loopback, or otherwise limited to hosts you trust, because the API is designed for a trusted local server rather than for exposure to untrusted networks.
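The curl calls above cover the three requests one at a time. The script below is an added example (not AIFT's own code) that strings them together the way an integration would: start a run, poll the status endpoint with a timeout rather than forever, and download the report once the run is terminal. The endpoint paths are the ones documented above; the JSON field names (`run_id`, `status`), the terminal status values, and the `_FakeServer` stand-in that lets the flow run offline are assumptions made for this example, so check the field names against your installed version.

```python
"""Drive AIFT's local automation API end to end: start a run, poll until it
reaches a terminal state, then download the report.

Added example, not AIFT's own code. The endpoint paths are the ones the
README documents; the JSON field names (run_id, status) and the terminal
status values are assumptions about the response schema and should be
checked against your installed version.
"""
import io
import json
import os
import tempfile
import time
import urllib.parse
import urllib.request
from typing import Callable, Optional

BASE_URL = "http://127.0.0.1:5000"               # AIFT's default local bind
TERMINAL = {"completed", "failed", "cancelled"}   # assumed terminal statuses


def _http(opener: Callable, method: str, url: str, body: Optional[dict] = None) -> bytes:
    """Send one JSON request through `opener` (urllib.request.urlopen or a stand-in)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with opener(req) as resp:
        return resp.read()


def start_run(evidence_path: str, prompt: str, profile_name: str = "recommended",
              case_name: str = "Initial triage", base_url: str = BASE_URL,
              opener: Callable = urllib.request.urlopen) -> str:
    """POST /api/automation/run and return the run id (field name assumed)."""
    body = {"evidence_path": evidence_path, "prompt": prompt,
            "profile_name": profile_name, "case_name": case_name}
    raw = _http(opener, "POST", f"{base_url}/api/automation/run", body)
    return json.loads(raw)["run_id"]


def wait_for_run(run_id: str, base_url: str = BASE_URL, opener: Callable = urllib.request.urlopen,
                 timeout_s: float = 4 * 3600, interval_s: float = 15.0,
                 sleep: Callable = time.sleep) -> dict:
    """Poll /status until the run is terminal; raise rather than wait forever."""
    deadline = time.monotonic() + timeout_s
    while True:
        status = json.loads(_http(opener, "GET", f"{base_url}/api/automation/run/{run_id}/status"))
        if status.get("status") in TERMINAL:
            return status
        if time.monotonic() >= deadline:
            raise TimeoutError(f"run {run_id} still {status.get('status')!r} after {timeout_s}s")
        sleep(interval_s)


def fetch_report(run_id: str, fmt: str, dest: str, base_url: str = BASE_URL,
                 opener: Callable = urllib.request.urlopen) -> int:
    """GET /report/<fmt> (html or json) into `dest`; return bytes written."""
    raw = _http(opener, "GET", f"{base_url}/api/automation/run/{run_id}/report/{fmt}")
    with open(dest, "wb") as fh:
        fh.write(raw)
    return len(raw)


class _FakeServer:
    """Constructed in-memory stand-in for the API so the flow runs offline."""

    def __init__(self) -> None:
        self.polls = 0

    def __call__(self, req: urllib.request.Request) -> io.BytesIO:
        path = urllib.parse.urlparse(req.full_url).path
        if req.get_method() == "POST" and path == "/api/automation/run":
            assert json.loads(req.data)["evidence_path"].endswith(".E01")
            payload = {"run_id": "demo-run-1", "status": "queued"}
        elif path.endswith("/status"):
            self.polls += 1                     # completes on the third poll
            payload = {"run_id": "demo-run-1",
                       "status": "completed" if self.polls >= 3 else "running"}
        elif path.endswith("/report/json"):
            payload = {"case_name": "Initial triage", "leads": []}
        else:
            raise ValueError(f"unexpected request: {req.get_method()} {path}")
        return io.BytesIO(json.dumps(payload).encode())


def demo_offline() -> dict:
    """Run the whole client flow against _FakeServer and summarise the result."""
    server = _FakeServer()
    run_id = start_run("/evidence/disk.E01",
                       "Investigate suspected unauthorized access. Look for RDP, PsExec, "
                       "new services, new accounts, and suspicious PowerShell.", opener=server)
    final = wait_for_run(run_id, opener=server, interval_s=0, sleep=lambda _s: None)
    with tempfile.TemporaryDirectory() as tmp:
        written = fetch_report(run_id, "json", os.path.join(tmp, "AIFT_report.json"), opener=server)
    return {"run_id": run_id, "status": final["status"],
            "polls": server.polls, "report_bytes": written}


if __name__ == "__main__":
    print(demo_offline())
```

Against a real server, drop the `opener=` argument so `urllib.request.urlopen` is used, and keep the timeout: a multi-system run can take hours (see the SANS example above), so the poll loop needs an upper bound that matches your expected runtime rather than an unbounded wait.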


MCP Server

AIFT includes an optional local Model Context Protocol server for MCP-capable AI clients. It is an adapter over the same headless automation engine used by the CLI and REST API.

python aift_mcp.py

Default transport is stdio, so an MCP client can launch AIFT as a subprocess:

{
  "mcpServers": {
    "aift": {
      "command": "python",
      "args": ["C:\\Tools\\AIFT\\aift_mcp.py"],
      "env": {
        "PYTHONUNBUFFERED": "1"
      }
    }
  }
}

Available MCP tools include:

Tool                   | Purpose
aift_server_info       | Return non-secret server metadata and capabilities
aift_list_profiles     | List artifact profiles
aift_discover_evidence | Discover supported evidence targets
aift_start_triage      | Start a long-running automation run
aift_get_run_status    | Poll run status
aift_cancel_run        | Cancel an active run
aift_list_runs         | List active and recently retained runs
aift_get_report_paths  | Return output paths for completed or failed runs

Local Streamable HTTP is also available for trusted internal integrations:

python aift_mcp.py --transport streamable-http --host 127.0.0.1 --port 8765

Output

AIFT produces working triage outputs for review and follow-up:

  • Self-contained HTML triage report for review, sharing, printing, or archiving.
  • Machine-readable JSON export for API and automation consumers.
  • Parsed CSV bundle for follow-up analysis in other tools.
  • Case-local analysis_results.json used by the UI, chat, and report generator.
  • Append-only audit.jsonl with UTC timestamps for intake, hashing, parsing, analysis, reporting, and warnings.

The HTML and JSON outputs include evidence metadata, hash status, AI-assisted observations, cross-system analysis for multi-image cases, processing notes, investigation gaps, and suggested next steps. Treat them as structured leads for an examiner to validate, refine, and either accept or reject.
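Because the outputs are leads to be validated, the first thing to validate is the evidence itself: the audit log records hashes at intake, and an examiner should be able to recompute them later. The script below is an added example (not AIFT's own code) that parses an audit.jsonl, checks that its UTC timestamps never run backwards, recomputes SHA-256 for every recorded hash event, and shows the check failing after the image is modified. AIFT documents the log as append-only JSON lines with UTC timestamps; the field names used here (`ts`, `event`, `path`, `sha256`) are an assumed layout, and the evidence bytes and log lines are constructed for the demo, so map the keys to what your installed version writes.

```python
"""Re-verify the evidence hashes recorded in an AIFT audit.jsonl and check that
the log is in timestamp order.

Added example, not AIFT's own code. AIFT documents audit.jsonl as append-only
JSON lines with UTC timestamps; the field names used here (ts, event, path,
sha256) are an assumed layout, so map them to the keys your installed
version writes. The evidence file and log lines below are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so multi-GB images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def read_audit(path: str) -> list:
    """Parse JSON lines; a malformed line is reported, not silently skipped."""
    events = []
    with open(path, encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, 1):
            if line.strip():
                try:
                    events.append(json.loads(line))
                except json.JSONDecodeError as exc:
                    raise ValueError(f"{path}:{lineno}: malformed audit line") from exc
    return events


def timestamps_in_order(events: list) -> bool:
    """An append-only log should never go backwards in time."""
    stamps = [datetime.fromisoformat(e["ts"]) for e in events]
    return all(a <= b for a, b in zip(stamps, stamps[1:]))


def verify_hashes(audit_path: str, evidence_root: str) -> list:
    """Recompute SHA-256 for every 'hash' event and compare with the recorded value."""
    results = []
    for ev in read_audit(audit_path):
        if ev.get("event") != "hash":
            continue
        actual = sha256_file(os.path.join(evidence_root, ev["path"]))
        results.append({"path": ev["path"], "recorded": ev["sha256"],
                        "actual": actual, "match": actual == ev["sha256"]})
    return results


def demo() -> dict:
    """Build a constructed case directory, verify it, tamper with the image, verify again."""
    with tempfile.TemporaryDirectory() as root:
        image = os.path.join(root, "disk.E01")          # stand-in bytes, not a real E01
        with open(image, "wb") as fh:
            fh.write(b"EVF\x09\x0d\x0a\xff\x00" + b"\x00" * 4096)
        recorded = sha256_file(image)
        events = [  # constructed audit lines in the assumed layout
            {"ts": "2026-06-13T09:00:00+00:00", "event": "intake", "path": "disk.E01"},
            {"ts": "2026-06-13T09:00:02+00:00", "event": "hash", "path": "disk.E01",
             "algorithm": "sha256", "sha256": recorded},
            {"ts": "2026-06-13T09:00:05+00:00", "event": "parse", "artifacts": 17},
        ]
        audit = os.path.join(root, "audit.jsonl")
        with open(audit, "w", encoding="utf-8") as fh:
            fh.writelines(json.dumps(e) + "\n" for e in events)

        before = verify_hashes(audit, root)
        with open(image, "ab") as fh:                   # simulate post-intake modification
            fh.write(b"\x00")
        after = verify_hashes(audit, root)
        return {"ordered": timestamps_in_order(read_audit(audit)),
                "match_before": before[0]["match"], "match_after": after[0]["match"]}


if __name__ == "__main__":
    print(demo())
```

A mismatch after the run does not by itself mean the tool altered the evidence (the source is opened read-only), but it does mean the report can no longer be tied to the image on disk, which is exactly the question a reviewer will ask before accepting any of its leads.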


Evidence and Artifact Coverage

AIFT uses Dissect for evidence loading and artifact parsing. Supported evidence includes E01/Ex01, raw/dd/img, split raw, VMDK, VHD/VHDX, VDI, QCOW2, OVA/OVF, VM configs, AD1, Dissect acquire formats, KAPE/Velociraptor/UAC-style folders where Dissect can open them, and ZIP/7z/TAR archives with safe extraction fallback.

Artifact coverage is prompt-backed and OS-aware:

Platform | Current Count | Example Areas
Windows  | 60            | Event logs, execution, persistence, registry, user activity, browsers, network, Defender, Active Directory, MSSQL, DPAPI-related parse-only outputs
Linux    | 44            | Authentication, shell history, systemd, cron, SSH, packages, logs, accounts, network, persistence, container and service traces

Only artifacts that are parseable for a target are enabled for that target. Profiles let you keep common selections repeatable across GUI, CLI, API, and MCP workflows.


AI Providers

Provider         | What You Need                                | Notes
Anthropic Claude | API key from console.anthropic.com           | Default model: claude-opus-4-8
OpenAI / GPT     | API key from platform.openai.com             | Default model: gpt-5.5
Kimi             | API key from platform.moonshot.ai            | Default model: kimi-k2.6; OpenAI-compatible endpoint
Local model      | OpenAI-compatible server URL and model name  | Ollama, LM Studio, vLLM, text-generation-webui

For local models, set Analysis Max Tokens to match the model context window. A minimum of 32K tokens is strongly recommended for useful forensic context.

When artifact data exceeds the context budget, AIFT chunks retained CSV data across multiple AI calls and merges the results instead of silently dropping rows. Deduplication, date filtering, explicit row caps, and other reductions are recorded through processing notes, settings, or audit output so the examiner can see what changed before analysis.
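The point of the chunk-and-merge behaviour is that the examiner loses no rows and can see every reduction that happened. The script below is an added example (not AIFT's own chunking code) of that pattern: it packs CSV rows into chunks that fit a token budget, repeats the header in every chunk so each AI call is self-describing, sends an oversized row alone instead of dropping it, records what it did as processing notes, and merges per-chunk leads so the same finding seen in two chunks becomes one lead with both timestamps. The 4-characters-per-token estimate, the lead layout, and `fake_analyze` (a stand-in for the model call) are assumptions made for the demo; the prefetch-style rows are constructed.

```python
"""Split oversized artifact CSV data into context-sized AI calls without
dropping rows, then merge the per-call results.

Added example, not AIFT's own chunking code. The 4-characters-per-token
estimate, the lead layout and the fake_analyze stand-in for the model call
are assumptions made for the demo; the prefetch-style rows are constructed.
"""
import csv
import io

CHARS_PER_TOKEN = 4   # crude estimate; real tokenizers vary by model (assumption)


def estimate_tokens(text: str) -> int:
    return max(1, (len(text) + CHARS_PER_TOKEN - 1) // CHARS_PER_TOKEN)


def _csv_line(fields) -> str:
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerow(fields)
    return buf.getvalue()


def chunk_rows(header, rows, budget_tokens: int):
    """Group rows into CSV chunks under budget_tokens; the header is repeated in
    every chunk so each AI call is self-describing. Returns (chunks, notes).
    Every input row lands in exactly one chunk; an oversized row is sent alone
    and noted rather than dropped."""
    header_line = _csv_line(header)
    header_cost = estimate_tokens(header_line)
    chunks, notes, current, cost = [], [], [], header_cost
    for row in rows:
        line = _csv_line(row)
        line_cost = estimate_tokens(line)
        if header_cost + line_cost > budget_tokens:
            notes.append(f"row exceeds budget ({header_cost + line_cost} > {budget_tokens} tokens); sent alone")
        if current and cost + line_cost > budget_tokens:
            chunks.append(header_line + "".join(current))
            current, cost = [], header_cost
        current.append(line)
        cost += line_cost
    if current:
        chunks.append(header_line + "".join(current))
    if len(chunks) > 1:
        notes.append(f"{len(rows)} rows split across {len(chunks)} AI calls ({budget_tokens}-token budget)")
    return chunks, notes


def fake_analyze(chunk_text: str) -> list:
    """Stand-in for the model call: flags PsExec-related images ('psexe' also
    matches the PSEXESVC service binary). Constructed for the demo."""
    leads = []
    for row in csv.DictReader(io.StringIO(chunk_text)):
        if "psexe" in row["image"].lower():
            leads.append({"artifact": "prefetch", "evidence_ref": row["image"],
                          "timestamps": [row["ts"]], "note": "PsExec execution"})
    return leads


def merge_leads(per_chunk_leads) -> list:
    """Union of leads across chunks keyed on (artifact, evidence_ref): the same
    finding seen in two chunks becomes one lead with both timestamps."""
    merged = {}
    for leads in per_chunk_leads:
        for lead in leads:
            key = (lead["artifact"], lead["evidence_ref"])
            if key in merged:
                merged[key]["timestamps"].extend(lead["timestamps"])
            else:
                merged[key] = {**lead, "timestamps": list(lead["timestamps"])}
    return list(merged.values())


def demo(budget_tokens: int = 60) -> dict:
    header = ["ts", "host", "image", "run_count"]
    rows = [  # constructed prefetch-style rows
        ["2026-04-02T08:14:03Z", "WS01", "C:\\Windows\\System32\\notepad.exe", "4"],
        ["2026-04-02T08:15:11Z", "WS01", "C:\\Windows\\Temp\\PSEXESVC.EXE", "1"],
        ["2026-04-02T08:15:12Z", "WS01", "C:\\Users\\jdoe\\Downloads\\PsExec64.exe", "1"],
        ["2026-04-02T08:20:40Z", "WS01", "C:\\Windows\\System32\\cmd.exe", "19"],
        ["2026-04-02T08:21:05Z", "WS01", "C:\\Windows\\Temp\\PSEXESVC.EXE", "2"],
        ["2026-04-02T09:02:59Z", "WS01", "C:\\Program Files\\7-Zip\\7z.exe", "3"],
    ]
    chunks, notes = chunk_rows(header, rows, budget_tokens)
    rows_out = sum(len(c.splitlines()) - 1 for c in chunks)   # minus repeated header
    leads = merge_leads([fake_analyze(c) for c in chunks])
    return {"rows_in": len(rows), "rows_out": rows_out, "chunks": len(chunks),
            "leads": len(leads), "psexesvc_timestamps": len(leads[0]["timestamps"]),
            "notes": notes}


if __name__ == "__main__":
    print(demo())
```

With the deliberately tiny 60-token budget the six rows are split across two calls, the row count in equals the row count out, and the PSEXESVC.EXE hits in both chunks collapse into one lead carrying both timestamps; the notes list is what an examiner would expect to find in the processing notes before trusting the analysis.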



Requirements

  • Python 3.10-3.13
  • 8 GB RAM minimum for large artifacts
  • Disk space for parsed CSVs and generated outputs; plan for roughly 2x evidence size during active work
  • Optional AI provider credentials or a local OpenAI-compatible model endpoint

All AIFT dependencies are Python packages installed from requirements.txt, including the MCP SDK used by the optional aift_mcp.py server.


Disclaimer

AIFT output is AI-assisted triage material. It is designed to help an investigator decide where to look first, not to replace examiner judgment or produce a final forensic conclusion. All observations must be independently verified by a qualified forensic examiner before use in any legal, regulatory, or formal investigative proceeding. The AI analyzes only the data provided and may miss relevant artifacts or context.

When using a cloud AI provider, parsed artifact data is sent to external servers for analysis. If evidence is subject to privacy, legal, regulatory, or confidentiality restrictions, consider using a local model.


License

AIFT is open source, released by Flip Forensics under the AGPL-3.0 license.

Contact: info@FlipForensics.com