MCP Forensic Toolkit

v1.0.0Securitystable

A secure, AI-ready local server that provides digital forensics tools for analyzing logs, verifying file integrity, and generating audit-grade reports.

mcp-forensic-toolkitmcpai-integration
Share:
23
Stars
0
Downloads
0
Weekly
0/5

What is MCP Forensic Toolkit?

MCP Forensic Toolkit is a Model Context Protocol (MCP) server that allows AI assistants like Claude, Cursor, and VS Code to secure, ai-ready local server that provides digital forensics tools for analyzing logs, verifying file integrity, and generating audit-grade reports.

A secure, AI-ready local server that provides digital forensics tools for analyzing logs, verifying file integrity, and generating audit-grade reports.

This server falls under the Security and Monitoring & Observability categories on MCPgee, the world's largest MCP server directory with 33,000+ servers.

Features

  • A secure, AI-ready local server that provides digital forens

Use Cases

Analyze logs and verify file integrity for digital forensics.
Generate audit-grade reports for security investigations.
axdithyaxo

Maintainer

LicenseMIT
Languagepython
Versionv1.0.0
UpdatedApr 23, 2026
Statushealthy
Maintenanceactive

Works with

ClaudeOpenAIwindowsmacoslinux

Installation

Manual Installation

npx mcp-forensic-toolkit

Configuration

Configuration Details

Config File

claude_desktop_config.json

Performance

Response Metrics

Response Time< 200ms
ThroughputMedium

Resource Usage

Memory UsageLow
CPU UsageLow

How to Set Up and Use MCP Forensic Toolkit

MCP Forensic Toolkit is a secure, locally-running MCP server that gives AI assistants five specialised digital forensics tools: log scanning by keyword, file metadata and SHA-256 integrity hashing, recursive directory hashing, log-to-file event correlation, and audit-grade report generation. All file operations are sandboxed to a configurable base directory via the SAFE_BASE environment variable, making it suitable for incident response scenarios where you need to investigate a specific folder tree without risk of the AI accessing the broader filesystem.

Prerequisites

  • Python 3.9 or later with pip
  • Poetry (recommended) or a virtual environment with pip
  • Git to clone the repository
  • An MCP-compatible client such as Claude Desktop or the MCP Inspector
  • A directory you want to investigate (set as SAFE_BASE)
1

Clone the repository

The toolkit is not published to PyPI, so clone the source repository directly.

git clone https://github.com/axdithyaxo/mcp-forensic-toolkit.git
cd mcp-forensic-toolkit
2

Install dependencies with Poetry

Poetry creates an isolated virtual environment and installs all dependencies in one step.

curl -sSL https://install.python-poetry.org | python3 -
poetry install
3

Configure the safe base directory

Copy the example environment file and set SAFE_BASE to the directory you want the toolkit to be allowed to read. All tool calls that reference paths outside this directory will be rejected.

cp .env.example .env
# Edit .env and set:
# SAFE_BASE=/Users/yourname/Desktop/investigation
4

Start the MCP server in development mode

Launch the server using the mcp dev command. The server listens on http://127.0.0.1:6274 and is ready for MCP client connections.

poetry shell
mcp dev mcp_forensic_toolkit/server.py
5

Add to Claude Desktop config

For production use with Claude Desktop, register the server so it starts automatically. Use the absolute path to the Poetry-managed Python interpreter.

{
  "mcpServers": {
    "mcp-forensic-toolkit": {
      "command": "poetry",
      "args": ["run", "python", "-m", "mcp_forensic_toolkit.server"],
      "cwd": "/absolute/path/to/mcp-forensic-toolkit",
      "env": {
        "SAFE_BASE": "/Users/yourname/Desktop/investigation"
      }
    }
  }
}

MCP Forensic Toolkit Examples

Client configuration

Claude Desktop config entry pointing to the forensic toolkit with SAFE_BASE scoped to an investigation folder.

{
  "mcpServers": {
    "mcp-forensic-toolkit": {
      "command": "poetry",
      "args": ["run", "python", "-m", "mcp_forensic_toolkit.server"],
      "cwd": "/Users/yourname/mcp-forensic-toolkit",
      "env": {
        "SAFE_BASE": "/Users/yourname/Desktop/investigation"
      }
    }
  }
}

Prompts to try

Example investigation prompts to use with Claude once the server is connected.

- "Scan the system log at /var/log/syslog for the keyword 'error' and summarise the findings"
- "Get the metadata and SHA-256 hash of the file suspicious_binary.exe and tell me if anything looks unusual"
- "Hash every file in the /investigation/uploads directory and flag any that look tampered with"
- "Correlate the modification time of config.php with nearby entries in access.log"
- "Generate an audit-grade forensic report for the files in the /investigation folder"

Troubleshooting MCP Forensic Toolkit

Tool calls fail with 'path not allowed' or 'outside SAFE_BASE'

All file paths passed to the tools must be inside the directory set in SAFE_BASE. Double-check the value in your .env file uses an absolute path, and confirm the files you are investigating are actually inside that directory.

poetry command not found when Claude Desktop tries to start the server

Claude Desktop may not inherit your shell PATH. Use the full absolute path to the poetry binary in the command field, e.g. /Users/yourname/.local/bin/poetry, or switch to the pip+venv installation method and point command to the absolute path of the venv Python interpreter.

mcp dev starts but Claude Desktop shows the server as disconnected

The mcp dev command is for browser-based inspection (MCP Inspector at port 6274) and does not expose a stdio transport. For Claude Desktop, use the Poetry run command in the config as shown in the examples above.

Frequently Asked Questions about MCP Forensic Toolkit

What is MCP Forensic Toolkit?

MCP Forensic Toolkit is a Model Context Protocol (MCP) server that secure, ai-ready local server that provides digital forensics tools for analyzing logs, verifying file integrity, and generating audit-grade reports. It connects AI assistants to external tools and data sources through a standardized interface.

How do I install MCP Forensic Toolkit?

Follow the installation instructions on the MCP Forensic Toolkit GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.

Which AI clients work with MCP Forensic Toolkit?

MCP Forensic Toolkit works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.

Is MCP Forensic Toolkit free to use?

Yes, MCP Forensic Toolkit is open source and available under the MIT license. You can use it freely in both personal and commercial projects.

MCP Forensic Toolkit Alternatives — Similar Security Servers

Looking for alternatives to MCP Forensic Toolkit? Here are other popular security servers you can use with Claude, Cursor, and VS Code.

Casdoor

13.6k

An open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD

ghidraMCP

9.0k

An Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through

HexStrike AI

8.9k

HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b

IDA Pro MCP

8.7k

Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.

Anthropic Cybersecurity Skills

6.6k

754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform

Hooker

5.1k

🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u

Browse More Security MCP Servers

Explore all security servers available in the MCPgee directory. Each server includes setup guides for Claude, Cursor, and VS Code.

Quick Config Preview

{ "mcpServers": { "mcp-forensic-toolkit": { "command": "npx", "args": ["-y", "mcp-forensic-toolkit"] } } }

Add this to your claude_desktop_config.json or .cursor/mcp.json

Read the full setup guide →

Ready to use MCP Forensic Toolkit?

Browse our complete directory of 33,000+ MCP servers, read setup guides for your editor, and start building with the Model Context Protocol.

33,000+ ServersFree & Open SourceStep-by-Step Guides