Show HN: Mulder – Containerized MCP server for digital forensics investigations (github.com)
4 points by calebevans 5 hours ago

I built Mulder for the SANS "FIND EVIL!" hackathon. My background is not in forensics, but I was interested in building the agent. I've been seeing some really cool results and thought this community might like it!

Mulder is an MCP server that exposes forensic tools like Volatility, Sleuthkit, Plaso, and more as typed tool calls. Every invocation is recorded in an append-only audit log. When an agent finds something, it submits a "finding" to the case database. Each finding must have evidence citations that are validated before being admitted. If the agent cites evidence or a tool execution that doesn't exist, the finding is dropped.

The biggest problem I needed to solve was context window pressure. These investigations often contain a lot of data, and processing it produces a lot of noise that will fill a context window quickly. To avoid this, all tool output is stored in a per-case SQLite database with full-text search. The agent can then search the database and request segments of tool output as much as it wants.

It ships as a container with all forensic binaries, symbol tables, YARA rules, MITRE ATT&CK data, and Claude Code pre-configured. You just have to mount your read-only evidence directory, start the container, and ask Claude to start an investigation.

I tested it against two test scenarios that I found online. Based on the ground truth I have been able to find, Mulder is producing pretty impressive results. I have provided the output from these runs in the examples in my repo.

If you know a lot about digital forensics or if it's something that interests you, please check it out. I'd appreciate any feedback.
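The three mechanisms the post describes (an append-only audit log of tool runs, full-text search with segment retrieval over stored tool output, and findings that are dropped when they cite a tool execution that does not exist), as an added Python sketch that is not Mulder's own code. The table layout, function names and the sample pslist output are constructed assumptions.

```python
import sqlite3
# Constructed sketch (not Mulder's code): append-only audit log, FTS over tool output, validated findings.
SCHEMA = """
CREATE TABLE tool_runs(id INTEGER PRIMARY KEY, tool TEXT, args TEXT, output TEXT);
CREATE VIRTUAL TABLE output_fts USING fts5(output, content='tool_runs', content_rowid='id');
CREATE TRIGGER runs_index AFTER INSERT ON tool_runs BEGIN
  INSERT INTO output_fts(rowid, output) VALUES (new.id, new.output); END;
CREATE TRIGGER runs_no_update BEFORE UPDATE ON tool_runs BEGIN
  SELECT RAISE(ABORT, 'audit log is append-only'); END;
CREATE TRIGGER runs_no_delete BEFORE DELETE ON tool_runs BEGIN
  SELECT RAISE(ABORT, 'audit log is append-only'); END;
CREATE TABLE findings(id INTEGER PRIMARY KEY, summary TEXT, cited_run INTEGER NOT NULL);
"""

def open_case():
    db = sqlite3.connect(":memory:")  # one database per case
    db.executescript(SCHEMA)
    return db

def record_tool_run(db, tool, args, output):
    """Log one invocation with its full output; returns the run id an agent may cite."""
    return db.execute("INSERT INTO tool_runs(tool, args, output) VALUES (?, ?, ?)",
                      (tool, args, output)).lastrowid

def search_output(db, query, limit=5):
    """FTS5 MATCH over all stored output; returns (run_id, snippet) pairs."""
    sql = ("SELECT rowid, snippet(output_fts, 0, '[', ']', '...', 8) "
           "FROM output_fts WHERE output_fts MATCH ? LIMIT ?")
    return db.execute(sql, (query, limit)).fetchall()

def output_segment(db, run_id, start, length):
    """Return a 1-based slice of one run's output instead of the whole blob."""
    row = db.execute("SELECT substr(output, ?, ?) FROM tool_runs WHERE id = ?",
                     (start, length, run_id)).fetchone()
    return row[0] if row else None

def submit_finding(db, summary, cited_run):
    """Admit the finding only if the cited tool execution exists in the audit log."""
    if db.execute("SELECT 1 FROM tool_runs WHERE id = ?", (cited_run,)).fetchone() is None:
        return False  # citation points at nothing: drop the finding
    db.execute("INSERT INTO findings(summary, cited_run) VALUES (?, ?)", (summary, cited_run))
    return True

def tamper_rejected(db):
    """True if the audit-log triggers block deleting a recorded run."""
    try:
        db.execute("DELETE FROM tool_runs")
    except sqlite3.DatabaseError:
        return True
    return False
```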