Inspiration
LLMs are useful at summarizing messy evidence, but raw PCAPs containing malware artifacts should not be uploaded blindly to a provider. I wanted a DFIR assistant that keeps evidence on SIFT, extracts bounded observations with local tools, and lets an analyst review a validated report instead of trusting an LLM model.
What it does
EvidenceLoop analyzes packet-capture evidence from a local evidence folder, builds bounded observations, creates LLM-safe JSON packets, optionally asks a provider for network triage and case summary, validates the response, and shows the result in an analyst UI.
For the primary demo case, it identifies likely STRRAT-style command-and-control activity.
How I built it
The agent runs on SIFT and uses typed local tools around tshark and local parsers. Raw PCAPs stay outside provider requests. The agent writes bounded observations, LLM packets, validation results, execution logs, trace files, and chain-of-custody hashes.
The frontend, EvidenceLoop, is a React UI for reviewing run history, findings, evidence, network triage, follow-up gaps, workflow trace, and summary LLM output. I also used Codex heavily as a coding partner to build, test, critique, and polish the system, while keeping the evidence handling and scoring decisions explicit.
Challenges
The hardest part was avoiding false confidence. Some provider answers looked fluent but undercalled or overcalled the evidence. EvidenceLoop handles this with validation, evidence-gap checks, provider attempt logging, fallback behavior, and human review markers when verdicts and phases disagree.
What I learned
The useful pattern is not "LLM over raw evidence." It is local extraction, bounded packets, provider isolation, validation, and analyst review. The model can help, but only after the system controls what it can see and checks what it says.
What's next
Next steps are broader artifact support, more holdout cases, stronger endpoint-correlation workflows, and a configurable analyst-question interface that still preserves the same evidence boundaries and validation gates.
Built With
- fastapi
- google-gemini-api
- javascript
- obs
- openai-api
- python-3.12
- react
- sans-sift-workstation
- sqlite
- tshark/wireshark
- vite
Log in or sign up for Devpost to join the conversation.