Mulder is an MCP server that exposes forensic tools like Volatility, Sleuthkit, Plaso, and more as typed tool calls. Every invocation is recorded in an append-only audit log. When an agent finds something, it submits a "finding" to the case database. Each finding must have evidence citations that are validated before being admitted. If the agent cites evidence or a tool execution that doesn't exist, the finding is dropped.
The biggest problem I needed to solve was context window pressure. These investigations often contain a lot of data, and processing it produces a lot of noise that will fill a context window quickly. To avoid this, all tool output is stored in a per-case SQLite database with full-text search. The agent can then search the database and request segments of tool output as often as it needs.
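As an added illustration of the two mechanisms described above (validated evidence citations, and the per-case SQLite store with full-text search), here is a minimal Python sketch, not Mulder's own code: an append-only audit table, an FTS5 table of tool output the agent can search and page through, and a finding submission that drops anything citing an execution or line that does not exist. The schema, function names and the sample process listing are my assumptions.

```python
import sqlite3
SCHEMA = """
CREATE TABLE audit_log (exec_id INTEGER PRIMARY KEY, tool TEXT NOT NULL, args TEXT NOT NULL,
                        ts TEXT NOT NULL DEFAULT (datetime('now')));
-- Append-only: UPDATE and DELETE on the audit log are rejected by triggers.
CREATE TRIGGER audit_no_upd BEFORE UPDATE ON audit_log BEGIN SELECT RAISE(ABORT, 'append-only'); END;
CREATE TRIGGER audit_no_del BEFORE DELETE ON audit_log BEGIN SELECT RAISE(ABORT, 'append-only'); END;
-- One FTS5 row per line of tool output, keyed by execution id and line number.
CREATE VIRTUAL TABLE tool_output USING fts5(exec_id UNINDEXED, line_no UNINDEXED, text);
CREATE TABLE findings (id INTEGER PRIMARY KEY, title TEXT NOT NULL, cites TEXT NOT NULL);
"""
# Constructed sample in the shape of a Volatility process listing (not real evidence).
SAMPLE_PSLIST = ["PID   PPID  ImageFileName  CreateTime",
                 "4     0     System         2024-01-01 10:00:00",
                 "612   4     smss.exe       2024-01-01 10:00:02",
                 "1204  612   svchost.exe    2024-01-01 10:05:10"]

def open_case():
    """Per-case database: in-memory here, one file per case in practice."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def record_execution(conn, tool, args, output_lines):
    """Audit one tool call and index its output line by line; returns the exec id."""
    exec_id = conn.execute("INSERT INTO audit_log(tool, args) VALUES (?, ?)",
                           (tool, args)).lastrowid
    conn.executemany("INSERT INTO tool_output(exec_id, line_no, text) VALUES (?, ?, ?)",
                     [(exec_id, n, ln) for n, ln in enumerate(output_lines, 1)])
    return exec_id

def search_output(conn, query):
    """FTS5 MATCH over all stored output: the agent pulls hits, never whole dumps."""
    return conn.execute("SELECT exec_id, line_no, text FROM tool_output WHERE tool_output"
                        " MATCH ? ORDER BY exec_id, line_no", (query,)).fetchall()

def get_segment(conn, exec_id, first, last):
    """Return lines first..last (inclusive) of one execution's output."""
    rows = conn.execute("SELECT text FROM tool_output WHERE exec_id = ? AND line_no "
                        "BETWEEN ? AND ? ORDER BY line_no", (exec_id, first, last))
    return [r[0] for r in rows]

def submit_finding(conn, title, citations):
    """Admit the finding only if every cited (exec_id, line_no) exists; else drop it."""
    for exec_id, line_no in citations:
        if conn.execute("SELECT 1 FROM tool_output WHERE exec_id = ? AND line_no = ?",
                        (exec_id, line_no)).fetchone() is None:
            return False  # dangling citation: the finding is not admitted
    conn.execute("INSERT INTO findings(title, cites) VALUES (?, ?)",
                 (title, repr(sorted(citations))))
    return True
```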
It ships as a container with all forensic binaries, symbol tables, YARA rules, MITRE ATT&CK data, and Claude Code pre-configured. You just have to mount your read-only evidence directory, start the container, and ask Claude to start an investigation.
I tested it against two test scenarios that I found online. Based on the ground truth I have been able to find, Mulder is producing pretty impressive results. I have provided the output from these runs in the examples in my repo.
If you know a lot about digital forensics or if it's something that interests you, please check it out. I'd appreciate any feedback.