SIFT – FIND EVIL!! I Gave Claude Code R00t on the DFIR SIFT Workstation
Rob T. Lee
[un]prompted 2026 — AI Security Practitioner Conference · Day 1 · 2
Rob Lee, creator of the SIFT Workstation, gave Claude Code root access on a DFIR forensics environment and told it to "find evil." The result: a full forensic analysis that previously took human analysts two to three days compressed to 14 minutes and 27 seconds, with 100% accuracy on a system Lee had personally compromised. He used the talk to announce a SANS community hackathon with $22,000 in prizes aimed at turning a proof of concept into an enterprise-grade defensive capability.

---
AI review
Rob Lee gave Claude Code root on a DFIR workstation, said 'find evil,' and got a 100%-accurate forensic report in 14 minutes and 27 seconds — versus two to three days of human analyst work. The CLAUDE.md skills architecture is clever, the demo was real, and the $22K hackathon is a genuine community call to arms. This is what tool-building talks should look like.