Authors: Abdus Satter, Makei Salmon, Lara Muhanna, Trevor Spinosa, Taha Gharaibeh, Ibrahim Baggili
DFRWS USA 2026
Abstract
Large Language Model agents increasingly rely on the Model Context Protocol to invoke external tools for code execution, data access, and API interaction, expanding both automation capabilities and the forensic attack surface of modern AI-enabled systems. MCP interactions often occur within ephemeral runtimes where durable logs and network traces may be incomplete, unavailable, or deliberately removed, limiting post-incident visibility into agent behavior. In this paper, we present MCPRecon, a protocol-aware memory forensics framework for reconstructing MCP interaction traces from volatile memory. MCPRecon leverages the standardized JSON-RPC 2.0 message structure and MCP method semantics to identify, validate, and correlate MCP protocol artifacts directly from RAM, without relying on disk logs, network captures, or transport-specific instrumentation. Given a post-incident memory snapshot, MCPRecon recovers tool discovery results, invocation arguments, execution outcomes, and tool identifiers, and reconstructs request–response traces using JSON-RPC identifiers. We evaluate MCPRecon across multiple real-world MCP clients, deployment modes (stdio and HTTP), and scenarios, demonstrating that forensically relevant MCP artifacts persist in volatile memory and can be reliably reconstructed. Finally, we illustrate the forensic relevance of recovered artifacts through a proof-of-concept attack involving malicious MCP tool usage, showing how memory-resident protocol evidence enables attribution and post-incident analysis when traditional logs are absent.
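The Python example below is added here for illustration and is not MCPRecon's implementation: it carves JSON-RPC 2.0 messages out of a raw byte buffer, validates them, drops duplicate copies, and pairs requests with responses by `id`, as the abstract describes. The function names, `MAX_MSG`, the single-session assumption, and the constructed `SAMPLE` buffer are assumptions of this example; the `tools/call` method with `params.name` and `params.arguments` follows the MCP specification.

```python
import json
MAX_MSG = 64 * 1024  # assumed upper bound on one message; tune per dump

def classify(obj):
    """'request', 'notification', 'response', or None if not JSON-RPC 2.0."""
    if (not isinstance(obj, dict) or obj.get("jsonrpc") != "2.0"
            or not isinstance(obj.get("id"), (str, int, float, type(None)))):
        return None
    if isinstance(obj.get("method"), str):
        return "request" if "id" in obj else "notification"
    is_resp = "id" in obj and ("result" in obj) != ("error" in obj)
    return "response" if is_resp else None

def carve(buf):
    """Yield (byte offset, kind, message) for each distinct valid message."""
    seen, pos = set(), buf.find(b"{")
    while pos != -1:
        window = buf[pos:pos + MAX_MSG]
        if b'"jsonrpc"' in window:
            try:
                obj, _ = json.JSONDecoder().raw_decode(window.decode("utf-8", "ignore"))
            except ValueError:  # truncated or overwritten fragment
                obj = None
            kind, key = classify(obj), json.dumps(obj, sort_keys=True)
            if kind and key not in seen:  # RAM often holds several copies
                seen.add(key)
                yield pos, kind, obj
        pos = buf.find(b"{", pos + 1)

def reconstruct(buf):
    """Pair requests and responses by JSON-RPC id (single session assumed)."""
    traces = {}
    for off, kind, msg in carve(buf):
        if kind == "notification":
            continue
        t = traces.setdefault(msg["id"], {"id": msg["id"]})
        if kind == "request":
            p = msg["params"] if isinstance(msg.get("params"), dict) else {}
            t.update(method=msg["method"], tool=p.get("name"),
                     arguments=p.get("arguments"), req_offset=off)
        else:
            t.update(outcome=msg.get("result", msg.get("error")), resp_offset=off)
    return list(traces.values())

# Constructed buffer standing in for a memory snapshot (not real evidence).
SAMPLE = (b'\x00\x7fheap{"jsonrpc":"2.0","id":7,"method":"tools/call","params":'
          b'{"name":"read_file","arguments":{"path":"/tmp/notes.txt"}}}\x00\x00'
          b'{"jsonrpc":"2.0","id":7,"meth\xff\xfe{"id":7,"result":{"content":'
          b'[{"type":"text","text":"hi"}],"isError":false},"jsonrpc":"2.0"}\x00')
```

JSON-RPC identifiers are only unique within one session, so a dump holding several client sessions needs an additional grouping key (for example the owning process or memory region) before pairing by `id`.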