winforensics-mcp
A comprehensive MCP server for Windows digital forensics on KALI Linux
Windows Forensics MCP Server
Windows DFIR from Linux - A comprehensive forensics toolkit designed entirely for Linux environments with zero Windows tool dependencies. Parse Windows artifacts natively using pure Python libraries.
Related Projects
- mem_forensics-mcp - Unified Memory Forensics MCP Server - Multi-tier engine combining Rust speed with Vol3 coverage
- mac_forensics-mcp - macOS DFIR - Unified Logs, FSEvents, Spotlight, Plists, SQLite databases, Extended Attributes
Features
Core Forensics
| Category | Capabilities |
|---|---|
| EVTX Logs | Parse Windows Event Logs with filtering, search, and pre-built security queries |
| Registry | Analyze SAM, SYSTEM, SOFTWARE, SECURITY, NTUSER.DAT hives |
| Remote Collection | Collect artifacts via WinRM (password or pass-the-hash) |
Execution Artifacts
| Category | Capabilities |
|---|---|
| PE Analysis | Static analysis with hashes (MD5/SHA1/SHA256/imphash), imports, exports, packer detection |
| Prefetch | Execution evidence with run counts, timestamps, loaded files |
| Amcache | SHA1 hashes and first-seen timestamps from Amcache.hve |
| SRUM | Application resource usage, CPU time, network activity from SRUDB.dat |
File System Artifacts
| Category | Capabilities |
|---|---|
| MFT | Master File Table parsing with timestomping detection |
| USN Journal | Change journal for file operations and deleted file recovery |
| Timeline | Unified timeline from MFT, USN, Prefetch, Amcache, EVTX |
User Activity
| Category | Capabilities |
|---|---|
| Browser | Edge, Chrome, Firefox history and downloads |
| LNK Files | Windows shortcut analysis for recently accessed files |
| ShellBags | Folder navigation history with suspicious path detection |
| RecentDocs | Registry-based recent document tracking |
Network Forensics
| Category | Capabilities |
|---|---|
| PCAP Analysis | Parse PCAP/PCAPNG files - conversations, DNS queries, HTTP requests, suspicious connections |
API Monitor Capture Analysis
| Category | Capabilities |
|---|---|
| APMX Parsing | Parse API Monitor captures (.apmx64/.apmx86) - process metadata, API call extraction, parameter values |
| Pattern Detection | Detect injection, hollowing, credential dumping, and other attack patterns from captured API call sequences with MITRE ATT&CK mapping |
| Handle Correlation | Track handle values across calls to reconstruct attack chains (OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread) |
| Injection Analysis | Extract enriched injection chain details: target PID/process, shellcode size, allocation addresses, technique classification |
| API Knowledge Base | 26,944 Windows API definitions with parameter signatures, DLL mappings, and category browsing |
Malware Detection
| Category | Capabilities |
|---|---|
| YARA Scanning | 718 rules from signature-base - APT, ransomware, webshells, hacktools |
| VirusTotal | Hash/IP/domain reputation lookups with caching and rate limiting (free tier supported) |
| DiE Integration | Detect packers (UPX, Themida, VMProtect), compilers, .NET, installers via Detect It Easy |
Orchestrators
| Tool | What It Does |
|---|---|
investigate_execution | Correlates Prefetch + Amcache + SRUM to answer "Was this binary executed?" |
investigate_user_activity | Correlates Browser + ShellBags + LNK + RecentDocs for user activity timeline |
hunt_ioc | Searches for IOC (hash/filename/IP/domain) across ALL artifact sources + optional YARA scanning |
build_timeline | Builds unified forensic timeline from multiple sources |
Utilities
| Tool | What It Does |
|---|---|
ingest_parsed_csv | Import Eric Zimmerman tool CSV output (MFTECmd, PECmd, AmcacheParser) |
Installation
Prerequisites
# Install uv (fast Python package manager)
curl -LsSf https://astral.sh/uv/install.sh | sh
source ~/.bashrc
# Ensure Python 3.10+
python3 --version
Install from PyPI
uv tool install winforensics-mcp
Install from source
git clone https://github.com/x746b/winforensics-mcp.git
cd winforensics-mcp
# Install with uv (recommended)
uv sync
# Or install with all optional extras
uv venv && source .venv/bin/activate
uv pip install -e ".[all]"
Verify
uv run python -m winforensics_mcp.server
# Should start without errors (Ctrl+C to exit)
Adding to Claude CLI
Installed from PyPI
claude mcp add winforensics-mcp --scope user -- uv run winforensics-mcp
Installed from sources
claude mcp add winforensics-mcp \
--scope user \
-- uv run --directory /path/to/winforensics-mcp python -m winforensics_mcp.server
Verify:
claude mcp list
# Should show winforensics-mcp
LLM Integration (CLAUDE.md)
For AI-assisted forensic analysis, include CLAUDE.md in your case directory. It provides:
- Orchestrator-first guidance - Ensures LLMs use high-level tools before low-level parsers
- Token efficiency - Reduces API costs by 50%+ through proper tool selection
- Investigation workflow - Step-by-step methodology for consistent analysis
Usage
Copy CLAUDE.md to your case directory:
cp /path/to/winforensics-mcp/CLAUDE.md /your/case/directory/
# Edit paths in CLAUDE.md to match your case
The LLM will automatically follow the orchestrator-first approach:
| Question | Orchestrator Used |
|---|---|
| "Was malware.exe executed?" | investigate_execution |
| "What did the user do?" | investigate_user_activity |
| "Find this hash everywhere" | hunt_ioc |
| "Build incident timeline" | build_timeline |
Quick Start Examples
Was This Binary Executed?
Investigate if mimikatz.exe was executed on the system at /mnt/evidence
The investigate_execution orchestrator checks Prefetch, Amcache, and SRUM:
{
"target": "mimikatz.exe",
"execution_confirmed": true,
"confidence": "HIGH",
"evidence": [
{"source": "Prefetch", "finding": "Executed 3 times, last at 2024-03-15T14:23:45Z"},
{"source": "Amcache", "finding": "SHA1: abc123..., First seen: 2024-03-14T09:00:00Z"},
{"source": "SRUM", "finding": "Network: 15.2 MB sent; Foreground: 47 seconds"}
]
}
Hunt for IOC Across All Artifacts
Hunt for the hash 204bc44c651e17f65c95314e0b6dfee586b72089 in /mnt/evidence
The hunt_ioc tool searches Prefetch, Amcache, SRUM, MFT, USN, Browser, EVTX, and optionally YARA:
{
"ioc": "204bc44c651e17f65c95314e0b6dfee586b72089",
"ioc_type": "sha1",
"found": true,
"sources_with_hits": ["Amcache", "MFT"],
"findings": [
{"source": "Amcache", "matches": 1, "details": "bloodhound.exe"},
{"source": "MFT", "matches": 1, "details": "Users\\Admin\\Downloads\\bloodhound.exe"}
]
}
Tool Reference
Orchestrators (High-Level Investigation)
| Tool | Description |
|---|---|
investigate_execution | Correlate Prefetch/Amcache/SRUM to prove binary execution |
investigate_user_activity | Correlate Browser/ShellBags/LNK/RecentDocs for user activity |
hunt_ioc | Hunt IOC (hash/filename/IP/domain) across all artifacts; yara_scan=True adds YARA threat intel |
build_timeline | Build unified timeline from multiple artifact sources |
Execution Artifacts
| Tool | Description |
|---|---|
file_analyze_pe | Static PE analysis - hashes, imports, exports, packer detection |
disk_parse_prefetch | Parse Prefetch for execution evidence |
disk_parse_amcache | Parse Amcache.hve for SHA1 hashes and timestamps |
disk_parse_srum | Parse SRUDB.dat for app resource and network usage |
Malware Detection (YARA)
| Tool | Description |
|---|---|
yara_scan_file | Scan file with 718 YARA rules (Mimikatz, CobaltStrike, webshells, APT, ransomware) |
yara_scan_directory | Batch scan directory for malware |
yara_list_rules | List available/bundled YARA rules |
Threat Intelligence (VirusTotal)
| Tool | Description |
|---|---|
vt_lookup_hash | Look up file hash (MD5/SHA1/SHA256) on VirusTotal |
vt_lookup_ip | Get IP address reputation and geolocation |
vt_lookup_domain | Get domain reputation and categorization |
vt_lookup_file | Calculate file hashes and look up on VirusTotal |
Network Forensics (PCAP)
| Tool | Description |
|---|---|
pcap_get_stats | Get PCAP statistics - packet counts, protocols, top talkers |
pcap_get_conversations | Extract TCP/UDP conversations with byte counts |
pcap_get_dns | Extract DNS queries and responses |
pcap_get_http | Extract HTTP requests with URLs, methods, user-agents |
pcap_search | Search packet payloads for strings or regex patterns |
pcap_find_suspicious | Detect C2 indicators, beaconing, DNS tunneling |
API Monitor Capture Analysis (APMX)
| Tool | Description |
|---|---|
apmx_parse | Parse .apmx64/.apmx86 capture - process info, modules, call counts |
apmx_get_calls | Extract API calls with filtering, pagination, and time range support |
apmx_get_call_details | Detailed records with parameter values, return values, timestamps |
apmx_detect_patterns | Detect attack patterns (injection, hollowing, credential dumping) with MITRE ATT&CK IDs |
apmx_correlate_handles | Track handle producer/consumer chains across API calls |
apmx_get_injection_info | Enriched injection chain extraction (target PID, shellcode size, technique) |
apmx_get_calls_around | Context window of calls around a specific record |
apmx_search_params | Search all records for a specific parameter value |
api_analyze_imports | Full PE import analysis with pattern detection and MITRE ATT&CK mapping |
api_detect_patterns | Detect attack patterns from PE import tables |
api_lookup | Look up Windows API signature (26,944 APIs with params, DLL, category) |
api_search_category | Browse APIs by category (e.g., "Process Injection", "File Management") |
Packer Detection (DiE)
| Tool | Description |
|---|---|
die_analyze_file | Analyze file for packers, compilers, protectors, .NET |
die_scan_directory | Batch scan directory for packed executables |
die_get_packer_info | Get info about packer (difficulty, unpack tools) |
File System
| Tool | Description |
|---|---|
disk_parse_mft | Parse $MFT with timestomping detection |
disk_parse_usn_journal | Parse $J for file operations and deleted files |
User Activity
| Tool | Description |
|---|---|
browser_get_history | Parse Edge/Chrome/Firefox history and downloads |
user_parse_lnk_files | Parse Windows shortcuts for target paths |
user_parse_shellbags | Parse ShellBags for folder navigation history |
Event Logs
| Tool | Description |
|---|---|
evtx_list_files | List EVTX files in a directory |
evtx_get_stats | Get event counts, time range, Event ID distribution |
evtx_search | Search with filters (time, Event ID, keywords) |
evtx_security_search | Pre-built security event searches (logon, process creation, etc.) |
evtx_attack_summary | Compact TSV summary for rapid triage - one line per event, attack-relevant columns only |
evtx_explain_event_id | Get Event ID description |
Registry
| Tool | Description |
|---|---|
registry_get_key | Get specific key and values |
registry_search | Search values by pattern |
registry_get_persistence | Get Run keys and services |
registry_get_users | Get user accounts from SAM |
registry_get_usb_history | Get USB device history |
registry_get_system_info | Get OS version, hostname, timezone |
registry_get_network | Get network configuration |
Utilities
| Tool | Description |
|---|---|
ingest_parsed_csv | Import Eric Zimmerman CSV output (MFTECmd, PECmd, AmcacheParser, SrumECmd) |
forensics_list_important_events | List important Event IDs by channel |
forensics_list_registry_keys | List forensic registry keys by category |
Remote Collection
| Tool | Description |
|---|---|
remote_collect_artifacts | Collect artifacts via WinRM (password or pass-the-hash) |
remote_get_system_info | Get remote system info |
Configuration
VirusTotal API Key
# Option 1: Environment variable
export VIRUSTOTAL_API_KEY="your-api-key-here"
# Option 2: Config file
mkdir -p ~/.config/winforensics-mcp
echo "your-api-key-here" > ~/.config/winforensics-mcp/vt_api_key
Get your free API key at virustotal.com. Free tier is rate-limited to 4 requests/minute; the client handles rate limiting and caches results for 24 hours.
Troubleshooting
DiE (Detect It Easy) not found
# Debian/Ubuntu
sudo apt install detect-it-easy
# Or download from https://github.com/horsicq/DIE-engine/releases
Remove MCP Server
claude mcp remove winforensics-mcp --scope user
License
Credits: Rohitab Batra (API Monitor), Neo23x0/signature-base (YARA rules), horsicq/DIE-engine (Detect It Easy)
MIT License | xtk | Built for the DFIR community. No Windows required >)
Related Servers
Airplane.Live MCP Server
MCP server that connects to the Airplanes.live API to provide real-time flight and aircraft data for analysis or visualization.
Kai AGI
Autonomous AI agent running 24/7 — predictions with calibration, AI research briefs, live system status, web search proxy
SwitchBot MCP Server
Control SwitchBot devices interactively using the SwitchBot API.
Crypto Trader
Provides real-time cryptocurrency market data using the CoinGecko API.
MCP Minecraft Remote
Remotely control a Minecraft Java Edition server using the Model Context Protocol (MCP).
Image Generator
Image generation and editing with advanced features like multi-image blending and character consistency
MCP Cat Language Server
A server that translates Chinese text into cute cat language expressions.
PoshMCP
Expose explicitly whitelisted PowerShell commandlets as a MCP Tool
Fibrous MCP Server
A server for Fibrous Finance, a DeFi aggregation platform.
Brick Directory
MCP that knows everything about LEGO sets, parts, minifigures, and pricing. Help you manage your collections across popular sites such as Rebrickable and BrickEconomy