winforensics-mcp
A comprehensive MCP server for Windows digital forensics on KALI Linux
Windows Forensics MCP Server
Windows DFIR from Linux - A comprehensive forensics toolkit designed entirely for Linux environments with zero Windows tool dependencies. Parse Windows artifacts natively using pure Python libraries.
Related Projects
- mem_forensics-mcp - Unified Memory Forensics MCP Server - Multi-tier engine combining Rust speed with Vol3 coverage
- mac_forensics-mcp - macOS DFIR - Unified Logs, FSEvents, Spotlight, Plists, SQLite databases, Extended Attributes
Features
Core Forensics
| Category | Capabilities |
|---|---|
| EVTX Logs | Parse Windows Event Logs with filtering, search, and pre-built security queries |
| Registry | Analyze SAM, SYSTEM, SOFTWARE, SECURITY, NTUSER.DAT hives |
| Remote Collection | Collect artifacts via WinRM (password or pass-the-hash) |
Execution Artifacts
| Category | Capabilities |
|---|---|
| PE Analysis | Static analysis with hashes (MD5/SHA1/SHA256/imphash), imports, exports, packer detection |
| Prefetch | Execution evidence with run counts, timestamps, loaded files |
| Amcache | SHA1 hashes and first-seen timestamps from Amcache.hve |
| SRUM | Application resource usage, CPU time, network activity from SRUDB.dat |
File System Artifacts
| Category | Capabilities |
|---|---|
| MFT | Master File Table parsing with timestomping detection |
| USN Journal | Change journal for file operations and deleted file recovery |
| Timeline | Unified timeline from MFT, USN, Prefetch, Amcache, EVTX |
User Activity
| Category | Capabilities |
|---|---|
| Browser | Edge, Chrome, Firefox history and downloads |
| LNK Files | Windows shortcut analysis for recently accessed files |
| ShellBags | Folder navigation history with suspicious path detection |
| RecentDocs | Registry-based recent document tracking |
Network Forensics
| Category | Capabilities |
|---|---|
| PCAP Analysis | Parse PCAP/PCAPNG files - conversations, DNS queries, HTTP requests, suspicious connections |
API Monitor Capture Analysis
| Category | Capabilities |
|---|---|
| APMX Parsing | Parse API Monitor captures (.apmx64/.apmx86) - process metadata, API call extraction, parameter values |
| Pattern Detection | Detect injection, hollowing, credential dumping, and other attack patterns from captured API call sequences with MITRE ATT&CK mapping |
| Handle Correlation | Track handle values across calls to reconstruct attack chains (OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread) |
| Injection Analysis | Extract enriched injection chain details: target PID/process, shellcode size, allocation addresses, technique classification |
| API Knowledge Base | 26,944 Windows API definitions with parameter signatures, DLL mappings, and category browsing |
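As an added example (not code from the winforensics-mcp project), the handle-correlation idea in the table above applied to a constructed list of API Monitor-style call records: the handle that OpenProcess returns is followed through the hProcess parameter of the later calls, and only a chain that completes every step in order is reported. The record layout and the T1055 mapping are assumptions made for illustration.

```python
# Constructed call records standing in for apmx_get_call_details output (not a real capture).
CALLS = [
    {"id": 1, "api": "OpenProcess", "params": {"dwProcessId": 4120}, "ret": "0x2a8"},
    {"id": 2, "api": "OpenProcess", "params": {"dwProcessId": 880}, "ret": "0x2c0"},
    {"id": 3, "api": "VirtualAllocEx", "params": {"hProcess": "0x2a8", "dwSize": 512,
                                                 "flProtect": "PAGE_EXECUTE_READWRITE"}, "ret": "0x1f0000"},
    {"id": 4, "api": "WriteProcessMemory", "params": {"hProcess": "0x2a8",
                                                      "lpBaseAddress": "0x1f0000", "nSize": 512}, "ret": 1},
    {"id": 5, "api": "CloseHandle", "params": {"hObject": "0x2c0"}, "ret": 1},
    {"id": 6, "api": "CreateRemoteThread", "params": {"hProcess": "0x2a8",
                                                      "lpStartAddress": "0x1f0000"}, "ret": "0x2b4"},
]

# Consumer steps, in order, that must all reuse the handle OpenProcess produced.
CHAIN = ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]

def correlate_injection_chains(calls):
    """Group calls by process handle and report the chains that complete every CHAIN step."""
    open_handles = {}  # handle value -> partial chain built so far
    for call in calls:
        api, params = call["api"], call["params"]
        if api == "OpenProcess":  # producer: remember the handle and the target PID
            open_handles[call["ret"]] = {"handle": call["ret"],
                                         "target_pid": params["dwProcessId"],
                                         "records": [call["id"]], "next": 0}
            continue
        chain = open_handles.get(params.get("hProcess"))
        if chain is None or chain["next"] >= len(CHAIN):
            continue  # unrelated handle, or chain already complete
        if api != CHAIN[chain["next"]]:
            continue  # out-of-order call; keep waiting for the expected step
        chain["records"].append(call["id"])
        chain["next"] += 1
        if api == "VirtualAllocEx":  # enrichment the README lists for injection chains
            chain["alloc_address"] = call["ret"]
            chain["shellcode_size"] = params["dwSize"]
    complete = [c for c in open_handles.values() if c["next"] == len(CHAIN)]
    for c in complete:
        c.pop("next")
        c["technique"] = "Classic remote-thread injection"
        c["mitre"] = "T1055"  # ATT&CK Process Injection (assumed mapping)
    return complete

if __name__ == "__main__":
    for chain in correlate_injection_chains(CALLS):
        print(chain)
```

The second OpenProcess handle (0x2c0) is only closed and never consumed, so it produces no chain; that is the case a per-handle correlation has to get right.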
Malware Detection
| Category | Capabilities |
|---|---|
| YARA Scanning | 718 rules from signature-base - APT, ransomware, webshells, hacktools |
| VirusTotal | Hash/IP/domain reputation lookups with caching and rate limiting (free tier supported) |
| DiE Integration | Detect packers (UPX, Themida, VMProtect), compilers, .NET, installers via Detect It Easy |
Orchestrators
| Tool | What It Does |
|---|---|
| investigate_execution | Correlates Prefetch + Amcache + SRUM to answer "Was this binary executed?" |
| investigate_user_activity | Correlates Browser + ShellBags + LNK + RecentDocs for user activity timeline |
| hunt_ioc | Searches for IOC (hash/filename/IP/domain) across ALL artifact sources + optional YARA scanning |
| build_timeline | Builds unified forensic timeline from multiple sources |
Utilities
| Tool | What It Does |
|---|---|
| ingest_parsed_csv | Import Eric Zimmerman tool CSV output (MFTECmd, PECmd, AmcacheParser) |
Installation
Prerequisites
```bash
# Install uv (fast Python package manager)
curl -LsSf https://astral.sh/uv/install.sh | sh
source ~/.bashrc
# Ensure Python 3.10+
python3 --version
```
Install from PyPI
```bash
uv tool install winforensics-mcp
```
Install from source
```bash
git clone https://github.com/x746b/winforensics-mcp.git
cd winforensics-mcp
# Install with uv (recommended)
uv sync
# Or install with all optional extras
uv venv && source .venv/bin/activate
uv pip install -e ".[all]"
```
Verify
```bash
uv run python -m winforensics_mcp.server
# Should start without errors (Ctrl+C to exit)
```
Adding to Claude CLI
Installed from PyPI
```bash
claude mcp add winforensics-mcp --scope user -- uv run winforensics-mcp
```
Installed from sources
```bash
claude mcp add winforensics-mcp \
  --scope user \
  -- uv run --directory /path/to/winforensics-mcp python -m winforensics_mcp.server
```
Verify:
```bash
claude mcp list
# Should show winforensics-mcp
```
LLM Integration (CLAUDE.md)
For AI-assisted forensic analysis, include CLAUDE.md in your case directory. It provides:
- Orchestrator-first guidance - Ensures LLMs use high-level tools before low-level parsers
- Token efficiency - Reduces API costs by 50%+ through proper tool selection
- Investigation workflow - Step-by-step methodology for consistent analysis
Usage
Copy CLAUDE.md to your case directory:
```bash
cp /path/to/winforensics-mcp/CLAUDE.md /your/case/directory/
# Edit paths in CLAUDE.md to match your case
```
The LLM will automatically follow the orchestrator-first approach:
| Question | Orchestrator Used |
|---|---|
| "Was malware.exe executed?" | investigate_execution |
| "What did the user do?" | investigate_user_activity |
| "Find this hash everywhere" | hunt_ioc |
| "Build incident timeline" | build_timeline |
Quick Start Examples
Was This Binary Executed?
Investigate if mimikatz.exe was executed on the system at /mnt/evidence
The investigate_execution orchestrator checks Prefetch, Amcache, and SRUM:
```json
{
  "target": "mimikatz.exe",
  "execution_confirmed": true,
  "confidence": "HIGH",
  "evidence": [
    {"source": "Prefetch", "finding": "Executed 3 times, last at 2024-03-15T14:23:45Z"},
    {"source": "Amcache", "finding": "SHA1: abc123..., First seen: 2024-03-14T09:00:00Z"},
    {"source": "SRUM", "finding": "Network: 15.2 MB sent; Foreground: 47 seconds"}
  ]
}
```
Hunt for IOC Across All Artifacts
Hunt for the hash 204bc44c651e17f65c95314e0b6dfee586b72089 in /mnt/evidence
The hunt_ioc tool searches Prefetch, Amcache, SRUM, MFT, USN, Browser, EVTX, and optionally YARA:
```json
{
  "ioc": "204bc44c651e17f65c95314e0b6dfee586b72089",
  "ioc_type": "sha1",
  "found": true,
  "sources_with_hits": ["Amcache", "MFT"],
  "findings": [
    {"source": "Amcache", "matches": 1, "details": "bloodhound.exe"},
    {"source": "MFT", "matches": 1, "details": "Users\\Admin\\Downloads\\bloodhound.exe"}
  ]
}
```
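An added example (not the project's own hunt_ioc implementation) of the two things the tool has to do: classify the IOC by its shape, then search each parsed source for it and report hits in the layout shown above. The artifact records, the file-extension list that keeps a filename such as bloodhound.exe from being read as a domain, and the exact result keys are constructed assumptions.

```python
import re

# Constructed artifact records standing in for disk_parse_* output (not real evidence).
ARTIFACTS = {
    "Prefetch": [{"name": "BLOODHOUND.EXE-1A2B3C4D.pf", "run_count": 2}],
    "Amcache": [{"path": "C:\\Users\\Admin\\Downloads\\bloodhound.exe",
                 "sha1": "204bc44c651e17f65c95314e0b6dfee586b72089"}],
    "MFT": [{"path": "Users\\Admin\\Downloads\\bloodhound.exe",
             "sha1": "204bc44c651e17f65c95314e0b6dfee586b72089"},
            {"path": "Windows\\System32\\notepad.exe", "sha1": "0" * 40}],
    "Browser": [{"url": "https://example.test/dl/bloodhound.zip", "host": "example.test"}],
}

IOC_PATTERNS = [  # checked in order; hashes are told apart purely by hex length
    ("md5", re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("sha1", re.compile(r"^[0-9a-f]{40}$", re.I)),
    ("sha256", re.compile(r"^[0-9a-f]{64}$", re.I)),
    ("ip", re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")),
    ("domain", re.compile(r"^([a-z0-9-]+\.)+[a-z]{2,}$", re.I)),
]
FILE_EXTS = {"exe", "dll", "sys", "ps1", "bat", "zip", "pf", "lnk"}  # assumed list

def classify_ioc(ioc):
    """Infer the IOC type from its shape; 'malware.exe' must not be taken for a domain."""
    if ioc.rsplit(".", 1)[-1].lower() in FILE_EXTS:
        return "filename"
    for ioc_type, pattern in IOC_PATTERNS:
        if pattern.match(ioc):
            return ioc_type
    return "filename"

def hunt_ioc(ioc, artifacts):
    """Search every source for the IOC and return a hunt_ioc-style summary."""
    ioc_type, needle, findings = classify_ioc(ioc), ioc.lower(), []
    for source, records in artifacts.items():
        hits = []
        for rec in records:
            if ioc_type in ("md5", "sha1", "sha256"):
                matched = rec.get(ioc_type, "").lower() == needle  # exact hash match only
            else:  # filename/IP/domain: substring match over every field of the record
                matched = any(needle in str(v).lower() for v in rec.values())
            if matched:
                hits.append(rec.get("path") or rec.get("name") or rec.get("url"))
        if hits:
            findings.append({"source": source, "matches": len(hits), "details": hits})
    return {"ioc": ioc, "ioc_type": ioc_type, "found": bool(findings),
            "sources_with_hits": [f["source"] for f in findings], "findings": findings}
```

Hunting the same hash as above hits Amcache and MFT only, while hunting the filename bloodhound.exe also hits Prefetch, whose records carry no hash.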
Tool Reference
Orchestrators (High-Level Investigation)
| Tool | Description |
|---|---|
| investigate_execution | Correlate Prefetch/Amcache/SRUM to prove binary execution |
| investigate_user_activity | Correlate Browser/ShellBags/LNK/RecentDocs for user activity |
| hunt_ioc | Hunt IOC (hash/filename/IP/domain) across all artifacts; yara_scan=True adds YARA threat intel |
| build_timeline | Build unified timeline from multiple artifact sources |
Execution Artifacts
| Tool | Description |
|---|---|
| file_analyze_pe | Static PE analysis - hashes, imports, exports, packer detection |
| disk_parse_prefetch | Parse Prefetch for execution evidence |
| disk_parse_amcache | Parse Amcache.hve for SHA1 hashes and timestamps |
| disk_parse_srum | Parse SRUDB.dat for app resource and network usage |
Malware Detection (YARA)
| Tool | Description |
|---|---|
| yara_scan_file | Scan file with 718 YARA rules (Mimikatz, CobaltStrike, webshells, APT, ransomware) |
| yara_scan_directory | Batch scan directory for malware |
| yara_list_rules | List available/bundled YARA rules |
Threat Intelligence (VirusTotal)
| Tool | Description |
|---|---|
| vt_lookup_hash | Look up file hash (MD5/SHA1/SHA256) on VirusTotal |
| vt_lookup_ip | Get IP address reputation and geolocation |
| vt_lookup_domain | Get domain reputation and categorization |
| vt_lookup_file | Calculate file hashes and look up on VirusTotal |
Network Forensics (PCAP)
| Tool | Description |
|---|---|
| pcap_get_stats | Get PCAP statistics - packet counts, protocols, top talkers |
| pcap_get_conversations | Extract TCP/UDP conversations with byte counts |
| pcap_get_dns | Extract DNS queries and responses |
| pcap_get_http | Extract HTTP requests with URLs, methods, user-agents |
| pcap_search | Search packet payloads for strings or regex patterns |
| pcap_find_suspicious | Detect C2 indicators, beaconing, DNS tunneling |
API Monitor Capture Analysis (APMX)
| Tool | Description |
|---|---|
| apmx_parse | Parse .apmx64/.apmx86 capture - process info, modules, call counts |
| apmx_get_calls | Extract API calls with filtering, pagination, and time range support |
| apmx_get_call_details | Detailed records with parameter values, return values, timestamps |
| apmx_detect_patterns | Detect attack patterns (injection, hollowing, credential dumping) with MITRE ATT&CK IDs |
| apmx_correlate_handles | Track handle producer/consumer chains across API calls |
| apmx_get_injection_info | Enriched injection chain extraction (target PID, shellcode size, technique) |
| apmx_get_calls_around | Context window of calls around a specific record |
| apmx_search_params | Search all records for a specific parameter value |
| api_analyze_imports | Full PE import analysis with pattern detection and MITRE ATT&CK mapping |
| api_detect_patterns | Detect attack patterns from PE import tables |
| api_lookup | Look up Windows API signature (26,944 APIs with params, DLL, category) |
| api_search_category | Browse APIs by category (e.g., "Process Injection", "File Management") |
Packer Detection (DiE)
| Tool | Description |
|---|---|
| die_analyze_file | Analyze file for packers, compilers, protectors, .NET |
| die_scan_directory | Batch scan directory for packed executables |
| die_get_packer_info | Get info about packer (difficulty, unpack tools) |
File System
| Tool | Description |
|---|---|
| disk_parse_mft | Parse $MFT with timestomping detection |
| disk_parse_usn_journal | Parse $J for file operations and deleted files |
User Activity
| Tool | Description |
|---|---|
| browser_get_history | Parse Edge/Chrome/Firefox history and downloads |
| user_parse_lnk_files | Parse Windows shortcuts for target paths |
| user_parse_shellbags | Parse ShellBags for folder navigation history |
Event Logs
| Tool | Description |
|---|---|
| evtx_list_files | List EVTX files in a directory |
| evtx_get_stats | Get event counts, time range, Event ID distribution |
| evtx_search | Search with filters (time, Event ID, keywords) |
| evtx_security_search | Pre-built security event searches (logon, process creation, etc.) |
| evtx_attack_summary | Compact TSV summary for rapid triage - one line per event, attack-relevant columns only |
| evtx_explain_event_id | Get Event ID description |
Registry
| Tool | Description |
|---|---|
| registry_get_key | Get specific key and values |
| registry_search | Search values by pattern |
| registry_get_persistence | Get Run keys and services |
| registry_get_users | Get user accounts from SAM |
| registry_get_usb_history | Get USB device history |
| registry_get_system_info | Get OS version, hostname, timezone |
| registry_get_network | Get network configuration |
Utilities
| Tool | Description |
|---|---|
| ingest_parsed_csv | Import Eric Zimmerman CSV output (MFTECmd, PECmd, AmcacheParser, SrumECmd) |
| forensics_list_important_events | List important Event IDs by channel |
| forensics_list_registry_keys | List forensic registry keys by category |
Remote Collection
| Tool | Description |
|---|---|
| remote_collect_artifacts | Collect artifacts via WinRM (password or pass-the-hash) |
| remote_get_system_info | Get remote system info |
Configuration
VirusTotal API Key
```bash
# Option 1: Environment variable
export VIRUSTOTAL_API_KEY="your-api-key-here"
# Option 2: Config file
mkdir -p ~/.config/winforensics-mcp
echo "your-api-key-here" > ~/.config/winforensics-mcp/vt_api_key
```
Get your free API key at virustotal.com. Free tier is rate-limited to 4 requests/minute; the client handles rate limiting and caches results for 24 hours.
Troubleshooting
DiE (Detect It Easy) not found
```bash
# Debian/Ubuntu
sudo apt install detect-it-easy
# Or download from https://github.com/horsicq/DIE-engine/releases
```
Remove MCP Server
```bash
claude mcp remove winforensics-mcp --scope user
```
License
Credits: omerbenamram/evtx (Rust EVTX parser), Rohitab Batra (API Monitor), Neo23x0/signature-base (YARA rules), horsicq/DIE-engine (Detect It Easy)
MIT License | xtk | Built for the DFIR community. No Windows required >)