Winforensics MCP

The Windows Forensics MCP Server is a comprehensive digital forensics toolkit designed specifically for Linux environments. It uses pure Python libraries to natively parse traces from Windows systems without relying on Windows tools. It provides functions such as EVTX log analysis, registry analysis, execution trace analysis, filesystem forensics, user activity analysis, network forensics, malware detection, and API monitoring capture analysis, and supports remote collection and high - level investigation coordinators.

Security Developer tools #Windows Forensics #Linux Toolkit #Digital Investigation #Malware Analysis .Python

rating : 2.5 points

downloads : 3.4K

update time : 2026-03-13

Open Site

What is Windows Forensics MCP Server?

Windows Forensics MCP Server is a Windows digital forensics and incident response toolkit designed specifically for Linux environments. It allows investigators to directly analyze and parse forensic data from Windows systems on Linux systems without installing any Windows tools or dependencies. This tool is implemented using pure Python libraries and can handle various Windows forensic artifacts, such as event logs, registry, execution traces, user activities, etc.

How to use Windows Forensics MCP Server?

This tool runs as an MCP server and can be interacted with through AI assistants such as Claude. You can mount a Windows forensic image to a Linux system and then use this tool to analyze the data within it. The tool provides an advanced investigation coordinator that can automatically correlate multiple data sources to answer complex investigation questions.

Applicable Scenarios

It is applicable to scenarios such as network security incident response, digital forensics investigations, malware analysis, and internal threat investigations. It is particularly suitable for investigators who need to analyze evidence from Windows systems in a Linux environment.

Main Features

Core Forensic Functions

Parse Windows event logs (EVTX), registry (SAM, SYSTEM, SOFTWARE, etc.), and support remote evidence collection via WinRM.

Execution Trace Analysis

Analyze PE files, Prefetch execution evidence, Amcache hash records, and SRUM application resource usage data.

Filesystem Forensics

Parse the MFT master file table, USN change log, and build a unified timeline.

User Activity Analysis

Analyze browser history, LNK shortcuts, ShellBags folder navigation history, and RecentDocs recent document records.

Network Forensics

Parse PCAP/PCAPNG network capture files and analyze network sessions, DNS queries, and HTTP requests.

API Monitoring Analysis

Parse API Monitor capture files, detect attack patterns such as process injection and credential dumping, and contain 26,944 Windows API definitions.

Malware Detection

Use 718 YARA rules to detect threats such as APT, ransomware, and Webshell, integrate VirusTotal threat intelligence, and perform Detect It Easy packing detection.

Investigation Orchestrators

Advanced tools automatically correlate multiple data sources: investigate_execution, investigate_user_activity, hunt_ioc, build_timeline.

Advantages

Runs in a pure Linux environment without relying on Windows tools

Implemented using pure Python, easy to deploy and maintain

Provides an advanced investigation coordinator to automatically correlate multiple data sources

Integrates multiple threat intelligence sources (YARA, VirusTotal)

Supports remote evidence collection (via WinRM)

Contains rich API monitoring and analysis capabilities

Limitations

Requires basic knowledge of the Linux command line

Some functions require external tools (such as Detect It Easy)

The free version of VirusTotal has API call limitations

Requires mounting Windows evidence to a Linux system

How to Use

Install the Tool

Install Windows Forensics MCP Server using the uv package manager.

Add to Claude CLI

Add the MCP server to the Claude command - line interface.

Prepare Forensic Data

Mount a Windows forensic image to a Linux system, for example, mount it to the /mnt/evidence directory.

Start the Investigation

Interact with the MCP server through Claude and use the advanced coordinator for the investigation.

Usage Examples

Example 1: Investigate the Execution of a Suspicious Binary File

Investigate whether mimikatz.exe has been executed on the infected system.

Example 2: Search for Threat Indicators

Search for a specific SHA1 hash value in all forensic artifacts.

Example 3: Analyze User Activity

Investigate the activities of a specific user on the system.

Example 4: Analyze Network Captures

Analyze suspicious network activities in a PCAP file.

Frequently Asked Questions

Do I need a Windows license to use this tool?

How can I obtain a VirusTotal API key?

What is Detect It Easy? How to install it?

Which Windows versions does the tool support?

How to import the output of Eric Zimmerman tools?

Related Resources

GitHub Repository

Source code and documentation for Windows Forensics MCP Server

Memory Forensics MCP Server

Unified memory forensics MCP server that combines the speed of Rust and the coverage of Vol3

macOS Forensics MCP Server

macOS digital forensics and incident response tool

API Monitor

Windows API monitoring tool for capturing API calls

signature - base YARA Rules

A library of 718 YARA rules including APT, ransomware, and Webshell

Detect It Easy Engine

Packing detection and file analysis tool

🚀 Windows Forensics MCP Server

Windows DFIR from Linux - A comprehensive forensics toolkit designed entirely for Linux environments with zero Windows tool dependencies. Parse Windows artifacts natively using pure Python libraries.

🚀 Quick Start

The Windows Forensics MCP Server is a powerful forensics toolkit for Linux. It allows you to perform in - depth analysis of Windows artifacts without relying on Windows tools.

✨ Features

Core Forensics

Property	Details
EVTX Logs	Parse Windows Event Logs with filtering, search, and pre - built security queries
Registry	Analyze SAM, SYSTEM, SOFTWARE, SECURITY, NTUSER.DAT hives
Remote Collection	Collect artifacts via WinRM (password or pass - the - hash)

Execution Artifacts

Property	Details
PE Analysis	Static analysis with hashes (MD5/SHA1/SHA256/imphash), imports, exports, packer detection
Prefetch	Execution evidence with run counts, timestamps, loaded files
Amcache	SHA1 hashes and first - seen timestamps from Amcache.hve
SRUM	Application resource usage, CPU time, network activity from SRUDB.dat

File System Artifacts

Property	Details
MFT	Master File Table parsing with timestomping detection
USN Journal	Change journal for file operations and deleted file recovery
Timeline	Unified timeline from MFT, USN, Prefetch, Amcache, EVTX

User Activity

Property	Details
Browser	Edge, Chrome, Firefox history and downloads
LNK Files	Windows shortcut analysis for recently accessed files
ShellBags	Folder navigation history with suspicious path detection
RecentDocs	Registry - based recent document tracking

Network Forensics

Property	Details
PCAP Analysis	Parse PCAP/PCAPNG files - conversations, DNS queries, HTTP requests, suspicious connections

API Monitor Capture Analysis

Property	Details
APMX Parsing	Parse API Monitor captures (.apmx64/.apmx86) - process metadata, API call extraction, parameter values
Pattern Detection	Detect injection, hollowing, credential dumping, and other attack patterns from captured API call sequences with MITRE ATT&CK mapping
Handle Correlation	Track handle values across calls to reconstruct attack chains (OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread)
Injection Analysis	Extract enriched injection chain details: target PID/process, shellcode size, allocation addresses, technique classification
API Knowledge Base	26,944 Windows API definitions with parameter signatures, DLL mappings, and category browsing

Malware Detection

Property	Details
YARA Scanning	718 rules from [signature - base](https://github.com/Neo23x0/signature - base) - APT, ransomware, webshells, hacktools
VirusTotal	Hash/IP/domain reputation lookups with caching and rate limiting (free tier supported)
DiE Integration	Detect packers (UPX, Themida, VMProtect), compilers, .NET, installers via Detect It Easy

Orchestrators

Tool	What It Does
`investigate_execution`	Correlates Prefetch + Amcache + SRUM to answer "Was this binary executed?"
`investigate_user_activity`	Correlates Browser + ShellBags + LNK + RecentDocs for user activity timeline
`hunt_ioc`	Searches for IOC (hash/filename/IP/domain) across ALL artifact sources + optional YARA scanning
`build_timeline`	Builds unified forensic timeline from multiple sources

Utilities

Tool	What It Does
`ingest_parsed_csv`	Import Eric Zimmerman tool CSV output (MFTECmd, PECmd, AmcacheParser)

📦 Installation

Prerequisites

# Install uv (fast Python package manager)
curl -LsSf https://astral.sh/uv/install.sh | sh
source ~/.bashrc

# Ensure Python 3.10+
python3 --version

Install from PyPI

uv tool install winforensics - mcp

Install from source

git clone https://github.com/x746b/winforensics - mcp.git
cd winforensics - mcp

# Install with uv (recommended)
uv sync

# Or install with all optional extras
uv venv && source .venv/bin/activate
uv pip install -e ".[all]"

Verify

uv run python -m winforensics_mcp.server
# Should start without errors (Ctrl+C to exit)

💻 Usage Examples

Was This Binary Executed?

Investigate if mimikatz.exe was executed on the system at /mnt/evidence

The investigate_execution orchestrator checks Prefetch, Amcache, and SRUM:

{
  "target": "mimikatz.exe",
  "execution_confirmed": true,
  "confidence": "HIGH",
  "evidence": [
    {"source": "Prefetch", "finding": "Executed 3 times, last at 2024-03-15T14:23:45Z"},
    {"source": "Amcache", "finding": "SHA1: abc123..., First seen: 2024-03-14T09:00:00Z"},
    {"source": "SRUM", "finding": "Network: 15.2 MB sent; Foreground: 47 seconds"}
  ]
}

Hunt for IOC Across All Artifacts

Hunt for the hash 204bc44c651e17f65c95314e0b6dfee586b72089 in /mnt/evidence

The hunt_ioc tool searches Prefetch, Amcache, SRUM, MFT, USN, Browser, EVTX, and optionally YARA:

{
  "ioc": "204bc44c651e17f65c95314e0b6dfee586b72089",
  "ioc_type": "sha1",
  "found": true,
  "sources_with_hits": ["Amcache", "MFT"],
  "findings": [
    {"source": "Amcache", "matches": 1, "details": "bloodhound.exe"},
    {"source": "MFT", "matches": 1, "details": "Users\\Admin\\Downloads\\bloodhound.exe"}
  ]
}

📚 Documentation

Adding to Claude CLI

Installed from PyPI

claude mcp add winforensics - mcp --scope user -- uv run winforensics - mcp

Installed from sources

claude mcp add winforensics - mcp \
  --scope user \
  -- uv run --directory /path/to/winforensics - mcp python -m winforensics_mcp.server

Verify:

claude mcp list
# Should show winforensics - mcp

LLM Integration (CLAUDE.md)

For AI - assisted forensic analysis, include in your case directory. It provides:

Orchestrator - first guidance - Ensures LLMs use high - level tools before low - level parsers
Token efficiency - Reduces API costs by 50%+ through proper tool selection
Investigation workflow - Step - by - step methodology for consistent analysis

Usage

Copy CLAUDE.md to your case directory:

cp /path/to/winforensics - mcp/CLAUDE.md /your/case/directory/
# Edit paths in CLAUDE.md to match your case

The LLM will automatically follow the orchestrator - first approach:

Question	Orchestrator Used
"Was malware.exe executed?"	`investigate_execution`
"What did the user do?"	`investigate_user_activity`
"Find this hash everywhere"	`hunt_ioc`
"Build incident timeline"	`build_timeline`

Tool Reference

Orchestrators (High - Level Investigation)

Tool	Description
`investigate_execution`	Correlate Prefetch/Amcache/SRUM to prove binary execution
`investigate_user_activity`	Correlate Browser/ShellBags/LNK/RecentDocs for user activity
`hunt_ioc`	Hunt IOC (hash/filename/IP/domain) across all artifacts; `yara_scan = True` adds YARA threat intel
`build_timeline`	Build unified timeline from multiple artifact sources

Execution Artifacts

Tool	Description
`file_analyze_pe`	Static PE analysis - hashes, imports, exports, packer detection
`disk_parse_prefetch`	Parse Prefetch for execution evidence
`disk_parse_amcache`	Parse Amcache.hve for SHA1 hashes and timestamps
`disk_parse_srum`	Parse SRUDB.dat for app resource and network usage

Malware Detection (YARA)

Tool	Description
`yara_scan_file`	Scan file with 718 YARA rules (Mimikatz, CobaltStrike, webshells, APT, ransomware)
`yara_scan_directory`	Batch scan directory for malware
`yara_list_rules`	List available/bundled YARA rules

Threat Intelligence (VirusTotal)

Tool	Description
`vt_lookup_hash`	Look up file hash (MD5/SHA1/SHA256) on VirusTotal
`vt_lookup_ip`	Get IP address reputation and geolocation
`vt_lookup_domain`	Get domain reputation and categorization
`vt_lookup_file`	Calculate file hashes and look up on VirusTotal

Network Forensics (PCAP)

Tool	Description
`pcap_get_stats`	Get PCAP statistics - packet counts, protocols, top talkers
`pcap_get_conversations`	Extract TCP/UDP conversations with byte counts
`pcap_get_dns`	Extract DNS queries and responses
`pcap_get_http`	Extract HTTP requests with URLs, methods, user - agents
`pcap_search`	Search packet payloads for strings or regex patterns
`pcap_find_suspicious`	Detect C2 indicators, beaconing, DNS tunneling

API Monitor Capture Analysis (APMX)

Tool	Description
`apmx_parse`	Parse .apmx64/.apmx86 capture - process info, modules, call counts
`apmx_get_calls`	Extract API calls with filtering, pagination, and time range support
`apmx_get_call_details`	Detailed records with parameter values, return values, timestamps
`apmx_detect_patterns`	Detect attack patterns (injection, hollowing, credential dumping) with MITRE ATT&CK IDs
`apmx_correlate_handles`	Track handle producer/consumer chains across API calls
`apmx_get_injection_info`	Enriched injection chain extraction (target PID, shellcode size, technique)
`apmx_get_calls_around`	Context window of calls around a specific record
`apmx_search_params`	Search all records for a specific parameter value
`api_analyze_imports`	Full PE import analysis with pattern detection and MITRE ATT&CK mapping
`api_detect_patterns`	Detect attack patterns from PE import tables
`api_lookup`	Look up Windows API signature (26,944 APIs with params, DLL, category)
`api_search_category`	Browse APIs by category (e.g., "Process Injection", "File Management")

Packer Detection (DiE)

Tool	Description
`die_analyze_file`	Analyze file for packers, compilers, protectors, .NET
`die_scan_directory`	Batch scan directory for packed executables
`die_get_packer_info`	Get info about packer (difficulty, unpack tools)

File System

Tool	Description
`disk_parse_mft`	Parse $MFT with timestomping detection
`disk_parse_usn_journal`	Parse $J for file operations and deleted files

User Activity

Tool	Description
`browser_get_history`	Parse Edge/Chrome/Firefox history and downloads
`user_parse_lnk_files`	Parse Windows shortcuts for target paths
`user_parse_shellbags`	Parse ShellBags for folder navigation history

Event Logs

Tool	Description
`evtx_list_files`	List EVTX files in a directory
`evtx_get_stats`	Get event counts, time range, Event ID distribution
`evtx_search`	Search with filters (time, Event ID, keywords)
`evtx_security_search`	Pre - built security event searches (logon, process creation, etc.)
`evtx_attack_summary`	Compact TSV summary for rapid triage - one line per event, attack - relevant columns only
`evtx_explain_event_id`	Get Event ID description

Registry

Tool	Description
`registry_get_key`	Get specific key and values
`registry_search`	Search values by pattern
`registry_get_persistence`	Get Run keys and services
`registry_get_users`	Get user accounts from SAM
`registry_get_usb_history`	Get USB device history
`registry_get_system_info`	Get OS version, hostname, timezone
`registry_get_network`	Get network configuration

Utilities

Tool	Description
`ingest_parsed_csv`	Import Eric Zimmerman CSV output (MFTECmd, PECmd, AmcacheParser, SrumECmd)
`forensics_list_important_events`	List important Event IDs by channel
`forensics_list_registry_keys`	List forensic registry keys by category

Remote Collection

Tool	Description
`remote_collect_artifacts`	Collect artifacts via WinRM (password or pass - the - hash)
`remote_get_system_info`	Get remote system info

Configuration

VirusTotal API Key

# Option 1: Environment variable
export VIRUSTOTAL_API_KEY="your-api-key-here"

# Option 2: Config file
mkdir -p ~/.config/winforensics - mcp
echo "your-api-key-here" > ~/.config/winforensics - mcp/vt_api_key

Get your free API key at [virustotal.com](https://www.virustotal.com/gui/join - us). Free tier is rate - limited to 4 requests/minute; the client handles rate limiting and caches results for 24 hours.

Troubleshooting

DiE (Detect It Easy) not found

# Debian/Ubuntu
sudo apt install detect - it - easy

# Or download from https://github.com/horsicq/DIE - engine/releases

Remove MCP Server

claude mcp remove winforensics - mcp --scope user

📄 License

Credits: Rohitab Batra (API Monitor), [Neo23x0/signature - base](https://github.com/Neo23x0/signature - base) (YARA rules), [horsicq/DIE - engine](https://github.com/horsicq/DIE - engine) (Detect It Easy)

MIT License | xtk | Built for the DFIR community. No Windows required >)