The Windows Forensics MCP Server is a Linux-native, Python-based toolkit for comprehensive Windows Digital Forensics and Incident Response, enabling artifact parsing and AI-assisted analysis without Windows dependencies.
Core Capabilities:
Event Log Analysis (EVTX): List/discover EVTX files, generate statistics (event counts, time ranges, Event ID distributions), search with advanced filtering (time, Event ID, keywords, providers), execute pre-built security queries (logons, process creation, lateral movement, credential access, log clearing, etc.), and get Event ID explanations.
Registry Forensics: Read keys/values from offline hives (SAM, SYSTEM, SOFTWARE, SECURITY, NTUSER.DAT), search by pattern, extract persistence mechanisms (Run keys, services), parse user accounts, analyze USB device history, retrieve system information (OS version, computer name, timezone), and extract network configuration.
Execution Artifact Analysis: Perform static PE analysis (hashes, imports, exports, packer detection), parse Prefetch files, extract SHA1 hashes and timestamps from Amcache.hve, and analyze SRUDB.dat for application resource usage and network activity.
File System Forensics: Parse Master File Table (MFT) with timestomping detection and USN Journal for file operations and deleted file recovery.
User Activity Tracking: Parse browser history and downloads (Edge, Chrome, Firefox), analyze LNK files, examine ShellBags for folder navigation, and correlate RecentDocs.
Orchestrated Investigations: Correlate multiple artifacts to prove binary execution, hunt for IOCs (hashes, filenames, IPs, domains) across all sources, build unified forensic timelines, and map comprehensive user activity timelines.
Remote Collection: Collect artifacts and system information via WinRM (password or pass-the-hash authentication).
Data Import: Ingest CSV output from Eric Zimmerman tools (MFTECmd, PECmd, AmcacheParser, SrumECmd) for workflow integration.
Forensic Reference: List important Event IDs by channel and forensically significant registry keys by category.
Enables forensic analysis of Firefox browser history and downloads to reconstruct user activity on Windows systems.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type @ followed by the MCP server name and your instructions, e.g., "@Windows Forensics MCP Server show me failed logon attempts in Security.evtx"
That's it! The server will respond to your query, and you can continue using it as needed.
Windows Forensics MCP Server
Windows DFIR from Linux - A comprehensive forensics toolkit designed entirely for Linux environments with zero Windows tool dependencies. Parse Windows artifacts natively using pure Python libraries.
Related Projects
mem_forensics-mcp - Unified Memory Forensics MCP Server - Multi-tier engine combining Rust speed with Vol3 coverage
mac_forensics-mcp - macOS DFIR - Unified Logs, FSEvents, Spotlight, Plists, SQLite databases, Extended Attributes
Features
Core Forensics
| Category | Capabilities |
| --- | --- |
| EVTX Logs | Parse Windows Event Logs with filtering, search, and pre-built security queries |
| Registry | Analyze SAM, SYSTEM, SOFTWARE, SECURITY, NTUSER.DAT hives |
| Remote Collection | Collect artifacts via WinRM (password or pass-the-hash) |
Execution Artifacts
| Category | Capabilities |
| --- | --- |
| PE Analysis | Static analysis with hashes (MD5/SHA1/SHA256/imphash), imports, exports, packer detection |
| Prefetch | Execution evidence with run counts, timestamps, loaded files |
| Amcache | SHA1 hashes and first-seen timestamps from Amcache.hve |
| SRUM | Application resource usage, CPU time, network activity from SRUDB.dat |
File System Artifacts
| Category | Capabilities |
| --- | --- |
| MFT | Master File Table parsing with timestomping detection |
| USN Journal | Change journal for file operations and deleted file recovery |
| Timeline | Unified timeline from MFT, USN, Prefetch, Amcache, EVTX |
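The timestomping detection listed for the MFT parser is a heuristic over the two timestamp sets an MFT entry carries. The following is an added Python illustration of the two most common checks; it is not the project's parser, and the `MftRecord` dataclass, the `SAMPLE_RECORDS` entries and the one-second slack are constructed for this example. Timestamps are handled as raw FILETIME ticks (100 ns units) so the sub-second check is exact.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TICKS_PER_SECOND = 10_000_000                     # FILETIME resolution is 100 ns
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def datetime_to_filetime(dt):
    """UTC datetime -> FILETIME ticks since 1601-01-01."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_datetime(ticks):
    """FILETIME ticks -> UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


@dataclass
class MftRecord:
    """Constructed subset of an MFT entry: the two timestamp sets that matter here."""
    path: str
    si_created: int     # $STANDARD_INFORMATION timestamps, FILETIME ticks
    si_modified: int
    fn_created: int     # $FILE_NAME timestamps, FILETIME ticks
    fn_modified: int


def detect_timestomping(rec, slack_seconds=1):
    """Return the reasons a record's $SI timestamps look manipulated (empty list if none).

    Heuristic 1: $SI created earlier than $FN created. User-mode APIs such as
    SetFileTime rewrite $SI, but only the kernel writes $FN, so a backdated $SI
    usually predates $FN. Files extracted from archives or restored from backup
    also show this, so treat it as a lead, not proof.
    Heuristic 2: a $SI timestamp whose sub-second part is exactly zero. Tools
    that set times with second granularity leave the 100 ns remainder at 0;
    kernel-set timestamps almost never do.
    """
    findings = []
    if rec.si_created + slack_seconds * TICKS_PER_SECOND < rec.fn_created:
        findings.append("SI created precedes FN created")
    for label, ticks in (("created", rec.si_created), ("modified", rec.si_modified)):
        if ticks % TICKS_PER_SECOND == 0:
            findings.append(f"SI {label} has zero sub-second component")
    return findings


def scan_records(records):
    """Map path -> findings for every record that triggers at least one heuristic."""
    results = {}
    for rec in records:
        findings = detect_timestomping(rec)
        if findings:
            results[rec.path] = findings
    return results


def ft_utc(*args):
    """Helper: build FILETIME ticks from datetime components interpreted as UTC."""
    return datetime_to_filetime(datetime(*args, tzinfo=timezone.utc))


# Constructed sample: one ordinary document and one executable whose $SI
# timestamps were set to a whole second in 2019 while $FN says March 2024.
SAMPLE_RECORDS = [
    MftRecord(r"\Users\alice\Documents\report.docx",
              si_created=ft_utc(2024, 3, 1, 10, 0, 0, 123456), si_modified=ft_utc(2024, 3, 2, 9, 15, 30, 654321),
              fn_created=ft_utc(2024, 3, 1, 10, 0, 0, 123456), fn_modified=ft_utc(2024, 3, 2, 9, 15, 30, 654321)),
    MftRecord(r"\Users\alice\AppData\Local\Temp\svchost.exe",
              si_created=ft_utc(2019, 1, 1, 0, 0, 0), si_modified=ft_utc(2019, 1, 1, 0, 0, 0),
              fn_created=ft_utc(2024, 3, 5, 14, 22, 10, 500000), fn_modified=ft_utc(2024, 3, 5, 14, 22, 10, 500000)),
]

if __name__ == "__main__":
    for path, findings in scan_records(SAMPLE_RECORDS).items():
        print(path)
        for f in findings:
            print("  -", f)
```

Only the second record is reported, with all three findings. The slack parameter absorbs the small $SI/$FN skew seen on normal file creation; raise it if a volume produces noise.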
User Activity
| Category | Capabilities |
| --- | --- |
| Browser | Edge, Chrome, Firefox history and downloads |
| LNK Files | Windows shortcut analysis for recently accessed files |
| ShellBags | Folder navigation history with suspicious path detection |
| RecentDocs | Registry-based recent document tracking |
Network Forensics
| Category | Capabilities |
| --- | --- |
| PCAP Analysis | Parse PCAP/PCAPNG files - conversations, DNS queries, HTTP requests, suspicious connections |
API Monitor Capture Analysis
| Category | Capabilities |
| --- | --- |
| APMX Parsing | Parse API Monitor captures (.apmx64/.apmx86) - process metadata, API call extraction, parameter values |
| Pattern Detection | Detect injection, hollowing, credential dumping, and other attack patterns from captured API call sequences with MITRE ATT&CK mapping |
| Handle Correlation | Track handle values across calls to reconstruct attack chains (OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread) |
| Injection Analysis | Extract enriched injection chain details: target PID/process, shellcode size, allocation addresses, technique classification |
| API Knowledge Base | 26,944 Windows API definitions with parameter signatures, DLL mappings, and category browsing |
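Handle correlation is what turns a flat list of API calls into the chain named above: the process handle returned by `OpenProcess` is the key that links the later allocation, write and thread-creation calls. Below is an added Python illustration of that correlation over already-parsed call records; it is not the project's APMX parser or detector. `SAMPLE_CALLS` is a constructed capture (handle and address values are arbitrary ints, and the record layout is this example's own), and the `correlate_handles` function is likewise this example's, written from the detection side.

```python
# Constructed API Monitor-style call records: sequence number, API name, the
# parameters that matter for correlation, and the return value. A real .apmx
# parser would supply these from the capture; the values here are made up.
SAMPLE_CALLS = [
    {"seq": 1, "api": "OpenProcess", "params": {"dwDesiredAccess": 0x1000, "dwProcessId": 1234}, "ret": 0x2A8},
    {"seq": 2, "api": "CloseHandle", "params": {"hObject": 0x2A8}, "ret": 1},
    # The kernel recycles handle values: from here on 0x2A8 refers to a different process.
    {"seq": 3, "api": "OpenProcess", "params": {"dwDesiredAccess": 0x1FFFFF, "dwProcessId": 4412}, "ret": 0x2A8},
    {"seq": 4, "api": "VirtualAllocEx", "params": {"hProcess": 0x2A8, "dwSize": 4096, "flProtect": 0x40}, "ret": 0x1F0000},
    {"seq": 5, "api": "WriteProcessMemory", "params": {"hProcess": 0x2A8, "lpBaseAddress": 0x1F0000, "nSize": 311}, "ret": 1},
    {"seq": 6, "api": "CreateRemoteThread", "params": {"hProcess": 0x2A8, "lpStartAddress": 0x1F0000}, "ret": 0x2B0},
    {"seq": 7, "api": "CloseHandle", "params": {"hObject": 0x2A8}, "ret": 1},
]


def correlate_handles(calls):
    """Follow each process handle returned by OpenProcess through the calls that
    consume it and report every complete
    OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread chain.

    Returns a list of finding dicts (target PID, allocation, bytes written,
    protection, technique label, MITRE ATT&CK id, contributing call sequence numbers).
    """
    live = {}        # handle value -> chain state, only while the handle is open
    findings = []
    for c in calls:
        api, p, ret = c["api"], c["params"], c["ret"]
        if api == "OpenProcess":
            if ret:  # a NULL return means the open failed; nothing to track
                live[ret] = {"target_pid": p["dwProcessId"], "access": p["dwDesiredAccess"],
                             "allocs": {}, "written": {}, "calls": [c["seq"]]}
            continue
        handle = p.get("hProcess", p.get("hObject"))
        state = live.get(handle)
        if state is None:
            continue  # this call does not use a handle we are tracking
        if api == "VirtualAllocEx" and ret:
            state["allocs"][ret] = {"size": p["dwSize"], "protect": p.get("flProtect")}
            state["calls"].append(c["seq"])
        elif api == "WriteProcessMemory" and p.get("lpBaseAddress") in state["allocs"]:
            addr = p["lpBaseAddress"]
            state["written"][addr] = state["written"].get(addr, 0) + p["nSize"]
            state["calls"].append(c["seq"])
        elif api == "CreateRemoteThread" and p.get("lpStartAddress") in state["written"]:
            addr = p["lpStartAddress"]
            state["calls"].append(c["seq"])
            findings.append({
                "technique": "Remote thread injection (CreateRemoteThread)",
                "mitre": "T1055",                       # Process Injection
                "target_pid": state["target_pid"],
                "requested_access": state["access"],
                "allocation": addr,
                "allocated_size": state["allocs"][addr]["size"],
                "shellcode_size": state["written"][addr],  # bytes written into the allocation
                "protect": state["allocs"][addr]["protect"],
                "calls": list(state["calls"]),
            })
        elif api == "CloseHandle":
            # Stop tracking so a later OpenProcess that returns the same value
            # starts a fresh chain instead of inheriting this one.
            del live[handle]
    return findings


if __name__ == "__main__":
    for finding in correlate_handles(SAMPLE_CALLS):
        print(finding)
```

The benign open/close of PID 1234 at the start is deliberately included: without honouring `CloseHandle`, the reused value 0x2A8 would attach the later chain to the wrong target. A thread start is reported only when the start address lies inside an allocation that was actually written to, so an allocation without a write, or a write to memory the tracked handle did not allocate, is not a finding.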
Malware Detection
| Category | Capabilities |
| --- | --- |
| YARA Scanning | 718 rules from signature-base - APT, ransomware, webshells, hacktools |
| VirusTotal | Hash/IP/domain reputation lookups with caching and rate limiting (free tier supported) |
| DiE Integration | Detect packers (UPX, Themida, VMProtect), compilers, .NET, installers via Detect It Easy |
Orchestrators
| Tool | What It Does |
| --- | --- |
| | Correlates Prefetch + Amcache + SRUM to answer "Was this binary executed?" |
| | Correlates Browser + ShellBags + LNK + RecentDocs for user activity timeline |
| | Searches for IOC (hash/filename/IP/domain) across ALL artifact sources + optional YARA scanning |
| | Builds unified forensic timeline from multiple sources |
Utilities
| Tool | What It Does |
| --- | --- |
| | Import Eric Zimmerman tool CSV output (MFTECmd, PECmd, AmcacheParser) |
Installation
Prerequisites
Install from PyPI
Install from source
Verify
Adding to Claude CLI
Installed from PyPI
Installed from source
Verify:
LLM Integration (CLAUDE.md)
For AI-assisted forensic analysis, include CLAUDE.md in your case directory. It provides:
Orchestrator-first guidance - Ensures LLMs use high-level tools before low-level parsers
Token efficiency - Reduces API costs by 50%+ through proper tool selection
Investigation workflow - Step-by-step methodology for consistent analysis
Usage
Copy CLAUDE.md to your case directory:
The LLM will automatically follow the orchestrator-first approach:
| Question | Orchestrator Used |
| --- | --- |
| "Was malware.exe executed?" | |
| "What did the user do?" | |
| "Find this hash everywhere" | |
| "Build incident timeline" | |
Quick Start Examples
Was This Binary Executed?
The investigate_execution orchestrator checks Prefetch, Amcache, and SRUM:
Hunt for IOC Across All Artifacts
The hunt_ioc tool searches Prefetch, Amcache, SRUM, MFT, USN, Browser, EVTX, and optionally YARA:
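The two orchestrators above share one idea: classify the indicator, search every parsed source for it, then read the hits back as evidence. The following added Python illustration shows that approach end to end for both "was this binary executed?" and "hunt this IOC everywhere". It is not the project's code: `ARTIFACTS` is a constructed sample of already-parsed records (the field names are this example's own), and `classify_ioc`, `hunt_indicator` and `execution_verdict` are this example's functions, deliberately not named after the project's tools.

```python
import re
from collections import defaultdict

# Constructed sample of already-parsed artifacts keyed by source. Only the
# fields used below are included; values are invented for this example.
ARTIFACTS = {
    "prefetch": [
        {"executable": "UPDATER.EXE", "run_count": 3, "last_run": "2024-03-05T14:22:10Z",
         "loaded_files": ["\\WINDOWS\\SYSTEM32\\NTDLL.DLL", "\\USERS\\ALICE\\APPDATA\\LOCAL\\TEMP\\UPDATER.EXE"]},
        {"executable": "NOTEPAD.EXE", "run_count": 12, "last_run": "2024-03-04T09:01:55Z", "loaded_files": []},
    ],
    "amcache": [
        {"path": "c:\\users\\alice\\appdata\\local\\temp\\updater.exe", "sha1": "0" * 39 + "1", "first_seen": "2024-03-05T14:21:58Z"},
        {"path": "c:\\users\\alice\\downloads\\tool.exe", "sha1": "0" * 39 + "2", "first_seen": "2024-03-06T08:00:00Z"},
    ],
    "srum": [
        {"app": "\\device\\harddiskvolume2\\users\\alice\\appdata\\local\\temp\\updater.exe", "bytes_sent": 48213, "cpu_time_ms": 1450},
    ],
    "evtx": [
        {"channel": "Security", "event_id": 4688, "time": "2024-03-05T14:22:09Z",
         "new_process_name": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe"},
        {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 3, "time": "2024-03-05T14:22:31Z",
         "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "dest_ip": "203.0.113.7", "dest_host": "update-cdn.example"},
    ],
    "browser": [
        {"url": "http://update-cdn.example/dl/updater.exe", "target": "C:\\Users\\alice\\Downloads\\updater.exe", "time": "2024-03-05T14:20:40Z"},
    ],
    "mft": [
        {"path": "\\Users\\alice\\AppData\\Local\\Temp\\updater.exe"},
        {"path": "\\Users\\alice\\Downloads\\tool.exe"},
        {"path": "\\Users\\alice\\Documents\\notes.txt"},
    ],
}

HEX = re.compile(r"^[0-9a-f]+$")
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
FILE_EXTS = (".exe", ".dll", ".sys", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".txt", ".pf", ".lnk", ".zip")


def _basename(value):
    return value.replace("/", "\\").rsplit("\\", 1)[-1]


def classify_ioc(ioc, ioc_type=None):
    """Return (type, normalised needle). Type is one of md5/sha1/sha256/ip/domain/filename.

    'updater.exe' and 'cdn.example' are syntactically alike, so known file
    extensions win over the domain check; pass ioc_type to override.
    """
    v = ioc.strip().lower()
    if ioc_type:
        return ioc_type, (_basename(v) if ioc_type == "filename" else v)
    if HEX.match(v) and len(v) in (32, 40, 64):
        return {32: "md5", 40: "sha1", 64: "sha256"}[len(v)], v
    if IPV4.match(v):
        return "ip", v
    if v.endswith(FILE_EXTS) or "\\" in v or "/" in v:
        return "filename", _basename(v)
    if DOMAIN.match(v):
        return "domain", v
    return "filename", _basename(v)


def _strings(obj):
    """Yield every string inside a parsed record, lower-cased."""
    if isinstance(obj, str):
        yield obj.lower()
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _strings(v)
    elif isinstance(obj, (list, tuple)):
        for v in obj:
            yield from _strings(v)


def _matches(kind, needle, value):
    if kind in ("md5", "sha1", "sha256"):
        return value == needle
    if kind == "filename":
        return _basename(value) == needle
    # ip/domain: bounded substring so 203.0.113.7 does not hit 203.0.113.70, but
    # a host embedded in a URL or log field still matches
    return re.search(r"(?<![\w.])" + re.escape(needle) + r"(?![\w.])", value) is not None


def hunt_indicator(ioc, artifacts=ARTIFACTS, ioc_type=None):
    """Search every source for the indicator; returns the matching records per source."""
    kind, needle = classify_ioc(ioc, ioc_type)
    hits = defaultdict(list)
    for source, records in artifacts.items():
        for rec in records:
            if any(_matches(kind, needle, v) for v in _strings(rec)):
                hits[source].append(rec)
    return {"ioc": needle, "type": kind, "hits": dict(hits)}


def execution_verdict(binary_name, artifacts=ARTIFACTS):
    """Turn the hits for a filename into an execution verdict with the evidence behind it."""
    report = hunt_indicator(binary_name, artifacts, ioc_type="filename")
    hits, evidence = report["hits"], []
    for pf in hits.get("prefetch", []):
        evidence.append(f"prefetch: run_count={pf['run_count']}, last_run={pf['last_run']}")
    if "srum" in hits:
        evidence.append("srum: resource usage recorded for the application")
    for ev in hits.get("evtx", []):
        if ev.get("event_id") == 4688:
            evidence.append(f"evtx: Security 4688 process creation at {ev['time']}")
    if evidence:
        verdict = "executed"
    elif "amcache" in hits:
        # An Amcache entry shows the file was inventoried, which is not proof it ran.
        verdict = "file inventoried (Amcache) but execution not proven"
    else:
        verdict = "no execution evidence"
    return {"binary": report["ioc"], "verdict": verdict, "evidence": evidence, "sources": sorted(hits)}


if __name__ == "__main__":
    print(execution_verdict("updater.exe"))
    print(hunt_indicator("203.0.113.7")["hits"])
```

Note the Amcache branch: the tool list above pairs Amcache with Prefetch and SRUM, and the verdict logic keeps them apart because only the latter two (and a 4688 event) record that the binary actually ran.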
Tool Reference
Orchestrators (High-Level Investigation)
| Tool | Description |
| --- | --- |
| | Correlate Prefetch/Amcache/SRUM to prove binary execution |
| | Correlate Browser/ShellBags/LNK/RecentDocs for user activity |
| | Hunt IOC (hash/filename/IP/domain) across all artifacts; |
| | Build unified timeline from multiple artifact sources |
Execution Artifacts
| Tool | Description |
| --- | --- |
| | Static PE analysis - hashes, imports, exports, packer detection |
| | Parse Prefetch for execution evidence |
| | Parse Amcache.hve for SHA1 hashes and timestamps |
| | Parse SRUDB.dat for app resource and network usage |
Malware Detection (YARA)
| Tool | Description |
| --- | --- |
| | Scan file with 718 YARA rules (Mimikatz, CobaltStrike, webshells, APT, ransomware) |
| | Batch scan directory for malware |
| | List available/bundled YARA rules |
Threat Intelligence (VirusTotal)
| Tool | Description |
| --- | --- |
| | Look up file hash (MD5/SHA1/SHA256) on VirusTotal |
| | Get IP address reputation and geolocation |
| | Get domain reputation and categorization |
| | Calculate file hashes and look up on VirusTotal |
Network Forensics (PCAP)
| Tool | Description |
| --- | --- |
| | Get PCAP statistics - packet counts, protocols, top talkers |
| | Extract TCP/UDP conversations with byte counts |
| | Extract DNS queries and responses |
| | Extract HTTP requests with URLs, methods, user-agents |
| | Search packet payloads for strings or regex patterns |
| | Detect C2 indicators, beaconing, DNS tunneling |
API Monitor Capture Analysis (APMX)
| Tool | Description |
| --- | --- |
| | Parse .apmx64/.apmx86 capture - process info, modules, call counts |
| | Extract API calls with filtering, pagination, and time range support |
| | Detailed records with parameter values, return values, timestamps |
| | Detect attack patterns (injection, hollowing, credential dumping) with MITRE ATT&CK IDs |
| | Track handle producer/consumer chains across API calls |
| | Enriched injection chain extraction (target PID, shellcode size, technique) |
| | Context window of calls around a specific record |
| | Search all records for a specific parameter value |
| | Full PE import analysis with pattern detection and MITRE ATT&CK mapping |
| | Detect attack patterns from PE import tables |
| | Look up Windows API signature (26,944 APIs with params, DLL, category) |
| | Browse APIs by category (e.g., "Process Injection", "File Management") |
Packer Detection (DiE)
| Tool | Description |
| --- | --- |
| | Analyze file for packers, compilers, protectors, .NET |
| | Batch scan directory for packed executables |
| | Get info about packer (difficulty, unpack tools) |
File System
| Tool | Description |
| --- | --- |
| | Parse $MFT with timestomping detection |
| | Parse $J for file operations and deleted files |
User Activity
| Tool | Description |
| --- | --- |
| | Parse Edge/Chrome/Firefox history and downloads |
| | Parse Windows shortcuts for target paths |
| | Parse ShellBags for folder navigation history |
Event Logs
| Tool | Description |
| --- | --- |
| | List EVTX files in a directory |
| | Get event counts, time range, Event ID distribution |
| | Search with filters (time, Event ID, keywords) |
| | Pre-built security event searches (logon, process creation, etc.) |
| | Get Event ID description |
Registry
| Tool | Description |
| --- | --- |
| | Get specific key and values |
| | Search values by pattern |
| | Get Run keys and services |
| | Get user accounts from SAM |
| | Get USB device history |
| | Get OS version, hostname, timezone |
| | Get network configuration |
Utilities
| Tool | Description |
| --- | --- |
| | Import Eric Zimmerman CSV output (MFTECmd, PECmd, AmcacheParser, SrumECmd) |
| | List important Event IDs by channel |
| | List forensic registry keys by category |
Remote Collection
| Tool | Description |
| --- | --- |
| | Collect artifacts via WinRM (password or pass-the-hash) |
| | Get remote system info |
Configuration
VirusTotal API Key
Get your free API key at virustotal.com. Free tier is rate-limited to 4 requests/minute; the client handles rate limiting and caches results for 24 hours.
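The two numbers in that sentence (4 requests per minute, 24-hour cache) are the whole contract a lookup client has to honour. The following added Python sketch shows a sliding-window limiter and a TTL cache wrapped around an injectable lookup function. It is not the project's VirusTotal client and makes no VirusTotal API calls: `stub_lookup` and `CONSTRUCTED_VERDICTS` stand in for the network call, and `FakeClock` replaces real time so the demo finishes instantly.

```python
import time
from collections import deque


class ReputationClient:
    """Rate-limited, cached front end for a reputation lookup function.

    lookup(indicator) performs the real request (a stub below). clock and
    sleeper are injectable so the limiter can be exercised without waiting.
    """

    def __init__(self, lookup, max_requests=4, per_seconds=60.0, cache_ttl=24 * 3600.0,
                 clock=time.monotonic, sleeper=time.sleep):
        self._lookup = lookup
        self._max = max_requests
        self._per = per_seconds
        self._ttl = cache_ttl
        self._clock = clock
        self._sleep = sleeper
        self._window = deque()      # send times of requests inside the current window
        self._cache = {}            # indicator -> (fetched_at, result)
        self.requests_sent = 0
        self.cache_hits = 0

    def query(self, indicator):
        key = indicator.strip().lower()   # hashes and domains are case-insensitive
        cached = self._cache.get(key)
        if cached is not None and self._clock() - cached[0] < self._ttl:
            self.cache_hits += 1
            return cached[1]
        self._wait_for_slot()
        result = self._lookup(key)
        self.requests_sent += 1
        self._cache[key] = (self._clock(), result)
        return result

    def _expire_window(self):
        now = self._clock()
        while self._window and now - self._window[0] >= self._per:
            self._window.popleft()

    def _wait_for_slot(self):
        self._expire_window()
        while len(self._window) >= self._max:
            # Window is full: sleep until the oldest request falls out of it.
            self._sleep(max(0.0, self._per - (self._clock() - self._window[0])))
            self._expire_window()
        self._window.append(self._clock())


# Constructed verdicts keyed by SHA-256 (detection counts are invented).
CONSTRUCTED_VERDICTS = {f"{1:064x}": 57, f"{3:064x}": 0}


def stub_lookup(indicator):
    """Stand-in for the real API request."""
    return {"indicator": indicator, "malicious": CONSTRUCTED_VERDICTS.get(indicator, 0)}


class FakeClock:
    """Deterministic clock: sleeping advances time instead of blocking."""

    def __init__(self, start=1000.0):
        self.t = start
        self.sleeps = []

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.sleeps.append(seconds)
        self.t += seconds


def demo():
    """Exercise burst limiting, cache hits and cache expiry; returns the observed counters."""
    clock = FakeClock()
    client = ReputationClient(stub_lookup, clock=clock.now, sleeper=clock.sleep)
    hashes = [f"{i:064x}" for i in range(1, 6)]                 # five constructed SHA-256 values
    burst = [client.query(h)["malicious"] for h in hashes]       # the 5th must wait out the window
    sleeps_after_burst = list(clock.sleeps)
    client.query(hashes[0])                                      # served from cache, no request
    hits_after_repeat = client.cache_hits
    clock.t += 24 * 3600 + 1                                     # entry is now older than the TTL
    client.query(hashes[0])                                      # refetched; window long since empty
    return {"burst": burst, "sleeps": sleeps_after_burst, "requests_sent": client.requests_sent,
            "cache_hits": hits_after_repeat, "sleeps_total": len(clock.sleeps)}


if __name__ == "__main__":
    print(demo())
```

With the real `time.monotonic`/`time.sleep` defaults the fifth lookup in a burst blocks for the remainder of the minute rather than failing with a quota error, and repeated indicators never cost a request inside the TTL.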
Troubleshooting
DiE (Detect It Easy) not found
Remove MCP Server
License
Credits: Rohitab Batra (API Monitor), Neo23x0/signature-base (YARA rules), horsicq/DIE-engine (Detect It Easy)
MIT License | xtk | Built for the DFIR community. No Windows required >)