
Windows Forensics MCP Server

by x746b

Server Configuration

Describes the environment variables required to run the server.

Name    Required    Description    Default

No arguments

Capabilities

Features and capabilities supported by this server

Capability      Details
tools           { "listChanged": false }
experimental    {}

Tools

Functions exposed to the LLM to take actions

Name    Description

evtx_list_files

List all EVTX (Windows Event Log) files in a directory.

evtx_get_stats

Get statistics about an EVTX file: event counts, time range, Event ID distribution.

evtx_search

Search events in an EVTX file. Filter by time, Event ID, keywords, provider. Supports pagination with offset.

evtx_security_search

Search for security events by type: logon, failed_logon, process_creation, etc. Supports pagination with offset.

evtx_attack_summary

Compact TSV summary of security events for rapid triage. Returns one tab-separated line per event with only attack-relevant columns. Fits entire attack chains in a single call. Types: process_creation (Timestamp|User|ParentProcess|CommandLine), logon (Timestamp|User|SourceIP|LogonType), account_created (Timestamp|NewUser|CreatedBy), scheduled_task, service_installed.

evtx_explain_event_id

Get the description of a Windows Event ID.

registry_get_key

Get a registry key and its values from a hive file.

registry_search

Search registry values by pattern.

registry_get_persistence

Get persistence mechanisms (Run keys, services) from the registry.

registry_get_users

Get user accounts from the SAM hive.

registry_get_usb_history

Get USB device history from the SYSTEM hive.

registry_get_system_info

Get OS version, computer name, and timezone from the registry.

registry_get_network

Get network configuration from the SYSTEM hive.

forensics_list_important_events

List important Event IDs for a log channel.

forensics_list_registry_keys

List forensically important registry keys.

file_analyze_pe

Perform static analysis on Windows PE files (EXE/DLL/SYS). Extracts headers, imports, exports, sections, calculates hashes (MD5/SHA1/SHA256/Imphash), and detects packers/suspicious indicators.

api_analyze_imports

Detailed PE import analysis with pattern detection and API enrichment. Extracts all imports, detects injection/evasion/persistence patterns with MITRE ATT&CK mapping, and optionally enriches with API definitions.

api_lookup

Look up a Windows API definition (signature, params, DLL, category) from the API Monitor knowledge base. Supports wildcards (e.g., 'Create*').

api_search_category

Browse/search Windows APIs by category. Categories are hierarchical (e.g., 'Data Access and Storage/Local File Systems/File Management').

api_detect_patterns

Detect injection/evasion/persistence API patterns from PE imports. Returns matched patterns with MITRE ATT&CK technique IDs and risk levels.

apmx_parse

Parse a Rohitab API Monitor capture file (.apmx64/.apmx86). Returns process info (name, PID, path, command line), loaded modules, and API call count. Use this first to understand what is in a capture.

apmx_get_calls

Extract API call records from an APMX capture with filtering and pagination. Each record shows the top-level API and any nested calls made within it.

apmx_detect_patterns

Detect injection/evasion/persistence patterns in APMX captured API calls. Analyzes runtime behavior (actually-called APIs) against known attack patterns with MITRE ATT&CK technique IDs. Returns risk level and suspicious call timeline.

apmx_get_call_details

Extract detailed API call records with parameter values, return values, and timestamps from an APMX capture. Shows pre-call and post-call parameter values, identifies return values by comparing pre/post state, and extracts embedded strings. Use call_indices for specific records or api_filter to search.

apmx_correlate_handles

Track handle values across API calls to reconstruct operation chains. Identifies handle-producing APIs (OpenProcess, CreateFile, etc.) and traces where those handles are consumed (VirtualAllocEx, WriteProcessMemory, etc.). Reveals attack chains like: OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread.

apmx_injection_info

Extract enriched injection chain details from an APMX capture. Returns target PID, target process name, shellcode size (requested vs aligned), start address, and injection technique label. Wraps handle correlation with parameter decoding for a forensic-friendly summary.

apmx_calls_around

Get a context window of API calls around a specific record index. Returns detailed call records in the range [call_index-before, call_index+after]. Useful for understanding what happened immediately before and after a suspicious call.

apmx_search_params

Search API calls by parameter value in an APMX capture. Finds all calls where a specific integer (e.g., PID, handle, size) or string appears as a parameter value. Returns matching calls with the matched parameters highlighted.

disk_parse_prefetch

Parse Windows Prefetch files to determine program execution history, run counts, and last execution times. Can parse a single .pf file or an entire Prefetch directory. Supports pagination.

disk_parse_amcache

Parse Amcache.hve to extract program execution evidence with SHA1 hashes, file paths, and timestamps. Proves a file existed and was prepared for execution.

disk_parse_srum

Parse SRUDB.dat for application resource usage including CPU time, network bytes sent/received, and foreground time. Answers: How long did this program run? What was its network activity?

investigate_execution

Comprehensive execution analysis. Correlates Prefetch, Amcache, and SRUM to prove or disprove binary execution. Answers: Was this binary executed? When? How long did it run? Provides confidence scoring and a unified timeline.

build_timeline

Build a comprehensive forensic timeline from multiple artifact sources (MFT, USN Journal, Prefetch, Amcache, EVTX). Returns sorted, deduplicated events. Answers: What happened and when? Provides a unified chronological view of system activity.

hunt_ioc

Hunt for an IOC (hash, filename, IP, domain) across all forensic artifacts. Searches Prefetch, Amcache, SRUM, MFT, USN Journal, Browser History, EVTX logs, and optionally YARA rules. Answers: Where does this IOC appear? Was this file/hash/domain seen on the system? Is it known malware?

investigate_user_activity

Comprehensive user activity investigation. Correlates Browser History, ShellBags, LNK files, and RecentDocs to build a complete picture of user activity. Answers: What did the user browse? What files did they access? What folders did they navigate?

ingest_parsed_csv

Import pre-parsed CSV from Eric Zimmerman tools (MFTECmd, PECmd, AmcacheParser, SrumECmd) for querying. Auto-detects the CSV type by column headers. Useful when you already have parsed output from EZ tools.

disk_parse_mft

Parse $MFT (Master File Table) for file metadata and timestomping detection. Compares $STANDARD_INFORMATION and $FILE_NAME timestamps to identify manipulation. Answers: When was this file actually created? Has it been timestomped?

disk_parse_usn_journal

Parse $UsnJrnl:$J (USN Journal) for file system change history. Records file creation, deletion, modification, and rename operations. Answers: What files were created/deleted/renamed? When did file changes occur?

browser_get_history

Parse browser history and downloads from Edge, Chrome, or Firefox. Answers: What URLs did the user visit? What files were downloaded? Where did downloads originate from?

user_parse_lnk_files

Parse Windows shortcut (.lnk) files to determine target paths, access times, and volume information. Answers: What files did the user access recently? What were the original file locations?

user_parse_shellbags

Parse ShellBags from UsrClass.dat to reveal folder navigation history. Shows which folders a user browsed in Windows Explorer with timestamps. Answers: Which folders did the user access? When did they browse suspicious paths?

Prompts

Interactive templates invoked by user choice

Name    Description

No prompts

Resources

Contextual data attached and managed by the client

Name    Description

No resources


MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/x746b/winforensics-mcp'
