概要
What is Winforensics Mcp?
Winforensics Mcp is a Windows DFIR toolkit designed entirely for Linux environments with zero Windows tool dependencies. It parses Windows artifacts (EVTX logs, Registry, MFT, Prefetch, Amcache, SRUM, browser data, LNK files, ShellBags, PCAP, etc.) using pure Python libraries and integrates with MCP-compatible clients like Claude for AI-assisted forensic analysis.
How to use Winforensics Mcp?
Install via uv sync (or pip), then add the server to Claude CLI using claude mcp add or by editing ~/.claude.json. Place a CLAUDE.md file in your case directory to guide the LLM in using orchestrators efficiently. Invoke tools by asking natural language questions (e.g., "Was this binary executed?") or using the provided tools directly.
Key features of Winforensics Mcp
- Parse EVTX logs with filtering and pre-built security queries
- Analyze Registry hives: SAM, SYSTEM, SOFTWARE, SECURITY, NTUSER.DAT
- Correlate Prefetch, Amcache, and SRUM for execution evidence
- Extract MFT with timestomping detection and USN Journal
- Investigate user activity: Browser, LNK, ShellBags, RecentDocs
- Analyze PCAP/PCAPNG files for suspicious network activity
- Scan files with 718 YARA rules from signature-base
- Look up hashes, IPs, domains on VirusTotal with caching
- Detect packers and compilers via Detect It Easy (DiE)
- Ingest Eric Zimmerman tool CSV output (MFTECmd, PECmd, etc.)
Use cases of Winforensics Mcp
- Confirm whether a specific binary was executed on the system
- Hunt for an IOC (hash, filename, IP, domain) across all artifact sources
- Build a unified forensic timeline from multiple artifact types
- Investigate a user's activity – browser history, folder navigation, recent documents
- Detect timestomping in the MFT or analyze network captures for C2 indicators
FAQ from Winforensics Mcp
What artifacts can Winforensics Mcp parse?
It parses EVTX logs, Registry hives (SAM, SYSTEM, SOFTWARE, SECURITY, NTUSER.DAT), MFT, USN Journal, Prefetch, Amcache, SRUM, browser history/downloads (Chrome, Edge, Firefox), LNK files, ShellBags, RecentDocs, and PCAP/PCAPNG files.
What are the orchestrators and why use them?
The four orchestrators are investigate_execution, investigate_user_activity, hunt_ioc, and build_timeline. They combine multiple low-level parsers to answer high-level questions, reducing API cost and improving analysis consistency.
Does Winforensics Mcp require Windows or commercial tools?
No. It is built entirely for Linux and uses pure Python libraries. No Wine, Mono, or commercial forensic suites are needed. It can also import CSV output from Eric Zimmerman tools if you already have those exports.
How do I add malware detection capabilities?
Install optional dependencies: .[yara] for YARA scanning, .[virustotal] for VirusTotal lookups, and .[pcap] for PCAP analysis. Use uv pip install -e ".[all]" to install everything.
How do I connect Winforensics Mcp to Claude CLI?
Run claude mcp add winforensics-mcp --scope user -- uv run --directory /path/to/winforensics-mcp python -m winforensics_mcp.server or add the corresponding JSON entry to ~/.claude.json.