Winforensics Mcp
@x746b
About Winforensics Mcp
No overview available yet
Basic information
Config
Add this server to your MCP-compatible client using the configuration below.
{
"mcpServers": {
"winforensics-mcp": {
"command": "uv",
"args": [
"run",
"--directory",
"/path/to/winforensics-mcp",
"python",
"-m",
"winforensics_mcp.server"
]
}
}
}Tools
No tools detected
We auto-extract tools from the README. The maintainer can list them under a ## Tools heading to populate this section.
Overview
What is Winforensics Mcp?
Winforensics Mcp is a Windows DFIR toolkit designed entirely for Linux environments with zero Windows tool dependencies. It parses Windows artifacts (EVTX logs, Registry, MFT, Prefetch, Amcache, SRUM, browser data, LNK files, ShellBags, PCAP, etc.) using pure Python libraries and integrates with MCP-compatible clients like Claude for AI-assisted forensic analysis.
How to use Winforensics Mcp?
Install via uv sync (or pip), then add the server to Claude CLI using claude mcp add or by editing ~/.claude.json. Place a CLAUDE.md file in your case directory to guide the LLM in using orchestrators efficiently. Invoke tools by asking natural language questions (e.g., "Was this binary executed?") or using the provided tools directly.
Key features of Winforensics Mcp
- Parse EVTX logs with filtering and pre-built security queries
- Analyze Registry hives: SAM, SYSTEM, SOFTWARE, SECURITY, NTUSER.DAT
- Correlate Prefetch, Amcache, and SRUM for execution evidence
- Extract MFT with timestomping detection and USN Journal
- Investigate user activity: Browser, LNK, ShellBags, RecentDocs
- Analyze PCAP/PCAPNG files for suspicious network activity
- Scan files with 718 YARA rules from signature-base
- Look up hashes, IPs, domains on VirusTotal with caching
- Detect packers and compilers via Detect It Easy (DiE)
- Ingest Eric Zimmerman tool CSV output (MFTECmd, PECmd, etc.)
Use cases of Winforensics Mcp
- Confirm whether a specific binary was executed on the system
- Hunt for an IOC (hash, filename, IP, domain) across all artifact sources
- Build a unified forensic timeline from multiple artifact types
- Investigate a user's activity – browser history, folder navigation, recent documents
- Detect timestomping in the MFT or analyze network captures for C2 indicators
FAQ from Winforensics Mcp
What artifacts can Winforensics Mcp parse?
It parses EVTX logs, Registry hives (SAM, SYSTEM, SOFTWARE, SECURITY, NTUSER.DAT), MFT, USN Journal, Prefetch, Amcache, SRUM, browser history/downloads (Chrome, Edge, Firefox), LNK files, ShellBags, RecentDocs, and PCAP/PCAPNG files.
What are the orchestrators and why use them?
The four orchestrators are investigate_execution, investigate_user_activity, hunt_ioc, and build_timeline. They combine multiple low-level parsers to answer high-level questions, reducing API cost and improving analysis consistency.
Does Winforensics Mcp require Windows or commercial tools?
No. It is built entirely for Linux and uses pure Python libraries. No Wine, Mono, or commercial forensic suites are needed. It can also import CSV output from Eric Zimmerman tools if you already have those exports.
How do I add malware detection capabilities?
Install optional dependencies: .[yara] for YARA scanning, .[virustotal] for VirusTotal lookups, and .[pcap] for PCAP analysis. Use uv pip install -e ".[all]" to install everything.
How do I connect Winforensics Mcp to Claude CLI?
Run claude mcp add winforensics-mcp --scope user -- uv run --directory /path/to/winforensics-mcp python -m winforensics_mcp.server or add the corresponding JSON entry to ~/.claude.json.
More Other MCP servers
Mcp
browsermcpBrowser MCP is a Model Context Provider (MCP) server that allows AI applications to control your browser
Awesome Mcp Servers
punkpeyeA collection of MCP servers.
Inbox Zero AI
elie222The world's best AI personal assistant for email. Open source app to help you reach inbox zero fast.
Maestro
mobile-dev-incPainless E2E Automation for Mobile and Web
Awesome Mlops
visengerA curated list of references for MLOps
Comments