MCP.so
登录
W

Winforensics Mcp

@x746b

关于 Winforensics Mcp

暂无概览

基本信息

分类

其他

传输方式

stdio

发布者

x746b

提交者

xtk

配置

使用下面的配置,将此服务器添加到你的 MCP 客户端。

{
  "mcpServers": {
    "winforensics-mcp": {
      "command": "uv",
      "args": [
        "run",
        "--directory",
        "/path/to/winforensics-mcp",
        "python",
        "-m",
        "winforensics_mcp.server"
      ]
    }
  }
}

工具

未检测到工具

工具是从 README 中自动提取的。维护者可以在 ## Tools 标题下列出工具,即可填充这部分内容。

概览

What is Winforensics Mcp?

Winforensics Mcp is a Windows DFIR toolkit designed entirely for Linux environments with zero Windows tool dependencies. It parses Windows artifacts (EVTX logs, Registry, MFT, Prefetch, Amcache, SRUM, browser data, LNK files, ShellBags, PCAP, etc.) using pure Python libraries and integrates with MCP-compatible clients like Claude for AI-assisted forensic analysis.

How to use Winforensics Mcp?

Install via uv sync (or pip), then add the server to Claude CLI using claude mcp add or by editing ~/.claude.json. Place a CLAUDE.md file in your case directory to guide the LLM in using orchestrators efficiently. Invoke tools by asking natural language questions (e.g., "Was this binary executed?") or using the provided tools directly.

Key features of Winforensics Mcp

  • Parse EVTX logs with filtering and pre-built security queries
  • Analyze Registry hives: SAM, SYSTEM, SOFTWARE, SECURITY, NTUSER.DAT
  • Correlate Prefetch, Amcache, and SRUM for execution evidence
  • Extract MFT with timestomping detection and USN Journal
  • Investigate user activity: Browser, LNK, ShellBags, RecentDocs
  • Analyze PCAP/PCAPNG files for suspicious network activity
  • Scan files with 718 YARA rules from signature-base
  • Look up hashes, IPs, domains on VirusTotal with caching
  • Detect packers and compilers via Detect It Easy (DiE)
  • Ingest Eric Zimmerman tool CSV output (MFTECmd, PECmd, etc.)

Use cases of Winforensics Mcp

  • Confirm whether a specific binary was executed on the system
  • Hunt for an IOC (hash, filename, IP, domain) across all artifact sources
  • Build a unified forensic timeline from multiple artifact types
  • Investigate a user's activity – browser history, folder navigation, recent documents
  • Detect timestomping in the MFT or analyze network captures for C2 indicators

FAQ from Winforensics Mcp

What artifacts can Winforensics Mcp parse?

It parses EVTX logs, Registry hives (SAM, SYSTEM, SOFTWARE, SECURITY, NTUSER.DAT), MFT, USN Journal, Prefetch, Amcache, SRUM, browser history/downloads (Chrome, Edge, Firefox), LNK files, ShellBags, RecentDocs, and PCAP/PCAPNG files.

What are the orchestrators and why use them?

The four orchestrators are investigate_execution, investigate_user_activity, hunt_ioc, and build_timeline. They combine multiple low-level parsers to answer high-level questions, reducing API cost and improving analysis consistency.

Does Winforensics Mcp require Windows or commercial tools?

No. It is built entirely for Linux and uses pure Python libraries. No Wine, Mono, or commercial forensic suites are needed. It can also import CSV output from Eric Zimmerman tools if you already have those exports.

How do I add malware detection capabilities?

Install optional dependencies: .[yara] for YARA scanning, .[virustotal] for VirusTotal lookups, and .[pcap] for PCAP analysis. Use uv pip install -e ".[all]" to install everything.

How do I connect Winforensics Mcp to Claude CLI?

Run claude mcp add winforensics-mcp --scope user -- uv run --directory /path/to/winforensics-mcp python -m winforensics_mcp.server or add the corresponding JSON entry to ~/.claude.json.

评论

其他 分类下的更多 MCP 服务器