winforensics-mcp

Active·★ 18·MIT·Updated 2026-05-21

★ Trending★ API Integration

A comprehensive MCP server for Windows digital forensics on KALI Linux

WinForensics MCP is a comprehensive forensic toolkit that runs on Linux and natively parses Windows artifacts using pure Python libraries. It covers EVTX logs, registry, execution artifacts, file system, user activity, network forensics, and malware detection. High-level orchestrators enable efficient investigations like execution analysis, user activity correlation, IOC hunting, and timeline building.

#blueteam-tools#dfir#forensics-tools#mcp-server#mcp-servers#windows-forensics

Features

01Core forensics: EVTX log parsing, registry analysis, remote collection via WinRM

02Execution artifacts: PE analysis, Prefetch, Amcache, SRUM parsing

03File system artifacts: MFT, USN Journal, timeline building

04User activity: Browser history, LNK files, ShellBags, RecentDocs

05Malware detection: YARA scanning, VirusTotal lookup, DiE packer detection

Compatibility

Linux

Verified via docs

Quick start

$ curl -LsSf https://astral.sh/uv/install.sh | sh

$ source ~/.bashrc

$ uv tool install winforensics-mcp

Use cases

↳Determine if a specific binary was executed on a Windows system

↳Reconstruct user activity timeline from browser, shellbags, and shortcuts

↳Search for indicators of compromise (hashes, filenames, IPs, domains) across all artifacts

Alternatives

fastmcp★ 25.4k

🚀 The fast, Pythonic way to build MCP servers and clients.

Features

Compatibility

Quick start

Use cases

Alternatives

Related searches

Comments

Features

Compatibility

Quick start

Use cases

Alternatives

Related searches

Comments