WinForensics

关于

WinForensics is a powerful Model Context Protocol (MCP) server designed to streamline Windows digital forensics investigations with AI assistance. It allows forensic analysts to parse, analyze, and query various Windows artifacts, such as Event Logs (EVTX) and Registry hives, directly from AI clients like Claude CLI or Gemini CLI. The server also supports remote artifact collection via WinRM, provides built-in forensic reference knowledge, and enables efficient hunting for suspicious activities, enhancing the speed and depth of forensic analysis.

主要功能

• Built-in knowledge base of important Windows Event IDs and registry keys
• Seamless integration with MCP-compatible AI clients for interactive analysis
• 4 GitHub stars
• EVTX Parsing with filtering, search, and pre-built security queries
• Registry Analysis for SAM, SYSTEM, SOFTWARE, SECURITY, and NTUSER.DAT hives
• Remote artifact collection via WinRM with password or pass-the-hash authentication

使用案例

• Investigating user activities, system configurations, and persistence mechanisms by parsing Registry hives
• Conducting AI-assisted analysis of Windows Event Logs for security incident response
• Performing remote collection and analysis of Windows system artifacts from suspect machines