winforensics-mcp
A comprehensive MCP server for Windows digital forensics on Kali Linux
Install
pip install -e
Tools · 6
- investigate_execution Correlates Prefetch, Amcache and SRUM evidence to answer "Was this binary executed?"
- investigate_user_activity Correlates browser history, ShellBags, LNK files and RecentDocs into a user activity timeline
- hunt_ioc Searches for an IOC (hash, filename, IP or domain) across all artifact sources, with optional YARA scanning
- hunt_ioc_pack Hunts behavioral IoCs from bundled or external metadata packs such as impacket-iocs
- build_timeline Builds a unified forensic timeline from multiple artifact sources
- ingest_parsed_csv Imports Eric Zimmerman tool CSV output (MFTECmd, PECmd, AmcacheParser)
Environment variables
VIRUSTOTAL_API_KEY
Links
★ 18 GitHub stars