Winforensics MCP

A comprehensive Model Context Protocol (MCP) server for Windows digital forensics, enabling AI-assisted analysis of Windows artifacts directly from Claude CLI or any MCP-compatible client.

Created 1/6/2026
Updated about 2 months ago

Windows Forensics MCP Server

Windows DFIR from Linux - A comprehensive forensics toolkit designed entirely for Linux environments with zero Windows tool dependencies. Parse Windows artifacts natively using pure Python libraries.


Related Projects

  • mem_forensics-mcp - Unified Memory Forensics MCP Server - Multi-tier engine combining Rust speed with Vol3 coverage
  • mac_forensics-mcp - macOS DFIR - Unified Logs, FSEvents, Spotlight, Plists, SQLite databases, Extended Attributes

Features

Core Forensics

| Category | Capabilities |
|----------|--------------|
| EVTX Logs | Parse Windows Event Logs with filtering, search, and pre-built security queries |
| Registry | Analyze SAM, SYSTEM, SOFTWARE, SECURITY, NTUSER.DAT hives |
| Remote Collection | Collect artifacts via WinRM (password or pass-the-hash) |

Execution Artifacts

| Category | Capabilities |
|----------|--------------|
| PE Analysis | Static analysis with hashes (MD5/SHA1/SHA256/imphash), imports, exports, packer detection |
| Prefetch | Execution evidence with run counts, timestamps, loaded files |
| Amcache | SHA1 hashes and first-seen timestamps from Amcache.hve |
| SRUM | Application resource usage, CPU time, network activity from SRUDB.dat |

File System Artifacts

| Category | Capabilities |
|----------|--------------|
| MFT | Master File Table parsing with timestomping detection |
| USN Journal | Change journal for file operations and deleted file recovery |
| Timeline | Unified timeline from MFT, USN, Prefetch, Amcache, EVTX |

User Activity

| Category | Capabilities |
|----------|--------------|
| Browser | Edge, Chrome, Firefox history and downloads |
| LNK Files | Windows shortcut analysis for recently accessed files |
| ShellBags | Folder navigation history with suspicious path detection |
| RecentDocs | Registry-based recent document tracking |

Network Forensics

| Category | Capabilities |
|----------|--------------|
| PCAP Analysis | Parse PCAP/PCAPNG files - conversations, DNS queries, HTTP requests, suspicious connections |

API Monitor Capture Analysis

| Category | Capabilities |
|----------|--------------|
| APMX Parsing | Parse API Monitor captures (.apmx64/.apmx86) - process metadata, API call extraction, parameter values |
| Pattern Detection | Detect injection, hollowing, credential dumping, and other attack patterns from captured API call sequences with MITRE ATT&CK mapping |
| Handle Correlation | Track handle values across calls to reconstruct attack chains (OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread) |
| Injection Analysis | Extract enriched injection chain details: target PID/process, shellcode size, allocation addresses, technique classification |
| API Knowledge Base | 26,944 Windows API definitions with parameter signatures, DLL mappings, and category browsing |
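As an added illustration of the handle correlation described above (example code, not part of the winforensics-mcp project), the Python below walks constructed API-Monitor-style call records, ties each consumer call back to the OpenProcess that produced its handle, and reports only handles whose calls complete the chain in order. The record field names, the constructed capture and the T1055 (Process Injection) label are the example's own assumptions.

```python
# Constructed API Monitor-style records (not a real .apmx capture): each
# carries a sequence number, API name, extracted parameters and return value.
SAMPLE_CALLS = [
    {"seq": 1, "api": "OpenProcess", "params": {"dwProcessId": 4120}, "ret": "0x2a4"},
    {"seq": 2, "api": "VirtualAllocEx", "params": {"hProcess": "0x2a4", "dwSize": 512}, "ret": "0x1f0000"},
    {"seq": 3, "api": "WriteProcessMemory", "params": {"hProcess": "0x2a4", "lpBaseAddress": "0x1f0000", "nSize": 512}, "ret": "1"},
    {"seq": 4, "api": "CreateRemoteThread", "params": {"hProcess": "0x2a4", "lpStartAddress": "0x1f0000"}, "ret": "0x2b8"},
    {"seq": 5, "api": "CloseHandle", "params": {"hObject": "0x2a4"}, "ret": "1"},
    # Consumer whose producing OpenProcess lies outside the capture: target PID unknown, so not reported.
    {"seq": 6, "api": "VirtualAllocEx", "params": {"hProcess": "0x300", "dwSize": 64}, "ret": "0x200000"},
]

# The remote-thread injection chain the page describes, in required order.
INJECTION_CHAIN = ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")

def _in_order(seen, chain):
    """True when every API in `chain` occurs in `seen`, in that order."""
    pos = 0
    for api in seen:
        if api == chain[pos]:
            pos += 1
            if pos == len(chain):
                return True
    return False

def correlate_injection_chains(calls):
    """Follow each handle from the OpenProcess that produced it through its
    consumer calls; report handles that complete the chain, with the enriched
    fields the page lists (target PID, shellcode size, allocation address)."""
    by_handle = {}  # producer handle -> accumulated state (insertion ordered)
    for rec in sorted(calls, key=lambda r: r["seq"]):
        api, params = rec["api"], rec["params"]
        if api == "OpenProcess":
            by_handle[rec["ret"]] = {"target_pid": params.get("dwProcessId"), "apis": [api],
                                     "calls": [rec["seq"]], "alloc_addr": None, "shellcode_size": None}
            continue
        state = by_handle.get(params.get("hProcess"))
        if state is None:
            continue  # handle was never produced in this capture
        state["apis"].append(api)
        state["calls"].append(rec["seq"])
        if api == "VirtualAllocEx":
            state["alloc_addr"] = rec["ret"]
        elif api == "WriteProcessMemory":
            state["shellcode_size"] = params.get("nSize")
    return [{"handle": h, "target_pid": s["target_pid"], "technique": "CreateRemoteThread injection",
             "mitre": "T1055", "alloc_addr": s["alloc_addr"], "shellcode_size": s["shellcode_size"],
             "calls": s["calls"]}
            for h, s in by_handle.items() if _in_order(s["apis"], INJECTION_CHAIN)]
```

Running `correlate_injection_chains(SAMPLE_CALLS)` yields one chain for handle 0x2a4 targeting PID 4120; the orphan VirtualAllocEx on 0x300 is ignored because no producer established its target.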

Malware Detection

| Category | Capabilities |
|----------|--------------|
| YARA Scanning | 718 rules from signature-base - APT, ransomware, webshells, hacktools |
| VirusTotal | Hash/IP/domain reputation lookups with caching and rate limiting (free tier supported) |
| DiE Integration | Detect packers (UPX, Themida, VMProtect), compilers, .NET, installers via Detect It Easy |

Orchestrators

| Tool | What It Does |
|------|--------------|
| investigate_execution | Correlates Prefetch + Amcache + SRUM to answer "Was this binary executed?" |
| investigate_user_activity | Correlates Browser + ShellBags + LNK + RecentDocs for user activity timeline |
| hunt_ioc | Searches for IOC (hash/filename/IP/domain) across ALL artifact sources + optional YARA scanning |
| build_timeline | Builds unified forensic timeline from multiple sources |

Utilities

| Tool | What It Does |
|------|--------------|
| ingest_parsed_csv | Import Eric Zimmerman tool CSV output (MFTECmd, PECmd, AmcacheParser) |


Installation

Prerequisites

# Install uv (fast Python package manager)
curl -LsSf https://astral.sh/uv/install.sh | sh
source ~/.bashrc

# Ensure Python 3.10+
python3 --version

Install from PyPI

uv tool install winforensics-mcp

Install from source

git clone https://github.com/x746b/winforensics-mcp.git
cd winforensics-mcp

# Install with uv (recommended)
uv sync

# Or install with all optional extras
uv venv && source .venv/bin/activate
uv pip install -e ".[all]"

Verify

uv run python -m winforensics_mcp.server
# Should start without errors (Ctrl+C to exit)

Adding to Claude CLI

Installed from PyPI

claude mcp add winforensics-mcp --scope user -- uv run winforensics-mcp

Installed from sources

claude mcp add winforensics-mcp \
  --scope user \
  -- uv run --directory /path/to/winforensics-mcp python -m winforensics_mcp.server

Verify:

claude mcp list
# Should show winforensics-mcp

LLM Integration (CLAUDE.md)

For AI-assisted forensic analysis, include CLAUDE.md in your case directory. It provides:

  • Orchestrator-first guidance - Ensures LLMs use high-level tools before low-level parsers
  • Token efficiency - Reduces API costs by 50%+ through proper tool selection
  • Investigation workflow - Step-by-step methodology for consistent analysis

Usage

Copy CLAUDE.md to your case directory:

cp /path/to/winforensics-mcp/CLAUDE.md /your/case/directory/
# Edit paths in CLAUDE.md to match your case

The LLM will automatically follow the orchestrator-first approach:

| Question | Orchestrator Used |
|----------|------------------|
| "Was malware.exe executed?" | investigate_execution |
| "What did the user do?" | investigate_user_activity |
| "Find this hash everywhere" | hunt_ioc |
| "Build incident timeline" | build_timeline |


Quick Start Examples

Was This Binary Executed?

Investigate if mimikatz.exe was executed on the system at /mnt/evidence

The investigate_execution orchestrator checks Prefetch, Amcache, and SRUM:

{
  "target": "mimikatz.exe",
  "execution_confirmed": true,
  "confidence": "HIGH",
  "evidence": [
    {"source": "Prefetch", "finding": "Executed 3 times, last at 2024-03-15T14:23:45Z"},
    {"source": "Amcache", "finding": "SHA1: abc123..., First seen: 2024-03-14T09:00:00Z"},
    {"source": "SRUM", "finding": "Network: 15.2 MB sent; Foreground: 47 seconds"}
  ]
}

Hunt for IOC Across All Artifacts

Hunt for the hash 204bc44c651e17f65c95314e0b6dfee586b72089 in /mnt/evidence

The hunt_ioc tool searches Prefetch, Amcache, SRUM, MFT, USN, Browser, EVTX, and optionally YARA:

{
  "ioc": "204bc44c651e17f65c95314e0b6dfee586b72089",
  "ioc_type": "sha1",
  "found": true,
  "sources_with_hits": ["Amcache", "MFT"],
  "findings": [
    {"source": "Amcache", "matches": 1, "details": "bloodhound.exe"},
    {"source": "MFT", "matches": 1, "details": "Users\\Admin\\Downloads\\bloodhound.exe"}
  ]
}
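To make the hunt's behaviour concrete, here is an added Python example (not the project's own hunt_ioc implementation) that classifies an IoC by its shape and searches constructed artifact records, producing the result shape shown above. The record field names, the constructed evidence and the file-extension heuristic that separates "bloodhound.exe" from a domain are the example's own assumptions.

```python
import re
# Constructed records (not real evidence) shaped like parser output; field names are assumptions.
SAMPLE_ARTIFACTS = {
    "Amcache": [
        {"path": "C:\\Users\\Admin\\Downloads\\bloodhound.exe", "sha1": "204bc44c651e17f65c95314e0b6dfee586b72089"},
        {"path": "C:\\Windows\\System32\\notepad.exe", "sha1": "f" * 40},
    ],
    "MFT": [
        {"path": "Users\\Admin\\Downloads\\bloodhound.exe", "sha1": "204bc44c651e17f65c95314e0b6dfee586b72089"},
        {"path": "Users\\Admin\\Desktop\\notes.txt", "sha1": None},
    ],
    "Browser": [
        {"url": "http://198.51.100.7/payload.zip", "domain": "198.51.100.7"},
        {"url": "https://docs.example.net/", "domain": "docs.example.net"},
    ],
}

IOC_PATTERNS = [("md5", r"[0-9a-f]{32}"), ("sha1", r"[0-9a-f]{40}"), ("sha256", r"[0-9a-f]{64}"),
                ("ip", r"(\d{1,3}\.){3}\d{1,3}"), ("domain", r"([a-z0-9-]+\.)+[a-z]{2,}")]
FILE_EXTENSIONS = {"exe", "dll", "sys", "ps1", "bat", "vbs", "zip", "txt", "lnk"}

def classify_ioc(ioc):
    """Infer the IoC type from its shape: hash by length, then IP, then domain
    (unless the last label is a common file extension), otherwise filename."""
    s = ioc.strip().lower()
    kind = next((k for k, pat in IOC_PATTERNS if re.fullmatch(pat, s)), "filename")
    if kind == "domain" and s.rsplit(".", 1)[-1] in FILE_EXTENSIONS:
        return "filename"
    return kind

def _matches(kind, needle, rec):
    """Compare the IoC only against the fields its type can legitimately hit."""
    if kind in ("md5", "sha1", "sha256"):
        return (rec.get(kind) or "").lower() == needle
    if kind in ("ip", "domain"):
        return (rec.get("domain") or "").lower() == needle
    # filename: compare the last path component, not a substring of the whole path
    return (rec.get("path") or "").lower().split("\\")[-1] == needle

def hunt_ioc(ioc, artifacts=SAMPLE_ARTIFACTS):
    """Search every artifact source for the IoC and return the hunt's result shape."""
    kind, needle = classify_ioc(ioc), ioc.strip().lower()
    findings = []
    for source, records in artifacts.items():
        hits = [rec.get("path") or rec.get("url") for rec in records if _matches(kind, needle, rec)]
        if hits:
            findings.append({"source": source, "matches": len(hits), "details": hits})
    return {"ioc": ioc, "ioc_type": kind, "found": bool(findings),
            "sources_with_hits": [f["source"] for f in findings], "findings": findings}
```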

Tool Reference

Orchestrators (High-Level Investigation)

| Tool | Description |
|------|-------------|
| investigate_execution | Correlate Prefetch/Amcache/SRUM to prove binary execution |
| investigate_user_activity | Correlate Browser/ShellBags/LNK/RecentDocs for user activity |
| hunt_ioc | Hunt IOC (hash/filename/IP/domain) across all artifacts; yara_scan=True adds YARA threat intel |
| build_timeline | Build unified timeline from multiple artifact sources |

Execution Artifacts

| Tool | Description |
|------|-------------|
| file_analyze_pe | Static PE analysis - hashes, imports, exports, packer detection |
| disk_parse_prefetch | Parse Prefetch for execution evidence |
| disk_parse_amcache | Parse Amcache.hve for SHA1 hashes and timestamps |
| disk_parse_srum | Parse SRUDB.dat for app resource and network usage |

Malware Detection (YARA)

| Tool | Description |
|------|-------------|
| yara_scan_file | Scan file with 718 YARA rules (Mimikatz, CobaltStrike, webshells, APT, ransomware) |
| yara_scan_directory | Batch scan directory for malware |
| yara_list_rules | List available/bundled YARA rules |

Threat Intelligence (VirusTotal)

| Tool | Description |
|------|-------------|
| vt_lookup_hash | Look up file hash (MD5/SHA1/SHA256) on VirusTotal |
| vt_lookup_ip | Get IP address reputation and geolocation |
| vt_lookup_domain | Get domain reputation and categorization |
| vt_lookup_file | Calculate file hashes and look up on VirusTotal |

Network Forensics (PCAP)

| Tool | Description |
|------|-------------|
| pcap_get_stats | Get PCAP statistics - packet counts, protocols, top talkers |
| pcap_get_conversations | Extract TCP/UDP conversations with byte counts |
| pcap_get_dns | Extract DNS queries and responses |
| pcap_get_http | Extract HTTP requests with URLs, methods, user-agents |
| pcap_search | Search packet payloads for strings or regex patterns |
| pcap_find_suspicious | Detect C2 indicators, beaconing, DNS tunneling |

API Monitor Capture Analysis (APMX)

| Tool | Description |
|------|-------------|
| apmx_parse | Parse .apmx64/.apmx86 capture - process info, modules, call counts |
| apmx_get_calls | Extract API calls with filtering, pagination, and time range support |
| apmx_get_call_details | Detailed records with parameter values, return values, timestamps |
| apmx_detect_patterns | Detect attack patterns (injection, hollowing, credential dumping) with MITRE ATT&CK IDs |
| apmx_correlate_handles | Track handle producer/consumer chains across API calls |
| apmx_get_injection_info | Enriched injection chain extraction (target PID, shellcode size, technique) |
| apmx_get_calls_around | Context window of calls around a specific record |
| apmx_search_params | Search all records for a specific parameter value |
| api_analyze_imports | Full PE import analysis with pattern detection and MITRE ATT&CK mapping |
| api_detect_patterns | Detect attack patterns from PE import tables |
| api_lookup | Look up Windows API signature (26,944 APIs with params, DLL, category) |
| api_search_category | Browse APIs by category (e.g., "Process Injection", "File Management") |

Packer Detection (DiE)

| Tool | Description |
|------|-------------|
| die_analyze_file | Analyze file for packers, compilers, protectors, .NET |
| die_scan_directory | Batch scan directory for packed executables |
| die_get_packer_info | Get info about packer (difficulty, unpack tools) |

File System

| Tool | Description |
|------|-------------|
| disk_parse_mft | Parse $MFT with timestomping detection |
| disk_parse_usn_journal | Parse $J for file operations and deleted files |

User Activity

| Tool | Description |
|------|-------------|
| browser_get_history | Parse Edge/Chrome/Firefox history and downloads |
| user_parse_lnk_files | Parse Windows shortcuts for target paths |
| user_parse_shellbags | Parse ShellBags for folder navigation history |

Event Logs

| Tool | Description |
|------|-------------|
| evtx_list_files | List EVTX files in a directory |
| evtx_get_stats | Get event counts, time range, Event ID distribution |
| evtx_search | Search with filters (time, Event ID, keywords) |
| evtx_security_search | Pre-built security event searches (logon, process creation, etc.) |
| evtx_explain_event_id | Get Event ID description |

Registry

| Tool | Description |
|------|-------------|
| registry_get_key | Get specific key and values |
| registry_search | Search values by pattern |
| registry_get_persistence | Get Run keys and services |
| registry_get_users | Get user accounts from SAM |
| registry_get_usb_history | Get USB device history |
| registry_get_system_info | Get OS version, hostname, timezone |
| registry_get_network | Get network configuration |

Utilities

| Tool | Description |
|------|-------------|
| ingest_parsed_csv | Import Eric Zimmerman CSV output (MFTECmd, PECmd, AmcacheParser, SrumECmd) |
| forensics_list_important_events | List important Event IDs by channel |
| forensics_list_registry_keys | List forensic registry keys by category |

Remote Collection

| Tool | Description |
|------|-------------|
| remote_collect_artifacts | Collect artifacts via WinRM (password or pass-the-hash) |
| remote_get_system_info | Get remote system info |


Configuration

VirusTotal API Key

# Option 1: Environment variable
export VIRUSTOTAL_API_KEY="your-api-key-here"

# Option 2: Config file
mkdir -p ~/.config/winforensics-mcp
echo "your-api-key-here" > ~/.config/winforensics-mcp/vt_api_key

Get your free API key at virustotal.com. Free tier is rate-limited to 4 requests/minute; the client handles rate limiting and caches results for 24 hours.


Troubleshooting

DiE (Detect It Easy) not found

# Debian/Ubuntu
sudo apt install detect-it-easy

# Or download from https://github.com/horsicq/DIE-engine/releases

Remove MCP Server

claude mcp remove winforensics-mcp --scope user

License

Credits: Rohitab Batra (API Monitor), Neo23x0/signature-base (YARA rules), horsicq/DIE-engine (Detect It Easy)

MIT License | xtk | Built for the DFIR community. No Windows required.

Quick Setup
Installation guide for this server

Install Package (if required)

uvx winforensics-mcp

Cursor configuration (mcp.json)

{
  "mcpServers": {
    "x746b-winforensics-mcp": {
      "command": "uvx",
      "args": ["winforensics-mcp"]
    }
  }
}