
winforensics

A comprehensive MCP server for Windows digital forensics on Kali Linux

Installation
Run this command in your terminal to add the MCP server to Claude Code (uvx fetches the published package into an ephemeral environment and runs it, so nothing has to be installed beforehand):

claude mcp add --transport stdio x746b-winforensics-mcp uvx winforensics-mcp

How to use

WinForensics MCP Server provides a pure Python-based Windows DFIR toolkit that runs entirely on Linux. It exposes a broad set of capabilities for analyzing Windows artifacts such as EVTX logs, Registry hives, PE and execution artifacts, file system artifacts, user activity traces, network forensics, and API Monitor capture analysis. You can orchestrate analysis with high-level tools like investigate_execution, investigate_user_activity, hunt_ioc, and build_timeline to correlate artifacts across sources. The server is designed to parse Windows artifacts without Windows tool dependencies, leveraging Python libraries to process EVTX, SAM/NTUSER.DAT, MFT, USN, SRUM data, and more. This makes it suitable for Linux-based DFIR workflows and rapid triage of Windows evidence.

To use it, install the MCP server via uv (the Python package manager) and start the server module as shown in the documentation. You can then invoke the provided orchestrators and utilities through the Claude CLI integration, or from any MCP client that speaks the stdio transport, to answer structured questions such as "Was this binary executed?", hunt IOCs across sources, and build unified timelines. The tooling supports YARA scans, MITRE ATT&CK mappings, and cross-source correlation for robust investigations.
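If you want to drive the server from your own tooling rather than from Claude, the exchange is plain MCP over stdio: newline-delimited JSON-RPC 2.0, an initialize request and initialized notification first, then tools/list and tools/call. The script below is an added example written for this page, not code from the winforensics-mcp project. It assumes the launch command from the Claude CLI line on this page (uv run winforensics-mcp), offers protocol version 2024-11-05 in the handshake, and makes no claim about the real argument names of tools such as hunt_ioc; those must be read from the inputSchema the server returns in tools/list. The SAMPLE_TOOLS_LIST reply is constructed so the parsing helpers run offline; the tool names in it are the ones the page lists, not a capture from the server.

```python
"""Minimal MCP stdio client for probing winforensics-mcp (added example, not project code)."""
import json
import subprocess
import sys

# MCP protocol revision the client offers; the server answers with the one it supports.
PROTOCOL_VERSION = "2024-11-05"


def jsonrpc(method, params=None, msg_id=None):
    """Serialise one JSON-RPC 2.0 message; MCP's stdio transport is newline-delimited JSON.
    No msg_id means a notification (no reply expected)."""
    msg = {"jsonrpc": "2.0", "method": method}
    if params is not None:
        msg["params"] = params
    if msg_id is not None:
        msg["id"] = msg_id
    return json.dumps(msg) + "\n"


def handshake_messages():
    """The two messages every MCP client sends first: initialize, then the initialized notice."""
    init = jsonrpc("initialize", {
        "protocolVersion": PROTOCOL_VERSION,
        "capabilities": {},
        "clientInfo": {"name": "winforensics-probe", "version": "0.1"},
    }, msg_id=1)
    return [init, jsonrpc("notifications/initialized")]


def tool_call_message(name, arguments, msg_id):
    """tools/call request. Argument names are server-specific (assumed here); read the
    inputSchema from tools/list before relying on any of them."""
    return jsonrpc("tools/call", {"name": name, "arguments": arguments}, msg_id)


def tool_names(tools_list_reply):
    """Pull tool names out of a tools/list reply line; surface JSON-RPC errors, don't swallow them."""
    msg = json.loads(tools_list_reply)
    if "error" in msg:
        err = msg["error"]
        raise RuntimeError(f"server error {err.get('code')}: {err.get('message')}")
    return sorted(t["name"] for t in msg["result"]["tools"])


def read_reply(proc, msg_id):
    """Read stdout lines until the reply carrying this id; skip notifications and non-JSON noise."""
    while True:
        line = proc.stdout.readline()
        if not line:
            raise RuntimeError("server closed stdout before replying")
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue  # a stray log line on stdout would otherwise break the session
        if msg.get("id") == msg_id:
            return line


def list_tools(command):
    """Spawn the server, complete the handshake and return its advertised tool names."""
    proc = subprocess.Popen(command, stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    try:
        for m in handshake_messages():
            proc.stdin.write(m)
        proc.stdin.flush()
        read_reply(proc, 1)  # initialize result: server capabilities and serverInfo
        proc.stdin.write(jsonrpc("tools/list", {}, msg_id=2))
        proc.stdin.flush()
        return tool_names(read_reply(proc, 2))
    finally:
        proc.stdin.close()
        proc.terminate()
        proc.wait(timeout=5)


# Constructed stand-in for a tools/list reply, shaped like a real MCP response. The tool names
# are the ones this page lists; the inputSchema is a placeholder, not the server's real schema.
SAMPLE_TOOLS_LIST = json.dumps({"jsonrpc": "2.0", "id": 2, "result": {"tools": [
    {"name": n, "description": "", "inputSchema": {"type": "object"}}
    for n in ("hunt_ioc", "build_timeline", "investigate_execution", "investigate_user_activity")
]}})

if __name__ == "__main__":
    # e.g.  python probe.py uv run winforensics-mcp   (launch command from this page's Claude CLI line)
    print(list_tools(sys.argv[1:] or ["uv", "run", "winforensics-mcp"]))
```

Run it from the source checkout (uv run needs the project in the current directory) or pass the installed winforensics-mcp command as the arguments. The id-matching loop in read_reply is deliberate: MCP servers may emit notifications between your request and its reply, and matching on id rather than taking the next line is what keeps the client in sync.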

How to install

Prerequisites:

  • A Linux/macOS system with Python 3.10 or newer
  • uv (a fast Python package manager) installed

Install uv and check the Python version:

# Install uv if not present (the vendor's installer script; download and read it first
# if piping a remote script into a shell is against your policy)
curl -LsSf https://astral.sh/uv/install.sh | sh
source ~/.bashrc   # or ~/.zshrc; the installer adds uv's bin directory to PATH

# Verify Python version (3.10 or newer)
python3 --version

Install from PyPI (recommended):

uv tool install winforensics-mcp
# This places the package's command-line entry point in uv's tool bin directory
# (uv tool dir --bin prints the path); make sure that directory is on PATH.

Install from source (optional):

git clone https://github.com/x746b/winforensics-mcp.git
cd winforensics-mcp

# Install with uv (recommended)
uv sync

# Or install with all optional extras
uv venv && source .venv/bin/activate
uv pip install -e ".[all]"

Verify installation:

uv run python -m winforensics_mcp.server
# Should start without errors (Ctrl+C to exit). A stdio MCP server waits silently for
# JSON-RPC messages on stdin, so a quiet process with no output is the healthy state.

Additional usage notes:

  • The server can be added to Claude CLI for easy access:
claude mcp add winforensics-mcp --scope user -- uv run winforensics-mcp
    uv run resolves the project from the current working directory, so this form suits a source checkout; after a uv tool install, register the installed winforensics-mcp command from PATH instead.

Additional notes

Tips and caveats:

  • Ensure Python 3.10+ and a working uv setup before installation.
  • If you install from source, enable the optional extras for full feature coverage (e.g., YARA rules, additional parsers); the base install omits them.
  • When integrating with Claude CLI, make sure the case and evidence directories you hand to the tools exist and are readable by the account that launches the server; tool calls name local paths, and a wrong or unreadable path shows up as a parse failure rather than a clear error.
  • Keep evidence on read-only mounts or work from verified copies; parsing the artifacts needs no write access to the originals.
  • The MCP supports cross-artifact correlation (e.g., linking Prefetch/Amcache with SRUM) to answer high-level questions like "Was this binary executed?"
  • For large datasets, build a unified timeline with build_timeline to streamline investigations.
  • If you encounter environment-related issues in source mode, check that the virtual environment was created (uv venv) and activated (source .venv/bin/activate) and that the package was installed into it in editable mode (uv pip install -e ".[all]").
