WinForensics MCP

---
name: winforensics-mcp
category: digital-forensics
cost: free
api_key_required: no
repo: https://github.com/x746b/winforensics-mcp
paired_skills: ["browser-artifact-analysis", "windows-registry-forensics", "file-carving-and-recovery", "usb-and-removable-media-forensics"]
capabilities: ["windows-forensics", "registry-analysis", "dfir"]
---

# WinForensics MCP — Windows DFIR artifacts from Linux/Kali (registry, MFT, Prefetch, USB)

Wraps Kali Linux forensic tools (regripper, MFT parsing, Prefetch analysis, USB enumeration) for offline analysis of Windows forensic images.

## Install

```
pip install winforensics-mcp
```

**Requires Kali Linux** (or a Linux system with regripper and the supporting forensic tools installed). Not natively supported on Windows.

## Configuration

```json
{
  "mcpServers": {
    "winforensics": {
      "command": "winforensics-mcp"
    }
  }
}
```

## What it adds

Claude answers natural-language forensic questions against a mounted Windows forensic image — "what executables ran on this machine in the last 7 days" (Prefetch), "what USB devices were ever connected" (registry), "what files were recently accessed" (MFT), "what was the last user login" (event logs). Converts manual regripper workflows into investigative Q&A.

## Pairs with skills

- 076 `browser-artifact-analysis`
- 078 `windows-registry-forensics`
- 081 `file-carving-and-recovery`
- 090 `usb-and-removable-media-forensics`

## Cost

Free. Requires Kali Linux or equivalent. The underlying forensic tools (regripper, etc.) are all open source.