Vision

Forensics for Everyone

Crow-Eye's mission is to put the truth of what happened on a computer into the hands of every person, not just experts. Crow-Eye helps users understand what happened on their machine, even if they have no technical background.

By correlating forensic data and presenting it in a clear, human-friendly way, Crow-Eye empowers everyone to investigate their device’s activity.

Whether you’re a parent worried about what your teen downloaded, a senior who thinks they might have been scammed, or just someone wondering why their PC feels “off,” Crow-Eye analyzes your PC, understands the deep forensic traces Windows leaves behind, and explains them in plain, trustworthy language.

Soon you’ll simply ask Crow-Eye Assistant (we call it “Eye”):

  • “Was anyone using my laptop while I was away last weekend?”
  • “Which program has been secretly connecting to the internet?”

Eye answers instantly, shows you the proof, and never sends your data anywhere.

Faster, Smarter DFIR

  • Advanced parsing of Windows artifacts
  • Detection of evasion techniques
  • One-click proof-of-execution and file activity tracing
  • Raw artifact views + correlated views
  • Plugin system for custom parsers, correlation rules, and workflow extensions

Crow-Eye lets investigators skip repetitive manual work, focus on complex reasoning, and achieve faster, more accurate results.

Crow-Eye for Business

Crow-Eye goes beyond single-machine analysis with a scalable multi-machine processing engine.

Businesses can:

  • Parse and store artifacts from multiple machines
  • Maintain historical forensic data (even after the live system has rotated or overwritten it)
  • Access device activity anytime during an incident
  • Reduce dependency on high-cost forensic solutions
  • Gain continuous visibility without enterprise-level budgets

Crow-Eye delivers daily or weekly micro-forensics for small and medium businesses, giving them real security insight without heavy infrastructure, and the investigative power that previously only large corporations could afford.

Crow-Eye Research

Crow-Eye is more than software — it’s an open research platform accelerating the entire field of Windows forensics.

The project focuses on:

  • Publishing detailed documentation on internal artifact structures
  • Sharing correlation logic and methodologies
  • Enabling peer review, transparency, and academic collaboration

Key Features

Live & Offline Modes

Analyze artifacts directly from the running system or imported from an offline image or backup directory.

SQLite-Driven Architecture

All artifact data is parsed into a normalized SQLite database for structured queries, filtering, and exporting.

Graphical User Interface

An intuitive GUI, built with PyQt5 and Streamlit, simplifies interaction and reduces reliance on command-line operations.

Export Options

Export parsed results in CSV and JSON formats for integration with other tools or reporting systems.

Search Engine

Built-in search functionality for querying and filtering parsed artifacts across the SQLite database.

Timeline Visualization

Interactive timeline views to visualize correlations, timestamps, and activity patterns from forensic artifacts.
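The SQLite-driven architecture, search engine, timeline view and CSV/JSON export described above all rest on one idea: every parser writes rows of the same shape into one table, and everything downstream queries that table. The following is an added illustration of that design and is not Crow-Eye's own code or schema; the table layout, column names and the sample rows (an installer recorded by Amcache, run according to Prefetch, then sent to the Recycle Bin) are constructed for the example.

```python
import csv
import io
import json
import sqlite3
from typing import Iterable, Optional

# One normalized table: every parser emits rows of the same shape, so timeline,
# search and export code never needs to know which artifact a row came from.
# (Hypothetical schema for this example, not the project's.)
SCHEMA = """
CREATE TABLE IF NOT EXISTS events (
    id         INTEGER PRIMARY KEY,
    host       TEXT NOT NULL,
    artifact   TEXT NOT NULL,   -- 'prefetch', 'amcache', 'recyclebin', ...
    source     TEXT NOT NULL,   -- file the row was parsed from
    event_time TEXT NOT NULL,   -- ISO-8601 UTC; fixed width, so it sorts as text
    action     TEXT NOT NULL,   -- 'executed', 'installed', 'deleted', ...
    path       TEXT,            -- program or file the event concerns
    details    TEXT             -- parser-specific fields as a JSON object
);
CREATE INDEX IF NOT EXISTS idx_events_time ON events(event_time);
CREATE INDEX IF NOT EXISTS idx_events_path ON events(path);
"""

COLUMNS = ("host", "artifact", "source", "event_time", "action", "path", "details")

# Constructed sample rows standing in for parser output (not real forensic data).
SAMPLE_EVENTS = [
    ("WS01", "amcache", r"C:\Windows\appcompat\Programs\Amcache.hve",
     "2024-03-15T11:58:02Z", "installed", r"C:\Users\alice\Downloads\setup.exe",
     {"publisher": "Example Corp", "version": "1.0.2"}),
    ("WS01", "prefetch", r"C:\Windows\Prefetch\SETUP.EXE-1A2B3C4D.pf",
     "2024-03-15T11:59:40Z", "executed", r"C:\Users\alice\Downloads\setup.exe",
     {"run_count": 3}),
    ("WS01", "recyclebin", r"C:\$Recycle.Bin\S-1-5-21-1000\$IQ4Z9KL.exe",
     "2024-03-15T12:05:11Z", "deleted", r"C:\Users\alice\Downloads\setup.exe",
     {"size": 48213}),
    ("WS01", "prefetch", r"C:\Windows\Prefetch\NOTEPAD.EXE-9A2C8D1E.pf",
     "2024-03-16T08:12:00Z", "executed", r"C:\Windows\System32\notepad.exe",
     {"run_count": 41}),
]


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    """Open (or create) the artifact database and make sure the schema exists."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def insert_events(conn: sqlite3.Connection, events: Iterable[tuple]) -> int:
    """Insert (host, artifact, source, event_time, action, path, details_dict) rows."""
    rows = [(h, a, s, t, act, p, json.dumps(d, sort_keys=True))
            for h, a, s, t, act, p, d in events]
    with conn:  # one transaction for the whole batch
        conn.executemany(
            "INSERT INTO events (host, artifact, source, event_time, action, path, details) "
            "VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    return len(rows)


def timeline(conn: sqlite3.Connection, start: str, end: str,
             host: Optional[str] = None) -> list:
    """Events in [start, end), oldest first, across every artifact type."""
    sql = ("SELECT event_time, artifact, action, path FROM events "
           "WHERE event_time >= ? AND event_time < ?")
    params = [start, end]
    if host is not None:
        sql += " AND host = ?"
        params.append(host)
    return conn.execute(sql + " ORDER BY event_time, id", params).fetchall()


def search(conn: sqlite3.Connection, term: str) -> list:
    """Substring search over path and details. The term is bound as a parameter,
    never spliced into the SQL text, and LIKE wildcards inside it are escaped so
    that a user typing '100%' finds that literal text rather than everything."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    pattern = f"%{escaped}%"
    return conn.execute(
        "SELECT event_time, artifact, action, path FROM events "
        "WHERE path LIKE ? ESCAPE '\\' OR details LIKE ? ESCAPE '\\' "
        "ORDER BY event_time, id", (pattern, pattern)).fetchall()


def export_json(conn: sqlite3.Connection) -> str:
    rows = conn.execute(f"SELECT {', '.join(COLUMNS)} FROM events ORDER BY event_time, id")
    out = []
    for row in rows:
        rec = dict(zip(COLUMNS, row))
        rec["details"] = json.loads(rec["details"])  # re-inflate the nested fields
        out.append(rec)
    return json.dumps(out, indent=2)


def export_csv(conn: sqlite3.Connection) -> str:
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(COLUMNS)
    writer.writerows(conn.execute(
        f"SELECT {', '.join(COLUMNS)} FROM events ORDER BY event_time, id"))
    return buf.getvalue()


if __name__ == "__main__":
    db = open_store()
    insert_events(db, SAMPLE_EVENTS)
    for row in timeline(db, "2024-03-15T00:00:00Z", "2024-03-16T00:00:00Z", host="WS01"):
        print(row)
    print(search(db, "setup.exe"))
    print(export_csv(db))
```

Two design points carry over to any store of this kind: timestamps are normalized to one fixed-width UTC text form at insert time, so a plain `ORDER BY event_time` yields a cross-artifact timeline without per-row conversion; and the search term is always a bound parameter with its `%` and `_` escaped, since an investigator's free-text query is untrusted input to the database just like any other.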

In Future

Upcoming disk image (E01/RAW) parsing, multi-host investigation support, correlation heuristics, evasion detection modules, richer timeline controls, and a community plugin ecosystem.

Supported Artifacts

Prefetch

Execution history, run count, last-run timestamps (up to eight on Windows 8 and later)

Registry

Autorun keys, UserAssist, ShimCache, BAM, network profiles, time zone

Jump Lists & LNK

File access, paths, timestamps, metadata

Event Logs

System, Security, Application events

Amcache

App filename, full path, install time, publisher, product/version, file size, volume introduction timestamp

ShimCache

File name, full path, last-modified timestamp (the file's $STANDARD_INFORMATION modification time, not an execution time; on Windows 10 and later a ShimCache entry alone is not proof of execution)

ShellBags

Folder views, access history, timestamps

MRU & RecentDocs

Typed paths, Open/Save history, recent files

MFT Parser

File metadata, deleted files, timestamps

USN Journal

File changes (create/modify/delete)

Recycle Bin

Deleted file names, paths, deletion time

SRUM

App resource usage, network, energy, execution
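As a concrete illustration of what "parsing" one of the artifacts above involves, here is an added parser for the Recycle Bin `$I` metadata files (the "deleted file names, paths, deletion time" entry). It is example code written for this page, not Crow-Eye's own parser. The layout it decodes is the documented on-disk format: three little-endian 64-bit fields (format version, original size, deletion FILETIME), followed by the original path either as a fixed 520-byte UTF-16LE field (version 1, Vista through 8.1) or as a 32-bit character count plus a variable-length UTF-16LE string (version 2, Windows 10 and later). The sample records are constructed in the block itself rather than taken from a real system.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-ns ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt.astimezone(timezone.utc) - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


@dataclass
class RecycleBinRecord:
    version: int
    original_path: str
    file_size: int
    deleted_at: datetime


def parse_dollar_i(data: bytes) -> RecycleBinRecord:
    """Parse one $I<id> metadata file from $Recycle.Bin.

    Both layouts start with three little-endian uint64s: format version, original
    file size, deletion time (FILETIME). They differ in how the path is stored:
      version 1 (Vista to 8.1): fixed 520-byte UTF-16LE field at offset 0x18
      version 2 (Windows 10+):  uint32 character count at 0x18, path at 0x1C
    """
    if len(data) < 0x18:
        raise ValueError("$I record shorter than its 24-byte header")
    version, file_size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[0x18:0x18 + 520]
        if len(raw) < 520:
            raise ValueError("truncated version-1 $I record")
    elif version == 2:
        if len(data) < 0x1C:
            raise ValueError("truncated version-2 $I record")
        (nchars,) = struct.unpack_from("<I", data, 0x18)
        raw = data[0x1C:0x1C + nchars * 2]
        if len(raw) < nchars * 2:
            raise ValueError("truncated version-2 $I record")
    else:
        raise ValueError(f"unsupported $I version {version}")
    # The v2 count and the v1 fixed field both include the NUL terminator.
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return RecycleBinRecord(version, path, file_size, filetime_to_datetime(ft))


def companion_r_name(i_name: str) -> str:
    """$I<id>.ext holds only metadata; the file content is in the matching $R<id>.ext."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


def build_dollar_i(version: int, path: str, file_size: int, deleted_at: datetime) -> bytes:
    """Assemble a $I record; used here only to construct sample input."""
    header = struct.pack("<QQQ", version, file_size, datetime_to_filetime(deleted_at))
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    if version == 2:
        return header + struct.pack("<I", len(path) + 1) + encoded
    raise ValueError(f"unsupported $I version {version}")


# Constructed samples (not recovered from a real system).
SAMPLE_PATH = r"C:\Users\alice\Downloads\invoice.pdf"
SAMPLE_DELETED_AT = datetime(2024, 3, 15, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_I_V2 = build_dollar_i(2, SAMPLE_PATH, 48213, SAMPLE_DELETED_AT)
SAMPLE_I_V1 = build_dollar_i(1, SAMPLE_PATH, 48213, SAMPLE_DELETED_AT)

if __name__ == "__main__":
    rec = parse_dollar_i(SAMPLE_I_V2)
    print(rec.original_path, rec.file_size, rec.deleted_at.isoformat())
    print("content lives in", companion_r_name("$IQ4Z9KL.pdf"))
```

Note what the artifact does and does not tell you: the `$I` file records the original path, size and deletion time, but the deleted content itself sits in the paired `$R` file, and once the user empties the Recycle Bin both are unlinked and only the MFT or USN journal may still carry a trace. Every length in the parser is checked before slicing, because a truncated or hand-crafted `$I` file is exactly the kind of input a forensic parser will meet in practice.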

Under Development:
  • Correlation Engine
  • AI Integration
  • Multi-Computer Parsing
  • Enhanced Parsers
  • Plugin System for Custom Parsers & Correlation Rules
  • Offline Artifact Parsing
  • Disk image support (E01/RAW, ISO)

Crow-Eye CLI Tools

Development Roadmap

The development of Crow Eye is structured into three progressive phases to ensure a stable, scalable, and research-aligned forensic engine.

  • 🔹 Phase 1 – Core Parsers & Timeline GUI (Current Phase)
    Implementation of SRUM, ShellBags, and enhanced Registry parsers (BAM, DAM, Amcache, ShimCache, network interfaces, autorun keys, and more). Develop the SQLite backend, design a PyQt5-based timeline GUI, and improve export functionality. Establish the core infrastructure for data collection and visualization.
  • 🔹 Phase 2 – Correlation Engine, Evasion Detection & Plugin System
    Build a heuristic correlation engine to automatically link evidence across artifacts. Add evasion detection logic (e.g., timestamp inconsistencies, YARA scanning). Develop a plugin system for extensibility and enhance the GUI with filtering, timeline controls, and export options.
  • 🔹 Phase 3 – Multi-System Support & Centralized Platform
    Expand the tool into a scalable forensic platform. Implement disk image parsing (E01/RAW), a REST API, and multi-system timeline correlation. Add centralized dashboards, SDK documentation, community tools, and cross-host investigation capabilities.

If you're interested in supporting or collaborating on any of these stages, please get in touch.

About the Developer

Crow Eye is developed and maintained by Ghassan Elsman as both a practical forensic tool and a research proof of concept. The project is open to collaboration and contributions. For inquiries or support, feel free to reach out:

📧 [email protected] | 🔗 GitHub Repository | 💼 LinkedIn Profile

⬇ Download Crow Eye