Vision

Forensics for Everyone

Crow-Eye's mission is to put the truth of what happened on a computer into the hands of every person, not just experts. Crow-Eye helps users understand what happened on their machine, even if they have no technical background.

By correlating forensic data and presenting it in a clear, human-friendly way, Crow-Eye empowers everyone to investigate their device’s activity.

Whether you’re a parent worried about what your teen downloaded, a senior who thinks they might have been scammed, or just someone wondering why their PC feels “off,” Crow-Eye will analyze your PC, understand the deep forensic traces Windows leaves behind, and explain them in plain, trustworthy language.

Soon you’ll simply ask Crow-Eye Assistant (we call it “Eye”):

  • “Was anyone using my laptop while I was away last weekend?”
  • “Which program has been secretly connecting to the internet?”

Eye answers instantly, shows you the proof, and never sends your data anywhere.

Faster, Smarter DFIR

  • Advanced parsing of Windows artifacts
  • Detection of evasion techniques
  • Proof-of-execution and file activity tracing
  • One-click proof-of-execution
  • Raw artifact views + correlated views
  • Plugin system for custom parsers, correlation rules, and workflow extensions

Crow-Eye lets investigators skip repetitive manual work, focus on complex reasoning, and achieve faster, more accurate results.

Crow-Eye for Business

Crow-Eye goes beyond single-machine analysis with a scalable multi-machine processing engine.

Businesses can:

  • Parse and store artifacts from multiple machines
  • Maintain historical forensic data (even after Windows deletes it)
  • Access device activity anytime during an incident
  • Reduce dependency on high-cost forensic solutions
  • Gain continuous visibility without enterprise-level budgets

Crow-Eye delivers daily or weekly micro-forensics for small and medium businesses, giving them real security insight without heavy infrastructure. Small and medium businesses finally get the investigative power that only large corporations could afford before.

Crow-Eye Research

Crow-Eye is more than software — it’s an open research platform accelerating the entire field of Windows forensics.

The project focuses on:

  • Publishing detailed documentation on internal artifact structures
  • Sharing correlation logic and methodologies
  • Enabling peer review, transparency, and academic collaboration

Key Features

Live & Offline Modes

Analyze artifacts directly from the running system or imported from an offline image or backup directory.

SQLite-Driven Architecture

All artifact data is parsed into a normalized SQLite database for structured queries, filtering, and exporting.

Graphical User Interface

An intuitive GUI built with PyQt5 and Streamlit simplifies interaction and reduces reliance on command-line operations.

Export Options

Export parsed results in CSV and JSON formats for integration with other tools or reporting systems.

Search Engine

Built-in search functionality for querying and filtering parsed artifacts across the SQLite database.

Timeline Visualization

Interactive timeline views to visualize correlations, timestamps, and activity patterns from forensic artifacts.

In Future

Upcoming disk image (E01/RAW) parsing, multi-host investigation support, correlation heuristics, evasion detection modules, timeline visualization, and a community plugin ecosystem.

Supported Artifacts

Prefetch

Execution history, run count, timestamps

Registry

Auto-run, UserAssist, ShimCache, BAM, networks, time zone

Jump Lists & LNK

File access, paths, timestamps, metadata

Event Logs

System, Security, Application events

Amcache

App file name, full path, install time, publisher, product/version, file size, volume introduction timestamp

ShimCache

File name, full path, last-modified timestamp

ShellBags

Folder views, access history, timestamps

MRU & RecentDocs

Typed paths, Open/Save history, recent files

MFT Parser

File metadata, deleted files, timestamps

USN Journal

File changes (create/modify/delete)

Recycle Bin

Deleted file names, paths, deletion time

SRUM

App resource usage, network, energy, execution

Future Developments

Enhancing Core Capabilities:
  • Advanced Correlation Engine:
    • Customizable Wings Configuration: We're refining the 'Wings Config' to offer unparalleled flexibility. Investigators will be able to define highly granular correlation rules, tailoring the engine's behavior to specific case requirements and threat landscapes. This means more precise detection of anomalous activities and stronger evidence linking.
    • Enriched Semantic Mapping for IOCs: Our focus is on significantly improving semantic mapping. This enhancement will empower the engine to not only identify, but intelligently integrate Indicators of Compromise (IOCs) from various threat intelligence sources. The goal is to automatically highlight and mark malicious activities, significantly reducing manual analysis time and enhancing threat detection capabilities.
  • Intelligent Feather Section:
    • Dynamic Feather Creation: We are evolving the Feather Creation process to be more intuitive and adaptable. This includes developing mechanisms that allow feathers to dynamically adjust to diverse input data formats and intelligently generate metadata based on the specific characteristics of the incoming forensic artifacts. This will streamline the ingestion of new data sources and improve the accuracy of subsequent correlation.
  • Optimized Parsers:
    • Minimizing Live System Impact: Our ongoing efforts include enhancing existing parsers to operate with an even lighter footprint on live systems. By optimizing data extraction techniques, we aim to reduce system resource consumption and minimize forensic interference, ensuring that crucial evidence remains untampered and system stability is maintained during analysis.
  • Performance at Scale:
    • Big Data Forensics: We are actively developing robust methodologies and architectural improvements to efficiently analyze massive datasets. Our goal is to enable Crow-Eye to seamlessly process and correlate forensic records exceeding 1 million entries, providing rapid insights even in large-scale investigations without compromising performance or accuracy.
Innovative New Features:
  • Comprehensive Offline Parser:
    • Expanded Image Support: This feature will introduce extensive support for parsing various forensic image formats, including ISO, E01, and Raw disk images. This significantly broadens Crow-Eye's capabilities for in-depth post-mortem analysis of system snapshots, offering deeper insights into historical system states.
  • Multi-Computer Parsing:
    • Scalable Forensic Analysis: Extending Crow-Eye’s capabilities to efficiently parse and correlate artifacts from multiple target systems simultaneously. This feature is crucial for enterprise-level investigations, allowing for a holistic view across an entire network of machines and enabling rapid identification of widespread threats or compromised systems.
  • Integrated AI Forensics:
    • CLI AI Agents Integration: We are integrating cutting-edge AI capabilities directly into Crow-Eye via Command Line Interface (CLI) AI agents. These agents will leverage machine learning for advanced pattern recognition, anomaly detection, and predictive analytics within forensic data.
    • Configurable Artifact-Specific AI: This integration includes developing comprehensive configuration files that allow investigators to precisely tailor how AI agents interact with and analyze specific forensic artifacts. This ensures the AI's application is contextually relevant and highly effective for identifying nuanced malicious activities.

Crow-Eye CLI Engines

Development Roadmap

The development of Crow Eye is structured into three progressive phases to ensure a stable, scalable, and research-aligned forensic engine.

  • 🔹 Phase 1 – Core Parsers & Timeline GUI
    Implement SRUM, ShellBags, and enhanced Registry parsers (ShellBags, BAM, DAM, Amcache, ShimCache, network interfaces, autoruns and more). Develop the SQLite backend, design a PyQt5-based timeline GUI, and improve export functionality. Establish the core infrastructure for data collection and visualization.
  • 🔹 Phase 2 – Correlation Engine, Evasion Detection & Plugin System (Current Phase)
    Build a heuristic correlation engine to automatically link evidence across artifacts. Add evasion detection logic (e.g., timestamp inconsistencies, YARA scanning). Develop a plugin system for extensibility and enhance the GUI with filtering, timeline controls, and export options.
  • 🔹 Phase 3 – Multi-System Support & Centralized Platform
    Expand the engine into a scalable forensic platform. Implement disk image parsing (E01/RAW), a REST API, and multi-system timeline correlation. Add centralized dashboards, SDK documentation, community tools, and cross-host investigation capabilities.
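
As an added illustration of the SQLite-driven architecture and the Phase 2 correlation/evasion-detection idea (example code, not Crow-Eye's own), the script below loads constructed MFT and Prefetch rows into a normalized SQLite store and runs one heuristic rule that joins them to flag a timestamp inconsistency on an executed file. The table names, column names and sample rows are assumptions made for this example.

```python
import sqlite3

# Constructed sample rows (not real evidence) in the shape a normalized
# artifact schema might hold them. Timestamps are ISO-8601 strings, which
# compare correctly as text in SQLite.
PREFETCH_ROWS = [
    # exe name, full path, last run (UTC), run count
    ("UPDATER.EXE", "C:\\Users\\Public\\updater.exe", "2024-03-02T10:15:00", 3),
    ("NOTEPAD.EXE", "C:\\Windows\\System32\\notepad.exe", "2024-03-01T09:00:00", 12),
]
MFT_ROWS = [
    # full path, $STANDARD_INFORMATION created, $FILE_NAME created
    ("C:\\Users\\Public\\updater.exe", "2019-01-01T00:00:00", "2024-03-02T10:14:30"),
    ("C:\\Windows\\System32\\notepad.exe", "2023-05-10T08:00:00", "2023-05-10T08:00:00"),
]


def build_db():
    """Load both artifact tables into an in-memory SQLite database (assumed schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE prefetch(exe TEXT, path TEXT, last_run TEXT, run_count INTEGER);
        CREATE TABLE mft(path TEXT, si_created TEXT, fn_created TEXT);
    """)
    con.executemany("INSERT INTO prefetch VALUES (?, ?, ?, ?)", PREFETCH_ROWS)
    con.executemany("INSERT INTO mft VALUES (?, ?, ?)", MFT_ROWS)
    return con


def find_timestomped_executables(con):
    """Heuristic rule: a $STANDARD_INFORMATION creation time earlier than the
    $FILE_NAME creation time is a common timestomping indicator, because the
    user-mode file-time API rewrites $SI only. Joining to Prefetch adds proof of
    execution. Hits still need analyst review: a rename also refreshes $FN."""
    return con.execute("""
        SELECT m.path, m.si_created, m.fn_created, p.last_run, p.run_count
        FROM mft AS m
        JOIN prefetch AS p ON lower(p.path) = lower(m.path)
        WHERE m.si_created < m.fn_created
        ORDER BY m.fn_created
    """).fetchall()


if __name__ == "__main__":
    for path, si, fn, last_run, runs in find_timestomped_executables(build_db()):
        print(f"{path}: claims creation {si} but appeared on disk {fn}; "
              f"ran {runs} time(s), last at {last_run}")
```

Each such rule is a single query over the normalized store, so adding a new heuristic means adding a query rather than re-parsing the artifacts.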

If you're interested in supporting or collaborating on any of these stages, please get in touch.

About the Developer

Crow Eye is developed and maintained by Ghassan Elsman as both a practical forensic engine and a research proof of concept. The project is open to collaboration and contributions. For inquiries or support, feel free to reach out:

📧 [email protected] | 🔗 GitHub Repository | 💼 LinkedIn Profile
