Overview

Crow Eye is an open-source Windows forensic investigation tool designed to collect, analyze, and visualize various Windows artifacts. It features a modular architecture with specialized components for artifact collection, data processing, and visualization through a cyberpunk-themed GUI.

Key Features

  • Comprehensive Artifact Collection: Supports Prefetch, Registry, Event Logs, Amcache, Jump Lists, SRUM, MFT, USN Journal, Recycle Bin.
  • Timeline Visualization: Advanced timeline view with OpenGL-accelerated rendering.
  • Case Management: Organize investigations into cases with persistent configuration.
  • Modular Architecture: Easy to extend with new artifact parsers.

Project Structure

The project is organized into several key directories:

  • Artifacts_Collectors/: Specialized parsers for Windows artifacts.
  • data/: Data management components and database loaders.
  • ui/: User interface components and dialogs.
  • utils/: Utility functions for file handling, errors, etc.
  • timeline/: The timeline visualization subsystem.
  • correlation_engine/: Complete correlation engine system for forensic artifact analysis.
  • config/: JSON configuration files.
  • docs/: Technical documentation and contribution guides.
Crow-Eye/
Artifacts_Collectors/ Specialized parsers
A_CJL_LNK_Claw.py Jump Lists & LNK
JLParser.py
Prefetch_claw.py Prefetch parser
Regclaw.py Live Registry
WinLog_Claw.py Event Logs
amcacheparser.py
offline_RegClaw.py Offline Registry
offlineACJL.py
shimcash_claw.py
SRUM_Claw.py
recyclebin_claw.py
registry_binary_parser.py
partition_analyzer.py Partition analysis
windows_partition_detector.py Partition detection
MFT and USN journal/
MFT_Claw.py
USN_Claw.py
mft_usn_correlator.py MFT/USN correlation
data/ Data management
base_loader.py
registry_loader.py
mft_loader.py
usn_loader.py
correlated_loader.py
database_manager.py
database_initializer.py
database_discovery_manager.py
search_engine.py
unified_search_engine.py
search_history_manager.py
timestamp_parser.py
timestamp_detector.py
index_manager.py
ui/ User Interface
Loading_dialog.py
component_factory.py
search_filter_dialog.py
case_dialog.py
row_detail_dialog.py
row_detail_dialog_handler.py
pagination_widget.py
pagination_helper.py
pagination_config.py
virtual_table_widget.py
mft_virtual_table_integration.py
usn_virtual_table_integration.py
correlated_virtual_table_integration.py
database_search_dialog.py
database_search_integration.py
search_integration.py
search_widget.py
search_utils.py
settings_dialog.py
data_settings_dialog.py
startup_menu.py
partition_window.py
progress_indicator.py
utils/ Utilities
error_handler.py
file_utils.py
search_utils.py
time_utils.py
memory_monitor.py
timeline/ Visualization
timeline_dialog.py
timeline_canvas.py
timeline_config_dialog.py
filter_bar.py
event_details_panel.py
data/
rendering/
correlation_engine/ Forensic Correlation System
engine/ Core correlation engines
correlation_engine.py
identity_correlation_engine.py
time_based_engine.py
engine_selector.py
feather_loader.py
weighted_scoring.py
feather/ Data normalization
feather_builder.py
database.py
transformer.py
ui/
wings/ Correlation rules
core/
wing_model.py
artifact_detector.py
wing_validator.py
ui/
config/ Configuration management
config_manager.py
semantic_mapping.py
pipeline_config.py
default_mappings/
pipeline/ Workflow orchestration
pipeline_executor.py
pipeline_loader.py
feather_auto_registration.py
gui/ User interface
main_window.py
pipeline_management_tab.py
correlation_results_view.py
identity_results_view.py
integration/ Crow Eye bridge
crow_eye_integration.py
auto_feather_generator.py
feather_mappings.py
default_wings/
config/
docs/ Documentation
CORRELATION_ENGINE_OVERVIEW.md Engine documentation
CONTRIBUTING.md Contribution guide
GUI Resources/
Crow Eye.py Main Entry Point
styles.py
GUI_resources.py

Architecture Overview

Crow Eye follows a modular architecture where the main application orchestrates interaction between the UI, artifact collectors, and data management layer.

System Layers

  • UI Layer: PyQt5-based interface with custom styling.
  • Collector Layer: Independent modules for parsing specific artifacts.
  • Data Layer: SQLite-based storage with optimized loading and querying.
👁️
Main Application
Crow Eye.py

UI Components

Styles
Component Factory
Loading Dialog

Artifact Collectors

Amcache
Prefetch
Registry
Event Logs
Jump Lists
SRUM
MFT & USN
Recycle Bin

Data Management

DB Manager
Search Engine
Loaders
SQLite DB

Timeline System

Canvas (OpenGL)
Data Manager
Renderer

Core Components

1. Main Application (Crow Eye.py)

The main application serves as the entry point and orchestrator for the entire system.

Responsibilities

  • Environment Setup: Creates and manages a virtual environment with required dependencies
  • UI Initialization: Sets up the PyQt5-based user interface with cyberpunk styling
  • Artifact Collection Coordination: Invokes appropriate artifact collectors
  • Data Visualization: Displays collected artifacts in tables and UI components
  • Case Management: Handles case creation, loading, and configuration

Key Functions

  • setup_virtual_environment(): Creates Python virtual environment
  • check_and_install_requirements(): Ensures all packages are installed
  • validate_dependencies(): Validates dependency functionality
  • is_admin(): Checks for administrator privileges
  • load_registry_data_from_db(): Master function for loading registry data

2. Styles System (styles.py)

Defines the cyberpunk-themed visual identity of Crow Eye with neon accents and dark backgrounds.

Features

  • Custom color palette with neon cyan (#00FFFF) accents
  • Dark theme optimized for long forensic sessions
  • Consistent styling across all UI components
  • Custom table styles with alternating row colors

3. Component Factory (component_factory.py)

Factory pattern for creating consistent UI elements throughout the application.

Created Components

  • Styled tables with custom headers
  • Search dialogs with filters
  • Progress indicators
  • Custom buttons and controls

Artifact Collectors

Each artifact collector is a specialized module for extracting and parsing a specific type of Windows forensic artifact.

Common Collector Pattern

All collectors follow this pattern:

  1. Locate: Find artifact source (files, registry keys, etc.)
  2. Parse: Extract binary data into structured information
  3. Store: Save results in SQLite databases
  4. Export: Generate JSON output for interoperability

1. Prefetch Parser (Prefetch_claw.py)

Parses Windows Prefetch files (.pf) to extract execution history.

Forensic Value

  • Program execution history
  • Last execution times (up to 8 timestamps)
  • Run count
  • Files and directories accessed by the program

Supported Versions

  • Windows XP/2003 (Version 17)
  • Windows Vista/7 (Version 23)
  • Windows 8/8.1/2012 (Version 26)
  • Windows 10/11 (Versions 30-31)

2. Registry Parser (Regclaw.py)

Extracts forensic artifacts from live Windows Registry hives.

Artifacts Collected

  • USB Devices & Storage
  • UserAssist (ROT-13 decoded)
  • Shellbags (folder access)
  • Recent Documents
  • Network Lists
  • Run/RunOnce keys
  • Installed Programs
  • Services
  • BAM/DAM (Background Activity Moderator)

3. Offline Registry Parser (offline_RegClaw.py)

Parses offline registry hives without requiring live system access.

Key Features

  • Hive Support: SYSTEM, SOFTWARE, SAM, SECURITY, NTUSER.DAT
  • Path Independence: No reliance on current system's registry API
  • Cross-Analysis: Analyze hives from different Windows versions

4. Amcache Parser (amcacheparser.py)

Parses Amcache.hve to identify application execution history.

Database Tables

  • InventoryApplication
  • InventoryApplicationFile
  • InventoryDriverBinary
  • DeviceCensus

5. Event Log Parser (WinLog_Claw.py)

Parses Windows Event Log files (.evtx).

Forensic Value

  • User logon/logoff events
  • Process creation (Event ID 4688)
  • Service installations
  • System events

6. Jump Lists & LNK Parser (A_CJL_LNK_Claw.py)

Parses Jump Lists and LNK (shortcut) files.

Forensic Value

  • Recently accessed files
  • Application usage patterns
  • File paths and network shares
  • Timestamps of file access

7. SRUM Parser (SRUM_Claw.py)

Parses System Resource Usage Monitor database.

Forensic Value

  • Application runtime and resource usage
  • Network connectivity data
  • Energy usage statistics

8. MFT Parser (MFT_Claw.py)

Parses the Master File Table from NTFS file systems.

Forensic Value

  • Complete file system timeline
  • File creation, modification, access times
  • Deleted file recovery
  • File attributes and permissions

9. USN Journal Parser (USN_Claw.py)

Parses the Update Sequence Number Journal.

Forensic Value

  • File system change tracking
  • File creation, deletion, renaming events
  • Detailed change reasons

10. Recycle Bin Parser (recyclebin_claw.py)

Parses Recycle Bin artifacts.

Forensic Value

  • Deleted file metadata
  • Original file paths
  • Deletion timestamps
  • File sizes

Timeline Module

Advanced timeline visualization system with OpenGL-accelerated rendering for analyzing temporal relationships between artifacts.

Architecture

The timeline module is organized into three main layers:

  • Data Layer: Manages timeline data access and querying
  • Rendering Layer: Handles visual representation with OpenGL
  • UI Layer: Provides user interaction and controls

Key Components

  • timeline_dialog.py: Main timeline dialog window
  • timeline_canvas.py: QGraphicsView-based canvas
  • timeline_config_dialog.py: Configuration and filtering
  • event_renderer.py: Event marker rendering
  • timeline_data_manager.py: Data access layer
  • zoom_manager.py: Zoom level management

Features

  • OpenGL-accelerated rendering for smooth performance
  • Multiple zoom levels (day, week, month, year)
  • Event filtering by artifact type
  • Power event markers
  • Event correlation engine
  • Progressive data loading

Data Management Layer

The data layer handles all database operations, search functionality, and data loading.

Database Architecture

Crow Eye uses SQLite databases for storing parsed artifacts:

  • Case Databases: One database per case
  • Artifact Tables: Separate tables for each artifact type
  • Indexes: Optimized for timestamp and text searches

Key Components

  • database_manager.py: Connection and transaction management
  • base_loader.py: Base class for data loaders
  • registry_loader.py: Registry-specific data loading
  • mft_loader.py: MFT data loading with virtual tables
  • usn_loader.py: USN Journal data loading
  • search_engine.py: Full-text search across artifacts
  • index_manager.py: Database index optimization

Search Capabilities

  • Full-text search across all artifacts
  • Timestamp range filtering
  • Regular expression support
  • Multi-field queries
  • Search history tracking

UI Components

The UI layer provides a cyberpunk-themed interface for interacting with forensic data.

Component Factory Pattern

The component_factory.py module creates consistent UI elements:

  • Styled tables with custom headers
  • Search and filter dialogs
  • Progress indicators
  • Custom buttons and controls

Key Dialogs

  • case_dialog.py: Case creation and management
  • search_filter_dialog.py: Advanced search interface
  • row_detail_dialog.py: Detailed artifact view
  • Loading_dialog.py: Custom loading animations

Virtual Tables

For large datasets (MFT, USN), Crow Eye uses virtual tables:

  • On-demand data loading
  • Smooth scrolling for millions of records
  • Memory-efficient rendering
  • Pagination controls