Overview

Crow Eye is an open-source Windows forensic investigation engine designed to collect, analyze, and visualize various Windows artifacts. It features a modular architecture with specialized components for artifact collection, data processing, and visualization through a cyberpunk-themed GUI.

Key Features

  • Comprehensive Artifact Collection: Supports Prefetch, Registry, Event Logs, Amcache, Jump Lists, SRUM, MFT, USN Journal, Recycle Bin.
  • Timeline Visualization: Advanced timeline view with OpenGL-accelerated rendering.
  • Case Management: Organize investigations into cases with persistent configuration.
  • Modular Architecture: Easy to extend with new artifact parsers.

Project Structure

The project is organized into several key directories:

  • Artifacts_Collectors/: Specialized parsers for Windows artifacts (Prefetch, MFT, Registry, etc.).
  • eye/: The Eye AI Forensic Agent subsystem (Bridge, Services, UI).
  • correlation_engine/: Advanced forensic correlation and identity engine.
  • dynamic_mapping/: Intelligence layer for dynamic linking and enrichment.
  • data/: Data management components and unified search engines.
  • ui/: Main PyQt5 user interface components.
  • timeline/: OpenGL and React-based timeline visualization.
  • utils/: Core utilities, concurrency management, and dependency installers.
  • configs/: System configurations and the Forensic Knowledge Base (RAG).
  • CONTRIBUTING.md: Contribution guidelines.
  • Crow Eye.py: Main application entry point.
  • GUI_resources.py: UI assets and resources.
  • LICENSE: Project license.
  • README.md: Project overview.
  • styles.py: Custom UI styling engine.
Crow-Eye/
Artifacts_Collectors/
Forensics_Image_parsing/
strategies/
__init__.py
e01_access_strategy.py
iso_access_strategy.py
raw_access_strategy.py
vhdx_access_strategy.py
vmdk_access_strategy.py
README.md
__init__.py
config.json
data_models.py
error_handler.py
file_system_accessor.py
image_collection_wrapper.py
image_extractor.py
image_parser.py
image_parsing_dialog.py
partition_detector.py
requirements.txt
MFT and USN journal/
MFT_Claw.py
USN_Claw.py
__init__.py
mft_usn_correlator.py
Offline_Importer/
resources/
.gitkeep
icons.py
styling.py
__init__.py
artifact_collector.py
artifact_scan_index.py
artifact_type_detector.py
artifact_validator.py
collection_coordinator.py
launch_gui.py
offline_importer_gui.py
parse_artifacts_dialog.py
parser_invoker.py
report_generator.py
crow_claw/
core/
__init__.py
access_result.py
access_strategy.py
artifacts.py
collector.py
error_classifier.py
file_accessor.py
lock_detection.py
manifest.py
raw_disk_access_strategy.py
shadow_copy.py
shadow_copy_manager.py
standard_copy_strategy.py
status_reporter.py
validator.py
vss_access_strategy.py
vss_diagnostics.py
vss_error_reporter.py
vss_health_checker.py
windows_version_detector.py
gui/
__init__.py
main_window.py
Crow_claw.py
__init__.py
setup.py
offline_parsers/
README_OFFLINE_CORRELATION.md
README_OFFLINE_REGCLAW.md
__init__.py
offline_ACJLClaw.py
offline_AmCacheClaw.py
offline_MFTClaw.py
offline_MFT_USN_Correlator.py
offline_PrefetchClaw.py
offline_RecycleBinClaw.py
offline_RegClaw.py
offline_SRUM_Claw.py
offline_ShimCacheClaw.py
offline_USNClaw.py
offline_WinLog_Claw.py
A_CJL_LNK_Claw.py
Known_AppIDs.csv
Known_GUIDs.csv
Prefetch_claw.py
Regclaw.py
SRUM_Claw.py
WinLog_Claw.py
__init__.py
amcacheparser.py
partition_analyzer.py
recyclebin_claw.py
registry_binary_parser.py
shimcash_claw.py
windows_partition_detector.py
GUI Resources/
icons/
check.svg
correlation-icon.svg
correlation_icon_v4.html
correlation_icon_v4.svg
dynamic_linking.svg
export.svg
filter-icon.png
menu-icon.svg
new-case-icon.svg
open-case-icon.svg
search-icon.svg
settings-icon.svg
visualization.svg
CrowEye.ico
CrowEye.jpg
Resources_rc.qrc
gray color image.jpg
hamburger menu.png
loading.gif
main-menu.png
the Eye AI agent transparent.png
config/
standard_fields/
event_identifiers.json
file_paths.json
network_identifiers.json
process_identifiers.json
system_identifiers.json
timestamps.json
user_identifiers.json
__init__.py
case_1.5.2026 2.json
case_1.5.2026.json
case_3.json
case_4.json
case_5.json
case_6.5.2026.json
case_6.json
case_7.5.2026.json
case_7.json
case_8.json
case_history_manager.py
configuration_manager.py
data_models.py
last_case.json
configs/
knowledge_base/
Global_schema_databse_Refrence.md
amcache_knowledge.md
eventlog_knowledge.md
evidence_intelligence.md
forensic_methodology.md
global_schema_reference.md
jumplist_knowledge.md
mft_knowledge.md
parser_mappings.json
prefetch_knowledge.md
recyclebin_knowledge.md
registry_knowledge.md
remote_access_knowledge.md
shimcache_knowledge.md
srum_knowledge.md
usn_knowledge.md
README.md
context_window_presets.json
eye_config.json
eye_config_example_full.json
eye_config_schema.json
llm_config.json
semantic_mapping_config.json
semantic_mapping_rules_default.json
semantic_rules_default.json
semantic_rules_example.json
semantic_rules_schema.json
correlation_engine/
config/
default_mappings/
browser_history.yaml
event_logs.yaml
file_system.yaml
prefetch.yaml
registry.yaml
__init__.py
artifact_type_registry.py
artifact_types.json
case_configuration_file_manager.py
case_configuration_manager.py
case_specific_configuration_manager.py
centralized_score_config.py
config_manager.py
configuration_change_handler.py
configuration_conflict_resolver.py
configuration_migration.py
feather_config.py
identifier_extraction_config.py
integrated_configuration_manager.py
pipeline_config.py
pipeline_config_manager.py
score_config_migration_tool.py
score_configuration_manager.py
semantic_config.py
semantic_mapping.py
semantic_mapping_discovery.py
semantic_rule_validator.py
session_state.py
wing_config.py
database/
__init__.py
connection_manager.py
docs/
config/
ARTIFACT_TYPE_REGISTRY.md
CONFIGURATION_RELOAD.md
CONFIG_DOCUMENTATION.md
WEIGHT_PRECEDENCE.md
docs/
config/
CONFIG_DOCUMENTATION.md
engine/
ENGINE_DOCUMENTATION.md
feather/
FEATHER_DOCUMENTATION.md
gui/
GUI_DOCUMENTATION.md
integration/
INTEGRATION_DOCUMENTATION.md
pipeline/
PIPELINE_DOCUMENTATION.md
wings/
WINGS_DOCUMENTATION.md
CORRELATION_ENGINE_OVERVIEW.md
FEATHER_METADATA_OPTIONAL.md
PIPELINE_CONFIG_MANAGER_README.md
engine/
ENGINE_DOCUMENTATION.md
TIME_WINDOW_SCANNING_ENGINE.md
feather/
FEATHER_DOCUMENTATION.md
gui/
GUI_DOCUMENTATION.md
integration/
INTEGRATION_DOCUMENTATION.md
INTEGRATION_INTERFACES.md
pipeline/
PIPELINE_DOCUMENTATION.md
semantic_mapping/
SEMANTIC_MAPPING_GUIDE.md
wings/
WINGS_DOCUMENTATION.md
ARCHITECTURE.md
CONTRIBUTING.md
CORRELATION_ENGINE_OVERVIEW.md
FEATHER_METADATA_OPTIONAL.md
PIPELINE_CONFIG_MANAGER_README.md
README.md
STRUCTURAL_FIXES_SUMMARY.md
WING_FEATHER_GUIDE.md
engine/
ui/
__init__.py
IDENTIFIER_EXTRACTION_README.md
__init__.py
base_engine.py
cancellation_support.py
correlation_engine.py
correlation_result.py
correlation_statistics.py
data_structures.py
database_error_handler.py
database_persistence.py
engine_selector.py
enhanced_feather_loader.py
error_handling_coordinator.py
feather_loader.py
identifier_correlation_engine.py
identifier_extraction_pipeline.py
identity_based_engine_adapter.py
identity_correlation_engine.py
identity_extractor.py
identity_validator.py
memory_manager.py
parallel_window_processor.py
performance_analysis.py
performance_benchmark.py
performance_monitor.py
progress_tracking.py
query_builder.py
query_interface.py
results_formatter.py
semantic_matches_evaluator.py
semantic_matches_evaluator_enhanced.py
semantic_rule_evaluator.py
streaming_manager.py
time_based_engine.py
time_estimation.py
time_window_config.py
timestamp_parser.py
two_phase_correlation.py
weighted_scoring.py
wing_config_adapter.py
feather/
ui/
__init__.py
csv_tab.py
data_viewer.py
database_tab.py
json_tab.py
main_window.py
progress_widget.py
styles.qss
__init__.py
database.py
feather_builder.py
transformer.py
gui/
CORRELATION_VIEWERS_DOCUMENTATION.md
README.md
__init__.py
__main__.py
anchor_detail_dialog.py
case_specific_configuration_dialog.py
comparative_analysis_widget.py
component_detail.py
config_library.py
correlation_results_view.py
crow_eye_styles.qss
database_results_loader.py
execution_control.py
hierarchical_results_view.py
identifier_extraction_config_panel.py
identity_detail_dialog.py
identity_results_view.py
main_window.py
match_detail_dialog.py
performance_utils.py
pipeline_builder.py
pipeline_management_tab.py
pipeline_selection_dialog.py
pipeline_selector_widget.py
progress_display_widget.py
results_exporter.py
results_tab_widget.py
results_viewer.py
scoring_breakdown_widget.py
semantic_filter_panel.py
semantic_info_display_widget.py
semantic_mapping_editor_dialog.py
semantic_mapping_viewer.py
settings_dialog.py
time_based_results_view.py
time_search_widget.py
timebased_results_viewer.py
timeline_widget.py
tooltips_help.py
ui_styling.py
wing_selection_dialog.py
identity_semantic_phase/
CONFIGURATION.md
__init__.py
identity_aggregator.py
identity_level_semantic_processor.py
identity_registry.py
identity_semantic_controller.py
semantic_data_propagator.py
semantic_mapping_controller.py
sql_semantic_mapper.py
integration/
default_wings/
Execution_Proof_Correlation.json
README.md
User_Activity_Correlation.json
__init__.py
auto_feather_generator.py
case_initializer.py
case_specific_configuration_integration.py
correlation_integration.py
crow_eye_integration.py
default_pipeline_creator.py
default_wings_loader.py
error_handling.py
feather_config_generator.py
feather_mappings.py
integration_diagnostics.py
integration_error_handler.py
integration_logging.py
integration_monitor.py
interfaces.py
progress_tracking_integration.py
semantic_mapping_integration.py
terminal_progress_logger.py
weighted_scoring_integration.py
memory/
__init__.py
memory_manager.py
optimization/
__init__.py
optimization_components.py
performance_config.py
progress_tracking_optimizer.py
semantic_mapping_optimizer.py
weighted_scoring_optimizer.py
pipeline/
__init__.py
database_connection_manager.py
discovery_service.py
error_handler.py
feather_auto_registration.py
path_resolver.py
pipeline_executor.py
pipeline_loader.py
services/
case_switching_service.py
wings/
core/
__init__.py
artifact_detector.py
wing_model.py
wing_validator.py
ui/
__init__.py
anchor_priority_widget.py
feather_widget.py
json_viewer.py
main_window.py
semantic_mapping_dialog.py
wings_styles.qss
__init__.py
ARCHITECTURE.md
CONTRIBUTING.md
__init__.py
data/
__init__.py
base_loader.py
correlated_loader.py
database_discovery_manager.py
database_initializer.py
database_manager.py
index_manager.py
mft_loader.py
registry_loader.py
search_engine.py
search_history_manager.py
timestamp_detector.py
timestamp_parser.py
unified_search_engine.py
usn_loader.py
dynamic_mapping/
core/
__init__.py
base.py
database.py
intelligence_engine.py
enrichment/
__init__.py
enrichment_mixin.py
gui/
__init__.py
dynamic_linking_window.py
io/
__init__.py
ioc_parser.py
rules/
__init__.py
base.py
custom_rules.py
default_rules.py
__init__.py
eye/
backends/
cloud_api/
__init__.py
anthropic_backend.py
gemini_backend.py
openai_backend.py
local_cli/
__init__.py
cli_profiles.py
generic_cli_backend.py
local_server/
__init__.py
lmstudio_backend.py
ollama_backend.py
__init__.py
base.py
brain/
b0eef3d2-ee70-4658-87e6-cd36645c1e33/
bridge/
__init__.py
eye_bridge.py
cli_agents/
cli_profiles.py
generic_cli_backend.py
docs/
ARCHITECTURE_VERIFICATION.md
DIAGRAM_QUICK_REFERENCE.md
DOCUMENTATION_STRUCTURE.md
MIGRATION_GUIDE.md
colorblind_simulation_guide.md
eye_architecture.md
eye_enhancements.md
eye_enhancements_roadmap.md
eye_testing_architecture.md
eye_tools_reference.md
gradient_rendering_pdf.md
temp_part1.txt
models/
__init__.py
message_metadata.py
report_blocks.py
services/
PDF_EXPORT_IMPLEMENTATION.md
__init__.py
case_context_manager.py
case_directory_manager.py
chart_renderer.py
color_manager.py
config_manager.py
context_manager.py
context_window_config_manager.py
correlation_service.py
credential_manager.py
database_service.py
error_handler.py
evidence_detector.py
forensic_handlers.py
heatmap_renderer.py
history_manager.py
intent_engine.py
internet_search_service.py
model_router.py
pdf_exporter.py
query_processor.py
rag_service.py
report_engine.py
report_handlers.py
report_parser.py
search_service.py
svg_chart_exporter.py
template_manager.py
threat_intel_service.py
timeline_renderer.py
timestamp_service.py
token_counter.py
truncation_auditor.py
ui/
react/
public/
eye-logo.png
favicon.svg
icons.svg
src/
assets/
eye_icon.png
hero.png
react.svg
vite.svg
test/
setup.ts
ActionChips.css
ActionChips.tsx
App.css
App.tsx
BRIDGE_INTEGRATION.md
ChatInterface.css
ChatInterface.tsx
DataViewer.css
DataViewer.tsx
FullHistoryModal.css
FullHistoryModal.tsx
Icons.tsx
InputBar.css
InputBar.tsx
LoadingDialog.css
LoadingDialog.tsx
MessageList.css
MessageList.tsx
MessagePinButton.css
MessagePinButton.tsx
ModelBadge.css
ModelBadge.tsx
OptionMenu.css
OptionMenu.tsx
README.md
ReportBlockComponent.css
ReportBlockComponent.tsx
ReportBuilderPanel.css
ReportBuilderPanel.tsx
ThinkingTrace.css
ThinkingTrace.tsx
TokenBudgetSlider.css
TokenBudgetSlider.tsx
TruncationWarningBanner.css
TruncationWarningBanner.tsx
bridge.ts
index.css
main.tsx
report-main.tsx
types.ts
BUILD.md
PYTHON_INTEGRATION_EXAMPLE.md
README.md
eslint.config.js
index.html
package-lock.json
package.json
patch_eye_ui.py
report.html
tsconfig.app.json
tsconfig.json
tsconfig.node.json
vite.config.ts
EYE_TAB_INTEGRATION_PATTERN.md
README.md
__init__.py
case_setup_dialog.py
case_summary_dialog.py
eye_manager.py
eye_splash.html
eye_tab_stub.py
eye_window.py
eye_window_manager.py
hitl_dialogs.py
message_box_helper.py
onboarding_wizard.py
settings_dialog.py
README.md
__init__.py
requirements.txt
timeline/
correlation/
__init__.py
correlation_engine.py
data/
__init__.py
event_aggregator.py
power_event_extractor.py
progressive_loader.py
query_worker.py
srum_app_resolver.py
timeline_data_manager.py
timestamp_indexer.py
persistence/
__init__.py
react-timeline/
public/
favicon.svg
icons.svg
src/
assets/
hero.png
react.svg
vite.svg
components/
DetailPanel.jsx
ErrorBoundary.jsx
EventDetailModal.jsx
HeatmapView.jsx
LabelColumn.jsx
LaneDataModal.jsx
PillBar.jsx
TimelineView.jsx
TopBar.jsx
WeekView.jsx
hooks/
useBridge.js
useLinks.js
useTimelineState.js
styles/
bands.css
timeline.css
utils/
dataUtils.js
formatters.js
linkComputer.js
App.jsx
main.jsx
diag.py
eslint.config.js
index.html
package-lock.json
package.json
vite.config.js
rendering/
__init__.py
event_renderer.py
viewport_optimizer.py
zoom_manager.py
utils/
__init__.py
animation_manager.py
error_handler.py
event_clusterer.py
loading_indicator.py
progressive_loading_indicator.py
timestamp_parser.py
tooltip_manager.py
value_parser.py
README.md
__init__.py
timeline_bridge.py
timeline_dialog.py
ui/
GUI_WORKERS_README.md
Loading_dialog.py
__init__.py
case_dialog.py
component_factory.py
correlated_virtual_table_integration.py
data_settings_dialog.py
database_search_dialog.py
database_search_integration.py
gui_workers.py
mft_virtual_table_integration.py
pagination_config.py
pagination_helper.py
pagination_widget.py
partition_window.py
progress_indicator.py
row_detail_dialog.py
row_detail_dialog_handler.py
search_filter_dialog.py
search_integration.py
search_utils.py
search_widget.py
settings_dialog.py
startup_menu.py
usn_virtual_table_integration.py
virtual_table_widget.py
utils/
concurrency/
__init__.py
cancellation.py
models.py
process_manager.py
progress.py
standalone_parsers.py
NODEJS_INSTALLER_README.md
__init__.py
error_handler.py
file_signature_detector.py
file_utils.py
forensic_deps_installer.py
forensic_deps_status.json
memory_monitor.py
nodejs_installer.py
path_utils.py
raw_file_copy.py
search_utils.py
time_utils.py
CONTRIBUTING.md
Crow Eye.py
GUI_resources.py
LICENSE
README.md
styles.py

System Architecture & Orchestration

Crow Eye is built on a sophisticated multi-layered architecture that prioritizes forensic integrity and real-time responsiveness. The system orchestrates complex data pipelines while maintaining a seamless investigative workspace.

Main Application (Crow Eye.py)
The central nervous system of the project. It orchestrates the entire forensic lifecycle, manages the PyQt5/React bridge, and handles asynchronous task scheduling to ensure 0ms UI lag during heavy data processing.

UI & Experience Layer

Responsive React-based interface embedded via QWebEngine. Manages the high-fidelity dark-mode canvas and real-time data streaming.

Component Factory
Eye UI Bridge
Styles Engine

Forensic Collectors

Modular triage collectors. Each collector is an independent module that parses raw Windows artifacts into standardized forensic formats.

MFT/USN
Registry
Event Logs
Jump Lists

Persistence & Search

High-performance SQLite backend. Manages forensic "Feathers" and provides O(log n) search capabilities across millions of artifacts.

Feather Engine
Search Manager
SQLite DB

Image Parsing Engine

Modular engine powered by the dissect framework. Uses the Strategy Design Pattern to parse E01, VHDX, VMDK, and RAW images without host-OS mounting.

Strategy Manager
FS Accessor
Partition Detector

Timeline & Visualization

Hybrid React/Python architecture. Uses an SPA interface embedded via QWebEngine with the Timeline Bridge for asynchronous event streaming.

Timeline SPA
Timeline Bridge
Event Aggregator

Forensic Correlation Engine

Advanced Correlation Framework

The Correlation Engine is the analytical heart of Crow-Eye. It provides a modular framework for finding temporal and semantic relationships across diverse forensic artifacts, enabling investigators to reconstruct complex attack chains with O(N log N) efficiency.

Core Methodology

Crow-Eye utilizes a Dual-Engine Architecture to balance forensic precision with computational performance. Whether tracking a single executable across the timeline or analyzing massive event logs, the system dynamically adapts to the investigative context.

🪶 Feather

The data normalization layer. Feathers transform raw artifacts (LNK, Prefetch, EVTX) into standardized SQLite schemas, ensuring tool-agnostic analysis.

🪽 Wing

The logic layer. Wings define the correlation rules, temporal boundaries (default 180m), and semantic mappings that guide the investigation.

Engine Subsystems

⚙️ Correlation Subsystems

Engine Core

correlation_engine.py
weighted_scoring.py

Feather System

feather_builder.py
transformer.py

Wings System

wing_model.py
wing_validator.py

Dual-Engine Comparison

🔍 Identity-Based (O(N log N))

  • Extract Identities
  • Group by Identity
  • Temporal Anchoring

Optimized for tracking specific files/applications across artifacts. Constant memory usage via streaming.

⏱️ Time-Based (O(N log N))

  • Time Window Scan
  • Indexed Queries
  • Pattern Matching

Systematic temporal analysis across large datasets. Ideal for reconstruction of event timelines.

Engine Selection Guide

Feature         Identity-Based       Time-Based
Primary Focus   Entity Tracking      Temporal Context
Scaling         10,000+ Records      1,000+ Records
Memory          O(1) Streaming       Low (Buffered)

Directory Structure

correlation_engine/
    engine/         Core logic & algorithms
    feather/        Data normalization
    wings/          Rule definitions
    config/         Mappings & settings
    pipeline/       Orchestration
    gui/            User interface
    integration/    Crow-Eye bridge

Eye AI Forensic Agent

Active Development Notice: The Eye Assistant is currently in continuous active development. Users and developers should expect significant changes, architectural optimizations, and new feature integrations in the upcoming releases.

The Eye AI Forensic Assistant is an embedded, tool-augmented "Forensic AI Agent" that orchestrates forensic data querying, analysis, and report generation within the Crow-eye suite. It acts as an expert forensic peer, accelerating the analysis of Windows artifacts by detecting suspicious behaviors through deep correlation and helping investigators build comprehensive forensic reports.

Core Capabilities

Eye consists of a modern React-based GUI embedded inside the PyQt5 application, interacting asynchronously with a Python backend Context Manager.

  • Natural Language Investigation: Query forensic artifacts using conversational AI.
  • Multi-Source Data Integration: Unified access to Prefetch, MFT, Registry, Event Logs, and more.
  • Living Report Workspace: Real-time collaborative documentation with charts and evidence tracking.
  • RAG-Enhanced Analysis: Retrieval-Augmented Generation for artifact-specific forensic knowledge.
  • Multi-Backend Support: OpenAI, Anthropic, Gemini, Ollama, and LM Studio.
  • Human-in-the-Loop: Critical investigative decisions require investigator validation.

Core Architectural Components

2.1. The Frontend (React + QWebChannel)

  • Embedded Web UI: A modern interface providing a Chat view, Data Viewer, and a "Living Report" Generator. Embedded using QWebEngineView.
  • Asynchronous Communication: Uses QWebChannel to stream chunks of text and tool states in real-time, reducing perceived latency.

2.2. The Backend Context Manager (Python)

The ContextManager is the brain of Eye. It maintains conversational state, enforces forensic reporting rules, applies RAG, and dictates authorized tool usage.

2.3. Model-Agnostic Router

Allows seamless switching between backends:

  • Local Server API: LM Studio / Ollama for private, offline analysis.
  • Cloud APIs: Gemini, Anthropic, OpenAI for complex reasoning.

2.4. TOON (Table-Oriented Object Notation) Engine

Prevents context window exhaustion. If a query returns >1000 rows, the TOON Engine applies SQL pushdowns to aggregate data into an ultra-compact structure (metadata, sample rows, summary stats) before delivery to the AI.
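
The compaction described above, as an added illustration (not Eye's TOON Engine; the threshold, the stats chosen and the `compact_result` / `is_single_select` names are assumptions). It pushes COUNT, MIN/MAX/AVG and COUNT(DISTINCT) down into SQLite instead of pulling every row into the model's context, and refuses anything that is not a single SELECT, since the agent's query tool is read-only:

```python
import sqlite3
from typing import Any, Dict

ROW_THRESHOLD = 1000   # results above this many rows are compacted, as on the page
SAMPLE_ROWS = 5


def is_single_select(sql: str) -> bool:
    """True only for one SELECT/WITH statement with no trailing second statement.
    sqlite3.execute() also rejects multi-statement strings; this is a first gate."""
    body = sql.strip().rstrip(";")
    if not body or ";" in body:
        return False
    return body.split(None, 1)[0].upper() in ("SELECT", "WITH")


def compact_result(conn: sqlite3.Connection, sql: str,
                   threshold: int = ROW_THRESHOLD, sample: int = SAMPLE_ROWS) -> Dict[str, Any]:
    """Return full rows when the result is small; otherwise return metadata,
    a few sample rows and per-column summary stats computed in SQL."""
    if not is_single_select(sql):
        raise ValueError("only a single SELECT statement is permitted")
    sub = f"({sql.strip().rstrip(';')}) AS q"          # wrap the agent's query as a subquery
    total = conn.execute(f"SELECT COUNT(*) FROM {sub}").fetchone()[0]
    cur = conn.execute(f"SELECT * FROM {sub} LIMIT ?", (sample,))
    columns = [d[0] for d in cur.description]
    sample_rows = [list(r) for r in cur.fetchall()]
    if total <= threshold:
        rows = [list(r) for r in conn.execute(f"SELECT * FROM {sub}")]
        return {"mode": "full", "row_count": total, "columns": columns, "rows": rows}

    stats: Dict[str, Dict[str, Any]] = {}
    for col in columns:
        # typeof() of the first non-NULL value decides numeric vs categorical handling
        t = conn.execute(
            f'SELECT typeof("{col}") FROM {sub} WHERE "{col}" IS NOT NULL LIMIT 1'
        ).fetchone()
        if t and t[0] in ("integer", "real"):
            mn, mx, avg = conn.execute(
                f'SELECT MIN("{col}"), MAX("{col}"), AVG("{col}") FROM {sub}').fetchone()
            stats[col] = {"min": mn, "max": mx, "avg": round(avg, 3)}
        else:
            distinct, = conn.execute(f'SELECT COUNT(DISTINCT "{col}") FROM {sub}').fetchone()
            top = conn.execute(
                f'SELECT "{col}", COUNT(*) AS c FROM {sub} GROUP BY "{col}" ORDER BY c DESC LIMIT 3'
            ).fetchall()
            stats[col] = {"distinct": distinct, "top": [list(r) for r in top]}
    return {"mode": "compact", "row_count": total, "columns": columns,
            "sample_rows": sample_rows, "stats": stats}


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data (not real evidence): a prefetch-like table with 2500 rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE prefetch (exe TEXT, run_count INTEGER, last_run TEXT)")
    rows = [(f"APP{i % 7}.EXE-{i:08X}.pf", i % 50, f"2026-01-{1 + i % 28:02d}T12:00:00Z")
            for i in range(2500)]
    conn.executemany("INSERT INTO prefetch VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print(compact_result(db, "SELECT exe, run_count FROM prefetch WHERE run_count > 10"))
```

Against a real case database, open it read-only (`sqlite3.connect("file:artifacts.db?mode=ro", uri=True)`) so the agent cannot alter evidence even if the gate above were bypassed.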

System Architecture Map

    graph TB
        %% Class Definitions for Website Style
        classDef brain fill:#6366f1,stroke:#6366f1,color:#fff
        classDef service fill:#22d3ee,stroke:#22d3ee,color:#000
        classDef backend fill:#f43f5e,stroke:#f43f5e,color:#fff
        classDef data fill:#1e293b,stroke:#475569,color:#fff
        classDef bridge fill:#ec4899,stroke:#ec4899,color:#fff
        classDef protocol fill:#84cc16,stroke:#84cc16,color:#000
        classDef frontend fill:#312e81,stroke:#6366f1,color:#fff
        classDef intel fill:#a855f7,stroke:#a855f7,color:#fff

        subgraph FE [Frontend Layer - React]
            ChatUI[Chat Interface]:::frontend
            ReportUI[Living Report Workspace]:::frontend
            BridgeJS[QWebChannel Client]:::frontend
        end

        subgraph BC [Bridge & Config Layer]
            EyeBridge[EyeBridge.py]:::bridge
            ConfigMgr[ConfigManager.py]:::bridge
            Schema[(eye_config_schema.json)]:::data
            ActiveConfig[(eye_config.json)]:::data
        end

        subgraph BR [The Brain - Intelligence Layer]
            ContextMgr[ContextManager.py]:::brain
            QueryProc[QueryProcessor.py]:::brain
            IntentEng[IntentEngine.py]:::brain
            TokenMgr[ContextWindowConfigManager.py]:::brain
            HistoryMgr[HistoryManager.py]:::brain
            AuditLog[TruncationAuditor.py]:::protocol
            EvidenceDet[EvidenceDetector.py]:::intel
        end

        subgraph SV [Service Layer]
            ModelRouter[ModelRouter.py]:::service
            RAGSvc[RAGService.py]:::service
            DBSvc[DatabaseService.py]:::service
            SearchSvc[ForensicSearchService.py]:::service
            ReportEng[ReportEngine.py]:::service
            TOON[TOON Compression]:::service
            CredentialMgr[CredentialManager.py]:::service
        end

        subgraph ID [Intelligence & Detection]
            ThreatIntel[ThreatIntelService.py]:::intel
            Correlation[CorrelationService.py]:::intel
            VT[VirusTotal API]:::intel
            OTX[AlienVault OTX]:::intel
            LOLBAS[LOLBAS/Drivers]:::intel
        end

        subgraph RX [Rendering & Export]
            PDFExp[PDFExporter.py]:::service
            SVGExp[SVGChartExporter.py]:::service
            Heatmap[HeatmapRenderer.py]:::service
            Timeline[TimelineRenderer.py]:::service
            ColorMgr[ColorManager.py]:::service
        end

        subgraph BS [Backend Strategy]
            LocalCLI[GenericCLIBackend]:::backend
            LocalAPI[LocalServerBackend]:::backend
            CloudAPI[CloudAPIBackend]:::backend
        end

        subgraph FI [Forensic Infrastructure]
            ForensicDB[(Artifact Databases<br/>SQLite)]:::data
            Registry[(Registry Hives<br/>SAM / SYSTEM)]:::data
            KnowledgeBase[(RAG Knowledge Base<br/>Embeddings)]:::data
            Keychain[(OS Keychain<br/>Credential Storage)]:::data
            AuditFiles[(truncation_audit.log)]:::data
            CaseDir[(Case Directory Manager)]:::data
        end

        ChatUI <--> BridgeJS
        BridgeJS <--> EyeBridge
        EyeBridge <--> ContextMgr
        ConfigMgr -- validates --> ActiveConfig
        ActiveConfig -- against --> Schema
        ConfigMgr -- drives --> ModelRouter
        ContextMgr --> QueryProc
        QueryProc --> IntentEng
        QueryProc --> RAGSvc
        QueryProc --> TokenMgr
        QueryProc --> ModelRouter
        QueryProc --> HistoryMgr
        QueryProc --> AuditLog
        QueryProc --> EvidenceDet
        EvidenceDet --> ThreatIntel
        ThreatIntel --> VT & OTX & LOLBAS
        ModelRouter --> LocalCLI & LocalAPI & CloudAPI
        ModelRouter -.-> CredentialMgr
        CredentialMgr <--> Keychain
        QueryProc --> DBSvc
        QueryProc --> SearchSvc
        QueryProc --> ReportEng
        DBSvc --> TOON
        ReportEng --> PDFExp & SVGExp & Heatmap & Timeline
        Heatmap & Timeline --> ColorMgr
        QueryProc -.->|Investigator Approval| HumanValidation{Human in the Loop}:::protocol
        HumanValidation -.-> ContextMgr
        DBSvc --> ForensicDB & Registry
        QueryProc --> Correlation
        RAGSvc --> KnowledgeBase
        AuditLog --> AuditFiles
        CaseDir --> ForensicDB
        ReportEng -- exports --> FileSystem[(HTML/PDF Reports)]:::data

        %% Subgraph Styling
        style FE fill:#1e1b4b,stroke:#312e81,stroke-width:2px,color:#fff
        style BC fill:#1e1b4b,stroke:#312e81,stroke-width:2px,color:#fff
        style BR fill:#0f172a,stroke:#1e293b,stroke-width:2px,color:#fff
        style SV fill:#0f172a,stroke:#1e293b,stroke-width:2px,color:#fff
        style ID fill:#2e1065,stroke:#4c1d95,stroke-width:2px,color:#fff
        style RX fill:#064e3b,stroke:#065f46,stroke-width:2px,color:#fff
        style BS fill:#450a0a,stroke:#7f1d1d,stroke-width:2px,color:#fff
        style FI fill:#020617,stroke:#0f172a,stroke-width:2px,color:#fff

The Ghassan Elsman Protocol (GEP)

The GEP is a strict set of forensic integrity boundaries enforced during every investigation step.

0. Case Awareness (The Triage): Initial blueprinting of the case context injected directly into the system prompt.
1. Pre-Flight Integrity (The Ping): Validates backend connectivity to prevent silent failures before processing.
2. Evidence Anchoring (The Snippets): Automatically tags and preserves raw forensic context (hashes, IPs, timestamps) in history.
3. Chain of Custody (Audit Trail): Meticulous recording of all preservation and truncation events into truncation_audit.log.
4. Non-Repudiation (Hash-Linked): Assignment of deterministic, content-based IDs to all messages to ensure record integrity.
5. Context Preservation (Pinning): Specific logic to exclude evidence-flagged messages from AI summarization.
6. Tool Traceability: Injection of tool names and execution iteration counts into system history for perfect tracing.
7. Machine-Readable Review (Synthesis): Export of a structured JSON audit trail for automated protocol compliance checking.
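
Steps 3, 4 and 5 above, worked through as an added example that is not Eye's HistoryManager or TruncationAuditor code: each record's id is the SHA-256 of its canonical content plus the previous id, so editing or dropping any earlier message invalidates every later id; evidence-flagged messages are pinned out of the summarization set, and each summarization decision is recorded in an in-memory stand-in for truncation_audit.log. The class and field names are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Message:
    role: str
    content: str
    evidence: bool = False     # GEP step 2: evidence-anchored snippet, must survive truncation
    prev_id: str = ""          # id of the preceding record ("" for the first message)
    msg_id: str = ""           # GEP step 4: deterministic, content-based id


def compute_id(prev_id: str, role: str, content: str, evidence: bool) -> str:
    """SHA-256 over a canonical JSON encoding of the record plus the previous id.
    Canonical (sorted keys, fixed separators) so the same record always hashes the same."""
    body = json.dumps(
        {"prev": prev_id, "role": role, "content": content, "evidence": evidence},
        sort_keys=True, separators=(",", ":"), ensure_ascii=True,
    )
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


class HashLinkedHistory:
    """Hypothetical hash-linked conversation history with pinning and an audit trail."""

    def __init__(self) -> None:
        self.messages: List[Message] = []
        self.audit: List[dict] = []    # GEP step 3: one entry per truncation/summarization event

    def append(self, role: str, content: str, evidence: bool = False) -> Message:
        prev_id = self.messages[-1].msg_id if self.messages else ""
        msg = Message(role, content, evidence, prev_id,
                      compute_id(prev_id, role, content, evidence))
        self.messages.append(msg)
        return msg

    def verify(self) -> Optional[int]:
        """Recompute the chain; return the index of the first inconsistent record, or None."""
        prev_id = ""
        for i, m in enumerate(self.messages):
            expected = compute_id(prev_id, m.role, m.content, m.evidence)
            if m.prev_id != prev_id or m.msg_id != expected:
                return i
            prev_id = m.msg_id
        return None

    def summarizable(self, keep_last: int = 2) -> List[Message]:
        """GEP step 5: everything except pinned evidence and the most recent turns
        may be condensed by the model. The decision itself is written to the audit trail."""
        old = self.messages[:-keep_last] if keep_last else list(self.messages)
        candidates = [m for m in old if not m.evidence]
        self.audit.append({
            "event": "summarize",
            "candidates": [m.msg_id for m in candidates],
            "pinned": [m.msg_id for m in old if m.evidence],
        })
        return candidates


if __name__ == "__main__":
    h = HashLinkedHistory()
    h.append("user", "Show prefetch entries for cmd.exe")
    h.append("tool", "CMD.EXE run_count=12 last_run=2026-01-05T10:00:00Z", evidence=True)
    h.append("assistant", "cmd.exe executed 12 times; last run 2026-01-05 10:00 UTC.")
    print("chain ok:", h.verify() is None)
    h.messages[1].content = "edited after the fact"
    print("first bad record:", h.verify())
```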

Investigation Pipeline

The 7-stage processing flow ensures thorough and verifiable analysis.

  1. Intent Interception: Heuristic check for direct commands (e.g., model switching).
  2. Forensic Keyword Analysis: Identifying target artifacts (Prefetch, MFT, etc.).
  3. RAG Lookup: Contextual retrieval from the forensic knowledge base.
  4. Token Balancing: Optimization of the context window for history and RAG prompts.
  5. Tool Execution: Direct execution of database queries, regex searches, and intelligence lookups.
  6. Forensic Synthesis: Applying the Ghassan Elsman Protocol for strictly evidence-anchored reporting.
  7. Completion: Delivering the final payload, interactive action chips, and data viewers to the UI.

Eye Tool Arsenal

Eye is equipped with a suite of functional tools to manipulate data, generate reports, and hunt for intelligence.

Investigative & Data Tools

  • query_database: Executes raw SQL SELECT queries directly against forensic SQLite databases with automatic TOON compression.
  • search_artifacts: Performs text or regex searches across all available databases.
  • get_schema: Retrieves table schema information (columns, types) as a fallback mechanism.
  • query_correlation_results: Finds time-based or identity-based correlations using Crow-eye's Correlation Engine.
  • list_case_files: Secure navigation of the active case directory to discover artifacts.

Reporting & Visualization (The Living Report)

  • report_append_section: Adds markdown narrative and synthesis to the report.
  • report_add_data_table: Generates interactive data tables for raw forensic evidence.
  • report_add_chart: Creates data visualizations (Bar, Line, Pie) for pattern analysis.
  • report_add_timeline: Constructs chronological timeline visualizations.
  • report_add_heatmap: Generates intensity heatmaps (e.g., login activity by hour/day).
  • report_add_chat_transcript: Documents AI reasoning or investigator dialogues.
  • report_add_chain_of_custody: Documents evidence handling procedures.
  • report_edit_section / report_delete_section: Modifies existing report blocks.
  • export_report: Triggers formal export to HTML, PDF, or Markdown.

Threat Intelligence Tools

  • query_threat_intel: Queries external intelligence (VirusTotal, AlienVault) for reputation data.
  • query_living_off_the_land_intel: Assesses if binaries/drivers are known dual-use tools (LOLBAS/LOLDrivers).
  • internet_search: Performs wide-spectrum research for emerging threats or techniques.

Initial Triage Workflow

Upon starting a new case, Eye autonomously produces a "Master Forensic Triage Report" covering:

  1. System Identity & Network Discovery
  2. Authentication & Login Activity
  3. Evidence of Execution (Top 10 Apps)
  4. Persistence Mechanisms (Auto-Runs)
  5. Anti-Forensics & File Lifecycle
  6. User Intent (Search & Commands)
  7. Connected Hardware (USB Devices)
  8. Final Synthesis & Strategy

This ensures the investigator is immediately presented with a comprehensive, actionable overview of the endpoint's state.

Forensic Knowledge Base (RAG)

The Retrieval-Augmented Generation (RAG) service empowers the Eye Assistant with deep, artifact-specific forensic knowledge. Instead of relying on general LLM training data, Eye consults an internal library of markdown documents.

  • Artifact Schemas: Detailed breakdowns of database structures (e.g., global_schema_reference.md).
  • Forensic Methodology: Step-by-step investigative workflows and best practices.
  • Targeted Knowledge: Specific guides for each artifact (e.g., amcache_knowledge.md, prefetch_knowledge.md, usn_knowledge.md) outlining exactly what each field means and how it can be abused.

Directory Structure

eye/
    backends/       Cloud & Local AI providers
    bridge/         QWebChannel communication layer
    services/       Context management, RAG, & PDF services
    ui/             React frontend and PyQt wrapper
    models/         Data models for reports and metadata
    eye_bridge.py
    requirements.txt

Core Components

1. Main Application (Crow Eye.py)

The main application serves as the entry point and orchestrator for the entire system.

Responsibilities

  • Environment Setup: Creates and manages a virtual environment with required dependencies
  • UI Initialization: Sets up the PyQt5-based user interface with cyberpunk styling
  • Artifact Collection Coordination: Invokes appropriate artifact collectors
  • Data Visualization: Displays collected artifacts in tables and UI components
  • Case Management: Handles case creation, loading, and configuration

Key Functions

  • setup_virtual_environment(): Creates Python virtual environment
  • check_and_install_requirements(): Ensures all packages are installed
  • validate_dependencies(): Validates dependency functionality
  • is_admin(): Checks for administrator privileges
  • load_registry_data_from_db(): Master function for loading registry data

2. Styles System (styles.py)

Defines the cyberpunk-themed visual identity of Crow Eye with neon accents and dark backgrounds.

Features

  • Custom color palette with neon cyan (#00FFFF) accents
  • Dark theme optimized for long forensic sessions
  • Consistent styling across all UI components
  • Custom table styles with alternating row colors

3. Component Factory (component_factory.py)

Factory pattern for creating consistent UI elements throughout the application.

Created Components

  • Styled tables with custom headers
  • Search dialogs with filters
  • Progress indicators
  • Custom buttons and controls

Artifact Collectors

Each artifact collector is a specialized module for extracting and parsing a specific type of Windows forensic artifact.

Common Collector Pattern

All collectors follow this pattern:

  1. Locate: Find artifact source (files, registry keys, etc.)
  2. Parse: Extract binary data into structured information
  3. Store: Save results in SQLite databases
  4. Export: Generate JSON output for interoperability

1. Prefetch Parser (Prefetch_claw.py)

Parses Windows Prefetch files (.pf) to extract execution history.

Forensic Value

  • Program execution history
  • Last execution times (one timestamp on Windows XP through 7; the last eight on Windows 8 and later)
  • Run count
  • Files and directories accessed by the program

Supported Versions

  • Windows XP/2003 (Version 17)
  • Windows Vista/7 (Version 23)
  • Windows 8/8.1/2012 (Version 26)
  • Windows 10/11 (Versions 30-31; these files are stored MAM-compressed (LZXPRESS Huffman) and must be decompressed before the SCCA header can be parsed)
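The four-step collector pattern (Locate, Parse, Store, Export) worked through for Prefetch, as an added example that is not the project's Prefetch_claw.py; the function and table names are assumptions made for the illustration. It reads the fixed-offset header fields of uncompressed version 17, 23 and 26 files, refuses MAM-compressed Windows 10/11 files with an explicit error rather than misreading them, stores one row per run timestamp in SQLite, and exports JSON. The build_sample_prefetch helper constructs a synthetic .pf image so the block runs offline; it is test data, not a real capture.

```python
import json
import sqlite3
import struct
from datetime import datetime, timedelta, timezone
from pathlib import Path

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SCCA_MAGIC = b"SCCA"
MAM_MAGIC = b"MAM\x04"  # Windows 10/11 container: LZXPRESS Huffman compressed, not parsed here

# Per-version offsets of the fields read below (libscca-documented layout):
# (offset of last-run FILETIME array, number of FILETIME slots, offset of run count)
VERSION_LAYOUT = {
    17: (0x78, 1, 0x90),  # Windows XP / 2003
    23: (0x80, 1, 0x98),  # Windows Vista / 7
    26: (0x80, 8, 0xD0),  # Windows 8 / 8.1 / 2012
}


def filetime_to_iso(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> ISO 8601 UTC; None for an unset slot."""
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).isoformat() if ft else None


def to_filetime(iso_utc):
    """Inverse of filetime_to_iso; used only to build synthetic test data."""
    return ((datetime.fromisoformat(iso_utc) - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_prefetch(data):
    """Parse step: header and file-information block of an uncompressed .pf image."""
    if data[:4] == MAM_MAGIC:
        raise ValueError("MAM-compressed Prefetch (Windows 10/11): decompress before parsing")
    if len(data) < 0x54 or data[4:8] != SCCA_MAGIC:
        raise ValueError("missing SCCA signature")
    version, = struct.unpack_from("<I", data, 0)
    if version not in VERSION_LAYOUT:
        raise ValueError(f"unsupported Prefetch version {version}")
    times_off, n_times, count_off = VERSION_LAYOUT[version]
    if len(data) < count_off + 4:
        raise ValueError("truncated Prefetch file")
    exe_name = data[0x10:0x4C].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    pf_hash, = struct.unpack_from("<I", data, 0x4C)
    run_times = struct.unpack_from(f"<{n_times}Q", data, times_off)
    run_count, = struct.unpack_from("<I", data, count_off)
    return {
        "version": version,
        "executable": exe_name,
        "hash": f"{pf_hash:08X}",
        "run_count": run_count,
        # Unused history slots are zero-filled: drop them instead of emitting 1601-01-01.
        "last_run_times": [filetime_to_iso(ft) for ft in run_times if ft],
    }


def iter_prefetch_files(directory):
    """Locate step: (name, bytes) for each .pf in a live or extracted Prefetch directory."""
    for path in sorted(Path(directory).glob("*.pf")):
        yield path.name, path.read_bytes()


def store_prefetch(conn, records):
    """Store step: one row per (executable, run time) so the timeline can index on run_time."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS prefetch (source TEXT, executable TEXT, hash TEXT,"
        " version INTEGER, run_count INTEGER, run_time TEXT)"
    )
    rows = [
        (r["source"], r["executable"], r["hash"], r["version"], r["run_count"], t)
        for r in records
        for t in (r["last_run_times"] or [None])
    ]
    conn.executemany("INSERT INTO prefetch VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return len(rows)


def collect_prefetch(blobs, db_path=":memory:"):
    """Run Locate -> Parse -> Store -> Export; returns (records, rows_stored, json_text)."""
    records = []
    for name, data in blobs:
        try:
            rec = parse_prefetch(data)
        except ValueError as exc:
            records.append({"source": name, "error": str(exc)})  # keep failures visible
            continue
        rec["source"] = name
        records.append(rec)
    conn = sqlite3.connect(db_path)
    rows = store_prefetch(conn, [r for r in records if "error" not in r])
    conn.close()
    return records, rows, json.dumps(records, indent=2)


def build_sample_prefetch(version, exe_name, pf_hash, run_count, run_times_iso):
    """Construct a synthetic .pf image (test data only, not captured from a real host)."""
    times_off, n_times, count_off = VERSION_LAYOUT[version]
    buf = bytearray(0xD8)
    struct.pack_into("<I4sII", buf, 0, version, SCCA_MAGIC, 0x11, len(buf))
    buf[0x10:0x10 + 2 * len(exe_name)] = exe_name.encode("utf-16-le")
    struct.pack_into("<I", buf, 0x4C, pf_hash)
    for i, iso in enumerate(run_times_iso[:n_times]):
        struct.pack_into("<Q", buf, times_off + 8 * i, to_filetime(iso))
    struct.pack_into("<I", buf, count_off, run_count)
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_prefetch(26, "CALC.EXE", 0x12345678, 7,
                                   ["2024-01-02T03:04:05+00:00", "2023-12-31T23:59:59+00:00"])
    print(collect_prefetch([("CALC.EXE-12345678.pf", sample), ("bad.pf", b"MAM\x04junk")])[2])
```

On a live host the blobs come from iter_prefetch_files(r"C:\Windows\Prefetch") (or an extracted copy); each run timestamp gets its own row so a timeline query can index on run_time without unpacking JSON. A leading MAM\x04 means the file must go through LZXPRESS Huffman decompression first, which this example deliberately leaves out.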

2. Registry Parser (Regclaw.py)

Extracts forensic artifacts from live Windows Registry hives.

Artifacts Collected

  • USB Devices & Storage
  • UserAssist (ROT-13 decoded)
  • Shellbags (folder access)
  • Recent Documents
  • Network Lists
  • Run/RunOnce keys
  • Installed Programs
  • Services
  • BAM/DAM (Background Activity Moderator / Desktop Activity Moderator): per-user last-execution times keyed by SID
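How the ROT-13 layer and the binary value format of UserAssist fit together, as an added example that is not Regclaw.py's code. The known-folder table holds well-known KNOWNFOLDERID values that Explorer substitutes for path prefixes; the 72-byte Windows 7+ and 16-byte XP layouts are the documented ones. Reading the values from a live hive (winreg under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count) or from an offline NTUSER.DAT is left to the caller, so the example takes a {value_name: bytes} mapping and builds a synthetic value for the demonstration.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Well-known KNOWNFOLDERID GUIDs that replace path prefixes in UserAssist value names.
# The GUID is ROT-13 encoded together with the rest of the name.
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "%SystemRoot%\\System32",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": "%SystemRoot%",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": "%ProgramFiles%",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": "%ProgramFiles(x86)%",
}


def rot13(text):
    """ROT-13 is its own inverse: the same call encodes and decodes value names."""
    return codecs.decode(text, "rot_13")


def filetime_to_iso(ft):
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).isoformat() if ft else None


def to_filetime(iso_utc):
    """Used only to construct synthetic test values."""
    return ((datetime.fromisoformat(iso_utc) - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_userassist_name(encoded_name):
    """Decode the ROT-13 value name and expand a leading known-folder GUID."""
    name = rot13(encoded_name)
    for guid, folder in KNOWN_FOLDERS.items():
        if name.upper().startswith(guid):
            return folder + name[len(guid):]
    return name


def parse_userassist_value(data):
    """Decode the binary value data (Windows 7+: 72 bytes; Windows XP/2003: 16 bytes)."""
    if len(data) == 72:
        # 0x00 session id, 0x04 run count, 0x08 focus count, 0x0C focus time (ms),
        # 0x10 ten floats, 0x38 unknown, 0x3C last-executed FILETIME, 0x44 unknown
        run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
        last_run, = struct.unpack_from("<Q", data, 60)
        return {"run_count": run_count, "focus_count": focus_count,
                "focus_time_ms": focus_ms, "last_executed": filetime_to_iso(last_run)}
    if len(data) == 16:
        # XP/2003: 0x00 session id, 0x04 run count (stored biased by +5), 0x08 FILETIME
        count, last_run = struct.unpack_from("<IQ", data, 4)
        return {"run_count": max(count - 5, 0), "focus_count": None,
                "focus_time_ms": None, "last_executed": filetime_to_iso(last_run)}
    raise ValueError(f"unexpected UserAssist value length {len(data)}")


def parse_userassist_entries(values):
    """values: {encoded_value_name: raw_bytes} from a UserAssist ...\\Count key.

    Returns one record per value, newest last_executed first; values with an
    unknown layout are kept with an 'error' field rather than dropped.
    """
    entries = []
    for encoded, raw in values.items():
        try:
            rec = parse_userassist_value(raw)
        except ValueError as exc:
            rec = {"error": str(exc), "last_executed": None}
        rec["name"] = decode_userassist_name(encoded)
        entries.append(rec)
    return sorted(entries, key=lambda e: e["last_executed"] or "", reverse=True)


def build_userassist_value(run_count, focus_count, focus_ms, last_iso):
    """Construct a synthetic Windows 7+ value blob (test data only)."""
    buf = bytearray(72)
    struct.pack_into("<IIII", buf, 0, 1, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", buf, 60, to_filetime(last_iso))
    return bytes(buf)


if __name__ == "__main__":
    name = rot13("{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\calc.exe")  # as stored in the hive
    blob = build_userassist_value(3, 2, 4500, "2024-05-06T07:08:09+00:00")
    for entry in parse_userassist_entries({name: blob}):
        print(entry)
```

The run count in the Windows 7+ layout is a plain counter, while the XP layout stores it biased by five; a parser that forgets the bias reports every XP program as run five times more often than it was.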

3. Offline Registry Parser (offline_RegClaw.py)

Parses offline registry hives without requiring live system access.

Key Features

  • Hive Support: SYSTEM, SOFTWARE, SAM, SECURITY, NTUSER.DAT
  • Path Independence: No reliance on current system's registry API
  • Cross-Analysis: Analyze hives from different Windows versions

4. Amcache Parser (amcacheparser.py)

Parses Amcache.hve to identify application execution history.

Database Tables

  • InventoryApplication
  • InventoryApplicationFile
  • InventoryDriverBinary
  • DeviceCensus

5. Event Log Parser (WinLog_Claw.py)

Parses Windows Event Log files (.evtx).

Forensic Value

  • User logon/logoff events
  • Process creation (Event ID 4688 in the Security log; only recorded when the Audit Process Creation policy is enabled, and the command line only if command-line auditing is enabled as well)
  • Service installations
  • System events

6. Jump Lists & LNK Parser (A_CJL_LNK_Claw.py)

Parses Jump Lists and LNK (shortcut) files.

Forensic Value

  • Recently accessed files
  • Application usage patterns
  • File paths and network shares
  • Timestamps of file access

7. SRUM Parser (SRUM_Claw.py)

Parses System Resource Usage Monitor database.

Forensic Value

  • Application runtime and resource usage
  • Network connectivity data
  • Energy usage statistics

8. MFT Parser (MFT_Claw.py)

Parses the Master File Table from NTFS file systems.

Forensic Value

  • Complete file system timeline
  • File creation, modification, access times
  • Deleted file recovery
  • File attributes and permissions

9. USN Journal Parser (USN_Claw.py)

Parses the Update Sequence Number Journal.

Forensic Value

  • File system change tracking
  • File creation, deletion, renaming events
  • Detailed change reasons

10. Recycle Bin Parser (recyclebin_claw.py)

Parses Recycle Bin artifacts.

Forensic Value

  • Deleted file metadata
  • Original file paths
  • Deletion timestamps
  • File sizes
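Where those four fields come from, as an added example that is not recyclebin_claw.py: each deleted file leaves a $I metadata record beside its $R data file under $Recycle.Bin\<SID>\, and the SID in that path identifies the user whose bin it is. Version 1 records (Vista through 8.1) carry a fixed 520-byte UTF-16 path; version 2 (Windows 10 and later) is length-prefixed. The build_i_file helper produces synthetic records for testing; the function names are assumptions.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# $Recycle.Bin\<SID>\$I<suffix>.<ext>: the SID is the bin owner, the suffix pairs $I with $R
I_FILE_RE = re.compile(r"\$Recycle\.Bin[\\/](S-1-[\d-]+)[\\/]\$I([^\\/]+)$", re.IGNORECASE)


def filetime_to_iso(ft):
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).isoformat() if ft else None


def parse_i_file(data):
    """Parse one $I record: 8-byte version, 8-byte original size, 8-byte deletion FILETIME, path."""
    if len(data) < 24:
        raise ValueError("truncated $I record")
    version, size, deleted = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        path_bytes = data[24:24 + 520]            # fixed MAX_PATH * 2 bytes, NUL padded
    elif version == 2:
        n_chars, = struct.unpack_from("<I", data, 24)   # character count incl. terminating NUL
        path_bytes = data[28:28 + 2 * n_chars]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = path_bytes.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "original_path": path, "size": size,
            "deleted": filetime_to_iso(deleted)}


def describe_i_file(path, data):
    """Parse the record and add context from its location: owning SID and matching $R file."""
    rec = parse_i_file(data)
    match = I_FILE_RE.search(path)
    if match:
        rec["user_sid"] = match.group(1)
        rec["data_file"] = "$R" + match.group(2)
    return rec


def build_i_file(version, original_path, size, deleted_iso):
    """Construct a synthetic $I record (test data only)."""
    ft = ((datetime.fromisoformat(deleted_iso) - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    encoded = (original_path + "\x00").encode("utf-16-le")
    head = struct.pack("<QQQ", version, size, ft)
    if version == 1:
        return head + encoded.ljust(520, b"\x00")
    return head + struct.pack("<I", len(original_path) + 1) + encoded


if __name__ == "__main__":
    blob = build_i_file(2, "C:\\Users\\alice\\Documents\\secret.docx", 12345, "2024-06-07T08:09:10+00:00")
    print(describe_i_file("C:\\$Recycle.Bin\\S-1-5-21-1111-2222-3333-1001\\$IABC123.docx", blob))
```

The $R file holds the content under its random name, so recovering "what was deleted" means reading $I for the name, size and time and then opening the sibling $R; an $I without its $R usually means the bin was emptied, and an $R without $I means the metadata was removed separately.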

11. Shimcache Parser (shimcash_claw.py)

Parses the Windows Application Compatibility Cache (Shimcache) to track executable files that have been present on the system.

Forensic Value

  • Evidence that an executable existed at a given path (the entry survives even after the file is deleted)
  • Full file paths
  • Last modification timestamps (the file's $STANDARD_INFORMATION modified time, not the time of execution)
  • Execution flag and insertion order (the execution flag exists only on Windows 7 and earlier; on Windows 8 and later an entry proves presence, not execution)

Crow-claw: Advanced Collection Engine

Crow-claw is the high-fidelity collection core of Crow-Eye. It is designed to bypass operating-system file locks and provide deep access to hidden or protected forensic artifacts.

Raw Disk Access

Bypasses the Windows file-sharing locks that protect in-use files by reading the volume directly through raw_disk_access_strategy.py, allowing the engine to read the MFT, registry hives and the pagefile while the system is live. Raw volume access requires administrator privileges (see is_admin()), and what it returns is the on-disk state, which can lag behind changes still sitting in the file-system cache.

VSS Management

The integrated shadow_copy_manager.py automatically identifies, mounts, and parses Volume Shadow Copies, enabling historical analysis of system states.

Core Components

  • VSS Health Diagnostics: Automated volume consistency checks via vss_health_checker.py.
  • Error Classifier: Advanced error handling (error_classifier.py) to distinguish between access denials and corrupted data.
  • Multi-Strategy Collection: Dynamically switches between Standard, Shadow, and Raw access depending on the forensic context.

Forensic Image Parsing Engine

The Forensics Image Parsing module provides a robust, extensible architecture designed to analyze and extract artifacts from diverse forensic containers. By leveraging the Strategy Design Pattern and the dissect framework, it abstracts image complexity into a unified filesystem interface.

E01 / Ex01

Expert Witness Format support with intelligent loaders for segmented or missing image slices.

RAW / DD

Bit-for-bit raw copies with automated multi-part discovery (e.g., .001, .002).

VHDX / VMDK

Direct parsing of Hyper-V and VMware virtual disk formats for cloud and VM forensics.

Core Architectural Components

Image Parser (image_parser.py)

The central coordinator that detects formats through signature verification and manages the lifecycle of parsing strategies.

FS Accessor (file_system_accessor.py)

Abstraction layer handling complex NTFS features such as Alternate Data Streams (ADS) and sparse files, notably the $UsnJrnl:$J stream, whose unallocated leading region must be skipped rather than read as gigabytes of zeros.

Image Extractor (image_extractor.py)

The bridge between artifact definitions and parsed volumes, translating Windows environment variables for seamless extraction.

Partition Detector (partition_detector.py)

Scans for Volume Systems (MBR, GPT) and handles "Volume-Only" acquisitions without partition tables.

The Parsing Pipeline

  1. Detection: Cascading format checks via can_handle() select the appropriate strategy.
  2. Mounting: Transparent mounting of containers and resolution of split segments.
  3. Discovery: Automated partition probing and creation of PartitionInfo metadata.
  4. Traversal: Mapping each partition's byte offset to mount the individual NTFS/FAT32 volumes.
  5. Extraction: Streaming artifact data while preserving forensic MAC timestamps.

Offline Artifact Importer

The Offline Importer subsystem allows investigators to process raw forensic artifacts that have been extracted from target machines or acquired via third-party tools. It provides a robust GUI for batch processing and validation.

Core Capabilities

  • Automated Discovery: Scans directories to automatically identify artifact types (Prefetch, EVTX, Registry Hives) using artifact_type_detector.py.
  • Batch Processing: Orchestrates multiple offline parsers concurrently using parser_invoker.py.
  • Validation & Indexing: Validates file integrity before parsing and builds a comprehensive scan index.
  • Standalone GUI: Provides a dedicated interface (offline_importer_gui.py) for managing imports outside of the live collection workflow.

Timeline Module

The Crow-Eye Timeline is a sophisticated analytical engine that aggregates and correlates forensic artifacts into a unified, chronologically ordered interface. It utilizes a Hybrid Architecture to deliver high-performance visualization of massive datasets.

Hybrid Architecture (React + Python)

The timeline bridges a robust Python data-processing backend with a modern, responsive React frontend hosted within a PyQt5 QWebEngineView.

Timeline Bridge

Uses QWebChannel (timeline_bridge.py) for asynchronous, sub-millisecond communication between the React UI and the Python forensic logic.

OpenGL Visualization

The React frontend leverages the Canvas API and GPU acceleration to render 100k+ events across interactive swimlanes and heatmaps.

Core Data Orchestration

Data Manager (timeline_data_manager.py)

Manages a thread-safe connection pool to multiple artifact databases (MFT, Registry, SRUM, etc.) with optimized time-range indexing.

Timestamp Parser (UniversalTimestampParser)

Forensically normalizes Windows FILETIME, Unix Epoch, Mac Absolute, and OLE dates into standardized UTC ISO 8601 strings.
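The normalisation this parser performs, as an added example that is not the project's UniversalTimestampParser (the function names are assumptions). Each format is defined by its epoch and unit, a zero value is reported as unset rather than as the epoch date, and out-of-range values raise instead of silently wrapping. The plausible_formats helper shows why guessing the format from magnitude alone is unsafe: the same integer can be a valid Unix and a valid Mac Absolute time.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EPOCHS = {
    "filetime": datetime(1601, 1, 1, tzinfo=UTC),      # 100 ns ticks (Windows)
    "unix": datetime(1970, 1, 1, tzinfo=UTC),          # seconds
    "unix_ms": datetime(1970, 1, 1, tzinfo=UTC),       # milliseconds (browser/SQLite-style)
    "mac_absolute": datetime(2001, 1, 1, tzinfo=UTC),  # seconds (Cocoa / Core Data)
    "ole": datetime(1899, 12, 30, tzinfo=UTC),         # fractional days (OLE Automation / Excel)
}


def as_timedelta(value, fmt):
    """Offset from the format's epoch. FILETIME uses integer math: ticks/10 exceeds float precision."""
    if fmt == "filetime":
        return timedelta(microseconds=int(value) // 10)  # sub-microsecond ticks are dropped
    if fmt in ("unix", "mac_absolute"):
        return timedelta(seconds=value)
    if fmt == "unix_ms":
        return timedelta(milliseconds=value)
    if fmt == "ole":
        return timedelta(days=value)
    raise ValueError(f"unknown timestamp format {fmt!r}")


def normalize(value, fmt):
    """Return an ISO 8601 UTC string ending in 'Z', or None when the value is zero/unset."""
    if fmt not in EPOCHS:
        raise ValueError(f"unknown timestamp format {fmt!r}")
    if value in (0, None):
        return None  # a zeroed field means "never set"; reporting 1601/1970 would mislead
    try:
        dt = EPOCHS[fmt] + as_timedelta(value, fmt)
    except OverflowError as exc:
        raise ValueError(f"{value!r} is out of range for {fmt}") from exc
    pattern = "%Y-%m-%dT%H:%M:%SZ" if dt.microsecond == 0 else "%Y-%m-%dT%H:%M:%S.%fZ"
    return dt.strftime(pattern)


def plausible_formats(value, earliest=1990, latest=2040):
    """Every format under which `value` lands in [earliest, latest].

    Magnitude is a hint, not an answer: 700000000 is both a 1992 Unix time and a
    2023 Mac Absolute time, so the source artifact's documented format must win.
    """
    hits = []
    for fmt in EPOCHS:
        try:
            iso = normalize(value, fmt)
        except ValueError:
            continue
        if iso and earliest <= int(iso[:4]) <= latest:
            hits.append(fmt)
    return hits


if __name__ == "__main__":
    for value, fmt in [(116444736000000000, "filetime"), (1700000000, "unix"),
                       (86400, "mac_absolute"), (45000.5, "ole")]:
        print(fmt, value, "->", normalize(value, fmt))
    print("700000000 could be:", plausible_formats(700000000))
```

Normalising to UTC only helps if the source really was UTC: FILETIME fields in NTFS and the registry are, but some application databases store local time, and a timeline that mixes the two silently shifts events by the host's offset.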

Optimization Strategies

  • Time-Sliced Querying: Prevents UI blocking by sampling and chunking data for different zoom levels.
  • Event Aggregation: Condenses raw events into high-level representations (e.g., system sessions) when viewed at macro scales.
  • Progressive Loading: Asynchronously fetches data as the investigator pans through the temporal viewport.

Investigation Workflow

  1. Initialization: TimelineDialog instantiates the bridge and loads the React build.
  2. Temporal Mapping: UI queries getTimeBounds() to map the absolute forensic scope of the case.
  3. Contextual Querying: As the analyst zooms, specific swimlanes (e.g., MFT, Network, Execution) request localized time-slices.
  4. Correlation: The correlation_engine.py identifies proximity-based relationships between isolated system events.

Dynamic Linking & Intelligence

The Dynamic Linking engine is the intelligence layer of Crow-Eye, responsible for enriching raw artifacts with system-level context and identifying hidden relationships between forensic data points.

Intelligence Engine (intelligence_engine.py)

The core logic that orchestrates link gathering and enrichment. It transforms anonymous IDs into human-readable investigative context.

Identity Enrichment

Automatically resolves Windows SIDs to Usernames and matches AppIDs to their friendly application names using local mapping databases.

Semantic Cross-Linking

Links diverse artifacts (e.g., Prefetch execution to LNK file creation) by identifying shared identifiers like file paths, hashes, or timestamps.

Knowledge Architecture

  • Rule Framework: Modular rules located in the rules/ directory define how different artifacts relate to each other.
  • Enrichment Database: High-speed IO (io/database.py) for managing the dynamic mapping state and persistent link history.
  • Intelligence IO: Handles the import/export of intelligence data for sharing across investigation teams.
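A minimal version of the two link types described above and of the proximity step in the timeline workflow, as an added example that is not the project's intelligence_engine.py or correlation_engine.py (table and function names are assumptions). Events from several artifacts are normalised into one SQLite table with an epoch column and a case-folded basename; identifier_links joins on the shared basename, proximity_links joins on a time window around each seed event. The five sample events are constructed for the illustration.

```python
import sqlite3
from datetime import datetime

# Constructed sample events (not case data): (source artifact, UTC time, path or name)
SAMPLE_EVENTS = [
    ("usn",      "2024-03-01T10:00:02Z", "C:\\Users\\alice\\Downloads\\invoice.exe"),  # FILE_CREATE
    ("prefetch", "2024-03-01T10:00:40Z", "INVOICE.EXE"),                               # first run
    ("evtx",     "2024-03-01T10:00:41Z", "C:\\Users\\alice\\Downloads\\invoice.exe"),  # 4688
    ("lnk",      "2024-03-01T10:01:05Z", "\\\\fileserver\\share\\q1-report.xlsx"),     # LNK created
    ("prefetch", "2024-03-02T09:15:00Z", "NOTEPAD.EXE"),
]


def basename(path):
    """Case-folded final path component: the identifier shared across artifacts."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def to_epoch(iso_utc):
    return int(datetime.fromisoformat(iso_utc.replace("Z", "+00:00")).timestamp())


def build_case_db(events, path=":memory:"):
    """Load normalised events into one table with the two indexes the joins below need."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, source TEXT, ts TEXT,"
                 " ts_epoch INTEGER, path TEXT, basename TEXT)")
    conn.execute("CREATE INDEX ix_events_basename ON events(basename)")
    conn.execute("CREATE INDEX ix_events_ts ON events(ts_epoch)")
    conn.executemany(
        "INSERT INTO events (source, ts, ts_epoch, path, basename) VALUES (?, ?, ?, ?, ?)",
        [(src, ts, to_epoch(ts), p, basename(p)) for src, ts, p in events])
    conn.commit()
    return conn


def identifier_links(conn):
    """Pairs of events from different artifacts that name the same file."""
    rows = conn.execute("""
        SELECT a.source, b.source, a.basename, a.ts, b.ts
        FROM events a
        JOIN events b ON b.basename = a.basename AND b.id > a.id AND b.source != a.source
        ORDER BY a.id, b.id""").fetchall()
    return [{"left": l, "right": r, "identifier": ident, "left_ts": lt, "right_ts": rt}
            for l, r, ident, lt, rt in rows]


def proximity_links(conn, seed_source, window_s=60):
    """For each event of seed_source, the other events within +/- window_s, nearest first."""
    rows = conn.execute("""
        SELECT s.id, s.basename, e.source, e.path, e.ts_epoch - s.ts_epoch
        FROM events s
        JOIN events e ON e.id != s.id AND abs(e.ts_epoch - s.ts_epoch) <= ?
        WHERE s.source = ?
        ORDER BY s.id, abs(e.ts_epoch - s.ts_epoch)""", (window_s, seed_source)).fetchall()
    links = []
    for seed_id, seed_name, src, path, delta in rows:
        if not links or links[-1]["seed_id"] != seed_id:
            links.append({"seed_id": seed_id, "seed": seed_name, "neighbors": []})
        links[-1]["neighbors"].append({"source": src, "path": path, "delta_s": delta})
    return links


if __name__ == "__main__":
    db = build_case_db(SAMPLE_EVENTS)
    for link in identifier_links(db):
        print("same file:", link)
    for link in proximity_links(db, "prefetch"):
        print("around", link["seed"], link["neighbors"])
```

With one database per artifact, as in the data layer, the same joins run after SQLite's ATTACH DATABASE brings the tables into a single connection. Identifier links are strong (the same name in USN, Prefetch and a 4688 event); proximity links are leads that still need the analyst to confirm causation, which is why the window is a parameter rather than a constant.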

Data Management Layer

The data layer handles all database operations, search functionality, and data loading.

Database Architecture

Crow Eye uses SQLite databases for storing parsed artifacts:

  • Case Databases: One database per case
  • Artifact Tables: Separate tables for each artifact type
  • Indexes: Optimized for timestamp and text searches

Key Components

  • database_manager.py: Connection and transaction management
  • base_loader.py: Base class for data loaders
  • registry_loader.py: Registry-specific data loading
  • mft_loader.py: MFT data loading with virtual tables
  • usn_loader.py: USN Journal data loading
  • search_engine.py: Full-text search across artifacts
  • index_manager.py: Database index optimization

Search Capabilities

  • Full-text search across all artifacts
  • Timestamp range filtering
  • Regular expression support
  • Multi-field queries
  • Search history tracking

UI Components

The UI layer provides a cyberpunk-themed interface for interacting with forensic data.

Component Factory Pattern

The component_factory.py module creates consistent UI elements:

  • Styled tables with custom headers
  • Search and filter dialogs
  • Progress indicators
  • Custom buttons and controls

Key Dialogs

  • case_dialog.py: Case creation and management
  • search_filter_dialog.py: Advanced search interface
  • row_detail_dialog.py: Detailed artifact view
  • Loading_dialog.py: Custom loading animations

Virtual Tables

For large datasets (MFT, USN), Crow Eye uses virtual tables:

  • On-demand data loading
  • Smooth scrolling for millions of records
  • Memory-efficient rendering
  • Pagination controls

Documentation Reference

For developers, contributors, and deep-dive technical research, Crow Eye maintains extensive markdown documentation within its repository. These guides cover architectural decisions, system orchestration, and contribution standards.