Overview

Crow Eye is an open-source Windows forensic investigation engine designed to collect, analyze, and visualize various Windows artifacts. It features a modular architecture with specialized components for artifact collection, data processing, and visualization through a cyberpunk-themed GUI.

Key Features

  • Comprehensive Artifact Collection: Supports Prefetch, Registry, Event Logs, Amcache, Jump Lists, SRUM, MFT, USN Journal, Recycle Bin.
  • Timeline Visualization: Advanced timeline view with OpenGL-accelerated rendering.
  • Case Management: Organize investigations into cases with persistent configuration.
  • Modular Architecture: Easy to extend with new artifact parsers.

What's New

Version 0.7.1 of Crow Eye concentrates on stability, performance, and user-experience fixes, and on the architectural groundwork for the features planned next.

Highlights of this Release:

  • Enhanced Performance: Optimized data processing and UI responsiveness for a smoother investigative workflow.
  • Increased Stability: Fixed assorted bugs and stability problems across the artifact collectors and the correlation engine.
  • Improved User Experience: Minor UI adjustments for better clarity and ease of use.
  • Preparation for Future Features: Underlying architectural improvements to support upcoming advanced features such as enhanced semantic mapping and advanced correlation scoring.

Project Structure

The project is organized into several key directories:

  • Artifacts_Collectors/: Specialized parsers for Windows artifacts.
  • data/: Data management components and database loaders.
  • ui/: User interface components and dialogs.
  • utils/: Utility functions for file handling, errors, etc.
  • timeline/: The timeline visualization subsystem.
  • correlation_engine/: Complete correlation engine system for forensic artifact analysis.
  • config/: JSON configuration files.
  • docs/: Technical documentation and contribution guides.
Crow-Eye/
  Artifacts_Collectors/                 Specialized parsers
    __init__.py
    A_CJL_LNK_Claw.py                   Jump Lists & LNK
    amcacheparser.py
    JLParser_AppID.csv
    JLParser.py
    offline_RegClaw.py                  Offline Registry
    offlineACJL.py
    partition_analyzer.py
    Prefetch_claw.py                    Prefetch parser
    recyclebin_claw.py
    Regclaw.py                          Live Registry
    registry_binary_parser.py
    shimcash_claw.py
    SRUM_Claw.py
    windows_partition_detector.py       Partition detection
    WinLog_Claw.py                      Event Logs
    MFT and USN journal/
      __init__.py
      MFT_Claw.py
      mft_usn_correlator.py             MFT/USN correlation
      USN_Claw.py
    modules/
      __init__.py
    Target Artifacts/
      C,AJL and LNK/
        copy the lnk files here
      Registry Hives/
        note
  config/
    __init__.py
    case_history_manager.py
    configuration_manager.py
    data_models.py
    standard_fields/
      event_identifiers.json
      file_paths.json
      network_identifiers.json
      process_identifiers.json
      system_identifiers.json
      timestamps.json
      user_identifiers.json
    configs/
      README.md
      semantic_mapping_config.json
      semantic_mapping_rules_default.json
      semantic_rules_default.json
      semantic_rules_example.json
      semantic_rules_schema.json
    feathers/
    pipelines/
    wings/
  correlation_engine/                   Forensic Correlation System
    __init__.py
    ARCHITECTURE.md
    CONTRIBUTING.md
    semantic_mapping_debug.log
    config/                             Configuration management
      __init__.py
      artifact_type_registry.py
      artifact_types.json
      case_configuration_file_manager.py
      case_configuration_manager.py
      case_specific_configuration_manager.py
      centralized_score_config.py
      config_manager.py
      configuration_change_handler.py
      configuration_conflict_resolver.py
      configuration_migration.py
      feather_config.py
      identifier_extraction_config.py
      integrated_configuration_manager.py
      pipeline_config_manager.py
      pipeline_config.py
      score_config_migration_tool.py
      score_configuration_manager.py
      semantic_config.py
      semantic_mapping_discovery.py
      semantic_mapping.py
      semantic_rule_validator.py
      session_state.py
      wing_config.py
      default_mappings/
        browser_history.yaml
        event_logs.yaml
        file_system.yaml
        prefetch.yaml
        registry.yaml
    database/
      __init__.py
      connection_manager.py
    docs/
      ARCHITECTURE.md
      CONTRIBUTING.md
      CORRELATION_ENGINE_OVERVIEW.md
      FEATHER_METADATA_OPTIONAL.md
      PIPELINE_CONFIG_MANAGER_README.md
      README.md
      STRUCTURAL_FIXES_SUMMARY.md
      WING_FEATHER_GUIDE.md
      config/
        ARTIFACT_TYPE_REGISTRY.md
        CONFIG_DOCUMENTATION.md
        CONFIGURATION_RELOAD.md
        WEIGHT_PRECEDENCE.md
      docs/
        CORRELATION_ENGINE_OVERVIEW.md
        FEATHER_METADATA_OPTIONAL.md
        PIPELINE_CONFIG_MANAGER_README.md
        config/
          CONFIG_DOCUMENTATION.md
        engine/
          ENGINE_DOCUMENTATION.md
        feather/
          FEATHER_DOCUMENTATION.md
        gui/
          GUI_DOCUMENTATION.md
        integration/
          INTEGRATION_DOCUMENTATION.md
        pipeline/
          PIPELINE_DOCUMENTATION.md
        wings/
          WINGS_DOCUMENTATION.md
      engine/
        ENGINE_DOCUMENTATION.md
        TIME_WINDOW_SCANNING_ENGINE.md
      feather/
        FEATHER_DOCUMENTATION.md
      gui/
        GUI_DOCUMENTATION.md
      integration/
        INTEGRATION_DOCUMENTATION.md
        INTEGRATION_INTERFACES.md
      pipeline/
        PIPELINE_DOCUMENTATION.md
      semantic_mapping/
        SEMANTIC_MAPPING_GUIDE.md
      wings/
        WINGS_DOCUMENTATION.md
    engine/                             Core correlation engines
      __init__.py
      base_engine.py
      cancellation_support.py
      correlation_engine.py
      correlation_result.py
      correlation_statistics.py
      data_structures.py
      database_error_handler.py
      database_persistence.py
      engine_selector.py
      enhanced_feather_loader.py
      error_handling_coordinator.py
      feather_loader.py
      identifier_correlation_engine.py
      identifier_extraction_pipeline.py
      IDENTIFIER_EXTRACTION_README.md
      identity_based_engine_adapter.py
      identity_correlation_engine.py
      identity_extractor.py
      identity_validator.py
      memory_manager.py
      parallel_window_processor.py
      performance_analysis.py
      performance_benchmark.py
      performance_monitor.py
      progress_tracking.py
      query_builder.py
      query_interface.py
      results_formatter.py
      semantic_matches_evaluator_enhanced.py
      semantic_matches_evaluator.py
      semantic_rule_evaluator.py
      streaming_manager.py
      time_based_engine.py
      time_estimation.py
      time_window_config.py
      timestamp_parser.py
      two_phase_correlation.py
      weighted_scoring.py
      wing_config_adapter.py
      ui/
        __init__.py
    feather/                            Data normalization
      __init__.py
      database.py
      feather_builder.py
      transformer.py
      ui/
        __init__.py
        csv_tab.py
        data_viewer.py
        database_tab.py
        json_tab.py
        main_window.py
        progress_widget.py
        styles.qss
    gui/                                User interface
      __init__.py
      __main__.py
      anchor_detail_dialog.py
      case_specific_configuration_dialog.py
      comparative_analysis_widget.py
      component_detail.py
      config_library.py
      correlation_results_view.py
      CORRELATION_VIEWERS_DOCUMENTATION.md
      crow_eye_styles.qss
      database_results_loader.py
      execution_control.py
      hierarchical_results_view.py
      identifier_extraction_config_panel.py
      identity_detail_dialog.py
      identity_results_view.py
      main_window.py
      match_detail_dialog.py
      pipeline_builder.py
      pipeline_management_tab.py
      pipeline_selection_dialog.py
      pipeline_selector_widget.py
      progress_display_widget.py
      README.md
      results_exporter.py
      results_tab_widget.py
      results_viewer.py
      scoring_breakdown_widget.py
      semantic_filter_panel.py
      semantic_info_display_widget.py
      semantic_mapping_editor_dialog.py
      semantic_mapping_viewer.py
      settings_dialog.py
      time_based_results_view.py
      time_search_widget.py
      timebased_results_viewer.py
      timeline_widget.py
      tooltips_help.py
      ui_styling.py
      wing_selection_dialog.py
    identity_semantic_phase/
      __init__.py
      CONFIGURATION.md
      identity_aggregator.py
      identity_level_semantic_processor.py
      identity_registry.py
      identity_semantic_controller.py
      semantic_data_propagator.py
      semantic_mapping_controller.py
      sql_semantic_mapper.py
    integration/                        Crow Eye bridge
      __init__.py
      auto_feather_generator.py
      case_initializer.py
      case_specific_configuration_integration.py
      correlation_integration.py
      crow_eye_integration.py
      default_pipeline_creator.py
      default_wings_loader.py
      error_handling.py
      feather_config_generator.py
      feather_mappings.py
      integration_diagnostics.py
      integration_error_handler.py
      integration_logging.py
      integration_monitor.py
      interfaces.py
      progress_tracking_integration.py
      semantic_mapping_integration.py
      terminal_progress_logger.py
      weighted_scoring_integration.py
      default_wings/
        Execution_Proof_Correlation.json
        README.md
        User_Activity_Correlation.json
    memory/
      __init__.py
      memory_manager.py
    optimization/
      __init__.py
      progress_tracking_optimizer.py
      semantic_mapping_optimizer.py
      weighted_scoring_optimizer.py
    pipeline/                           Workflow orchestration
      __init__.py
      database_connection_manager.py
      discovery_service.py
      error_handler.py
      feather_auto_registration.py
      path_resolver.py
      pipeline_executor.py
      pipeline_loader.py
      services/
        case_switching_service.py
    wings/                              Correlation rules
      __init__.py
      core/
        __init__.py
        artifact_detector.py
        wing_model.py
        wing_validator.py
      ui/
        __init__.py
        anchor_priority_widget.py
        feather_widget.py
        json_viewer.py
        main_window.py
        semantic_mapping_dialog.py
        wings_styles.qss
  data/                                 Data management
    __init__.py
    base_loader.py
    correlated_loader.py
    database_discovery_manager.py
    database_initializer.py
    database_manager.py
    index_manager.py
    mft_loader.py
    registry_loader.py
    search_engine.py
    search_history_manager.py
    timestamp_detector.py
    timestamp_parser.py
    unified_search_engine.py
    usn_loader.py
  GUI Resources/
    CrowEye.ico
    CrowEye.jpg
    gray color image.jpg
    hamburger menu.png
    loading.gif
    main-menu.png
    Resources_rc.qrc
    icons/
      check.svg
      correlation-icon.svg
      export.svg
      filter-icon.png
      menu-icon.svg
      new-case-icon.svg
      open-case-icon.svg
      search-icon.svg
      settings-icon.svg
      visualization.svg
  Target_Artifacts/
    mft_usn_correlation.log
    usn_claw_20260117_121518.log
    usn_claw_20260207_080859.log
    usn_claw_20260208_233240.log
    usn_claw_20260214_052942.log
  timeline/                             Visualization
    __init__.py
    ARCHITECTURE.md
    event_details_dialog.py
    event_details_panel.py
    filter_bar.py
    timeline_canvas.py
    timeline_config_dialog.py
    timeline_dialog.py
    correlation/
      __init__.py
      correlation_engine.py
    data/
      __init__.py
      event_aggregator.py
      power_event_extractor.py
      progressive_loader.py
      query_worker.py
      srum_app_resolver.py
      timeline_data_manager.py
      timestamp_indexer.py
    persistence/
      __init__.py
    rendering/
      __init__.py
      event_renderer.py
      viewport_optimizer.py
      zoom_manager.py
    utils/
      __init__.py
      animation_manager.py
      error_handler.py
      event_clusterer.py
      loading_indicator.py
      progressive_loading_indicator.py
      timestamp_parser.py
      tooltip_manager.py
  ui/                                   User Interface
    __init__.py
    case_dialog.py
    component_factory.py
    correlated_virtual_table_integration.py
    data_settings_dialog.py
    database_search_dialog.py
    database_search_integration.py
    Loading_dialog.py
    mft_virtual_table_integration.py
    pagination_config.py
    pagination_helper.py
    pagination_widget.py
    partition_window.py
    progress_indicator.py
    row_detail_dialog_handler.py
    row_detail_dialog.py
    search_filter_dialog.py
    search_integration.py
    search_utils.py
    search_widget.py
    settings_dialog.py
    startup_menu.py
    usn_virtual_table_integration.py
    virtual_table_widget.py
  utils/                                Utilities
    __init__.py
    error_handler.py
    file_signature_detector.py
    file_utils.py
    memory_monitor.py
    raw_file_copy.py
    search_utils.py
    time_utils.py
  .gitignore
  clear_python_cache.py
  CONTRIBUTING.md
  Crow Eye.py                           Main Entry Point
  DEEP_LOGICAL_ANALYSIS.md
  GUI_resources.py
  LICENSE
  partition_analyzer.py
  README.md
  styles.py
  TECHNICAL_DOCUMENTATION.md

Architecture Overview

Crow Eye follows a modular architecture where the main application orchestrates interaction between the UI, artifact collectors, and data management layer.

System Layers

  • UI Layer: PyQt5-based interface with custom styling.
  • Collector Layer: Independent modules for parsing specific artifacts.
  • Data Layer: SQLite-based storage with optimized loading and querying.
Architecture diagram (box contents only; the original page renders this as a block diagram):

  • Main Application (Crow Eye.py) orchestrates the four subsystems below.
  • UI Components: Styles, Component Factory, Loading Dialog
  • Artifact Collectors: Amcache, Prefetch, Registry, Event Logs, Jump Lists, SRUM, MFT & USN, Recycle Bin
  • Data Management: DB Manager, Search Engine, Loaders, SQLite DB
  • Timeline System: Canvas (OpenGL), Data Manager, Renderer

Core Components

1. Main Application (Crow Eye.py)

The main application serves as the entry point and orchestrator for the entire system.

Responsibilities

  • Environment Setup: Creates a virtual environment and installs the required dependencies on first run (so the first launch needs access to a package index; on an isolated analysis workstation, provision the environment beforehand)
  • UI Initialization: Sets up the PyQt5-based user interface with cyberpunk styling
  • Artifact Collection Coordination: Invokes appropriate artifact collectors
  • Data Visualization: Displays collected artifacts in tables and UI components
  • Case Management: Handles case creation, loading, and configuration

Key Functions

  • setup_virtual_environment(): Creates Python virtual environment
  • check_and_install_requirements(): Ensures all packages are installed
  • validate_dependencies(): Validates dependency functionality
  • is_admin(): Checks for administrator privileges, which live collection of raw volume artifacts ($MFT, $UsnJrnl, locked hive files) requires
  • load_registry_data_from_db(): Master function for loading registry data

2. Styles System (styles.py)

Defines the cyberpunk-themed visual identity of Crow Eye with neon accents and dark backgrounds.

Features

  • Custom color palette with neon cyan (#00FFFF) accents
  • Dark theme optimized for long forensic sessions
  • Consistent styling across all UI components
  • Custom table styles with alternating row colors

3. Component Factory (component_factory.py)

Factory pattern for creating consistent UI elements throughout the application.

Created Components

  • Styled tables with custom headers
  • Search dialogs with filters
  • Progress indicators
  • Custom buttons and controls

Artifact Collectors

Each artifact collector is a specialized module for extracting and parsing a specific type of Windows forensic artifact.

Common Collector Pattern

All collectors follow this pattern:

  1. Locate: Find artifact source (files, registry keys, etc.)
  2. Parse: Extract binary data into structured information
  3. Store: Save results in SQLite databases
  4. Export: Generate JSON output for interoperability

1. Prefetch Parser (Prefetch_claw.py)

Parses Windows Prefetch files (.pf) to extract execution history.

Forensic Value

  • Program execution history
  • Last execution times (one timestamp in the XP and Vista/7 formats, up to eight from Windows 8 onward)
  • Run count
  • Files and directories accessed by the program

Supported Versions

  • Windows XP/2003 (Version 17)
  • Windows Vista/7 (Version 23)
  • Windows 8/8.1/2012 (Version 26)
  • Windows 10/11 (Versions 30-31; these files are MAM-compressed and must be decompressed before the SCCA header can be read)
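The collector pattern above (locate, parse, store, export) applied to Prefetch, as an added example that is not Crow Eye's Prefetch_claw.py: it reads the SCCA header and the file-information block of uncompressed version 17/23/26 files using the public format offsets, stores one SQLite row per run timestamp, exports JSON, and only detects (rather than decompresses) MAM-compressed Windows 10/11 files. The class name, table layout and the constructed sample file are assumptions of the example.

```python
"""Prefetch collector built to the locate / parse / store / export pattern.

Added example, not Crow Eye's Prefetch_claw.py. It reads the SCCA header and the
file-information block of uncompressed version 17/23/26 files. Windows 10/11
files (versions 30/31) are MAM-compressed (LZXPRESS Huffman); this example only
detects them, because the decompressor is not in the standard library.
"""
import json
import sqlite3
import struct
from datetime import datetime, timedelta, timezone
from pathlib import Path

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Per format version: (file offset of the last-run FILETIME array, slot count,
# file offset of the run counter). From the public SCCA layout: the header is
# 84 bytes and the file-information block follows it.
LAYOUT = {17: (120, 1, 144), 23: (128, 1, 152), 26: (128, 8, 208)}


def filetime_to_iso(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to ISO 8601; 0 is an empty slot."""
    if ft == 0:
        return None
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).isoformat()


def parse_prefetch(data):
    """Step 2, parse: one .pf image to a record. Raises ValueError on bad input."""
    if data[:3] == b"MAM":
        raise ValueError("MAM-compressed prefetch (Windows 10/11): decompress first")
    if data[4:8] != b"SCCA":
        raise ValueError("missing SCCA signature: not a prefetch file")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    # Executable name: 60 bytes of UTF-16LE at offset 16, NUL terminated; hash at 76.
    exe = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 76)[0]
    run_off, slots, count_off = LAYOUT[version]
    raw_times = struct.unpack_from(f"<{slots}Q", data, run_off)
    run_count = struct.unpack_from("<I", data, count_off)[0]
    return {
        "version": version,
        "executable": exe,
        "hash": f"{pf_hash:08X}",
        "run_count": run_count,
        "last_runs": [t for t in map(filetime_to_iso, raw_times) if t],
    }


class PrefetchCollector:
    """Steps 1, 3 and 4: locate .pf files, store rows in SQLite, export JSON."""

    def __init__(self, db_path=":memory:"):
        self.conn = sqlite3.connect(db_path)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS prefetch (source TEXT, executable TEXT, "
            "hash TEXT, run_count INTEGER, last_run TEXT)")
        self.errors = []

    def locate(self, prefetch_dir):
        # On a live host this is C:\Windows\Prefetch; on an image, the exported folder.
        return sorted(Path(prefetch_dir).glob("*.pf"))

    def collect(self, prefetch_dir):
        records = []
        for pf in self.locate(prefetch_dir):
            try:
                rec = parse_prefetch(pf.read_bytes())
            except ValueError as exc:
                self.errors.append((pf.name, str(exc)))  # record the failure and keep going
                continue
            rec["source"] = pf.name
            records.append(rec)
            # One row per run timestamp keeps timeline joins simple.
            rows = [(pf.name, rec["executable"], rec["hash"], rec["run_count"], t)
                    for t in rec["last_runs"] or [None]]
            self.conn.executemany("INSERT INTO prefetch VALUES (?, ?, ?, ?, ?)", rows)
        self.conn.commit()
        return records

    def export_json(self):
        cur = self.conn.execute(
            "SELECT source, executable, hash, run_count, last_run FROM prefetch")
        cols = [c[0] for c in cur.description]
        return json.dumps([dict(zip(cols, row)) for row in cur.fetchall()], indent=2)


def build_sample_pf(exe, run_count, last_runs):
    """Constructed version-26 image for demonstration (not a real file): 84-byte
    header plus a 224-byte file-information block, only the fields read above set."""
    buf = bytearray(308)
    struct.pack_into("<I4s", buf, 0, 26, b"SCCA")
    struct.pack_into("<I", buf, 12, len(buf))
    buf[16:16 + 2 * len(exe)] = exe.encode("utf-16-le")
    struct.pack_into("<I", buf, 76, 0x1A2B3C4D)
    for i, dt in enumerate(last_runs):
        delta = dt - FILETIME_EPOCH
        ft = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
        struct.pack_into("<Q", buf, 128 + 8 * i, ft)
    struct.pack_into("<I", buf, 208, run_count)
    return bytes(buf)
```

A bad file is recorded in `errors` rather than aborting the run, which matters when a collection directory contains a few corrupt or compressed files among hundreds of good ones.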

2. Registry Parser (Regclaw.py)

Extracts forensic artifacts from live Windows Registry hives.

Artifacts Collected

  • USB Devices & Storage
  • UserAssist (ROT-13 decoded)
  • Shellbags (folder access)
  • Recent Documents
  • Network Lists
  • Run/RunOnce keys
  • Installed Programs
  • Services
  • BAM/DAM (Background Activity Moderator / Desktop Activity Moderator)

3. Offline Registry Parser (offline_RegClaw.py)

Parses offline registry hives (for example, copied from a disk image) without requiring live system access. Hives taken from a running system are often dirty: copy the .LOG1/.LOG2 transaction logs alongside the hive and apply them, or the most recent keys will be missed.

Key Features

  • Hive Support: SYSTEM, SOFTWARE, SAM, SECURITY, NTUSER.DAT
  • Path Independence: No reliance on current system's registry API
  • Cross-Analysis: Analyze hives from different Windows versions

4. Amcache Parser (amcacheparser.py)

Parses Amcache.hve (a registry-format hive stored at C:\Windows\AppCompat\Programs\Amcache.hve) to identify application execution and installation history.

Database Tables (one per Amcache hive key)

  • InventoryApplication
  • InventoryApplicationFile
  • InventoryDriverBinary
  • DeviceCensus

5. Event Log Parser (WinLog_Claw.py)

Parses Windows Event Log files (.evtx).

Forensic Value

  • User logon/logoff events
  • Process creation (Event ID 4688; recorded only when process-creation auditing is enabled, and with the command line only if command-line auditing is also on)
  • Service installations
  • System events

6. Jump Lists & LNK Parser (A_CJL_LNK_Claw.py)

Parses Jump Lists and LNK (shortcut) files.

Forensic Value

  • Recently accessed files
  • Application usage patterns
  • File paths and network shares
  • Timestamps of file access

7. SRUM Parser (SRUM_Claw.py)

Parses the System Resource Usage Monitor database (SRUDB.dat, an ESE database under C:\Windows\System32\sru).

Forensic Value

  • Application runtime and resource usage
  • Network connectivity data
  • Energy usage statistics

8. MFT Parser (MFT_Claw.py)

Parses the Master File Table from NTFS file systems.

Forensic Value

  • Complete file system timeline
  • File creation, modification, access times
  • Deleted-file metadata from unallocated MFT records (and the content of small files whose data was resident in the record)
  • File attributes and permissions

9. USN Journal Parser (USN_Claw.py)

Parses the Update Sequence Number Journal ($Extend\$UsnJrnl, $J data stream).

Forensic Value

  • File system change tracking
  • File creation, deletion, renaming events
  • Detailed change reasons (the USN reason flag mask: create, delete, rename old/new name, data overwrite, close, and so on)
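A USN journal record walker, as an added example that is not Crow Eye's USN_Claw.py: it decodes the USN_RECORD_V2 layout, skips the zero-filled sparse region and inter-record padding, splits file reference numbers into MFT entry and sequence number (the join key that mft_usn_correlator.py needs), expands the reason mask into flag names, and pairs rename events. The function names and the journal bytes are the example's own constructions.

```python
"""USN journal ($UsnJrnl:$J) record parser.

Added example, not Crow Eye's USN_Claw.py. It walks USN_RECORD_V2 structures (the
layout NTFS has written since Windows Vista), skips the zero-filled sparse region
and the 8-byte padding between records, splits file reference numbers into MFT
entry and sequence number, expands the Reason bit mask into flag names, and pairs
rename events. The journal bytes used below are constructed for the example.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V2_FIXED = struct.Struct("<IHHQQQQIIIIHH")  # 60-byte fixed part of USN_RECORD_V2
USN_REASON = {  # winioctl.h USN_REASON_* values
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE", 0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION", 0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE", 0x00020000: "COMPRESSION_CHANGE", 0x00040000: "ENCRYPTION_CHANGE",
    0x00080000: "OBJECT_ID_CHANGE", 0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x80000000: "CLOSE",
}
KNOWN_REASONS = sum(USN_REASON)  # distinct single bits, so the sum equals the OR


def filetime_to_iso(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to ISO 8601."""
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).isoformat()


def split_frn(frn):
    """NTFS file reference: low 48 bits = MFT entry number, high 16 bits = sequence."""
    return frn & 0xFFFFFFFFFFFF, frn >> 48


def decode_reason(mask):
    names = [name for bit, name in USN_REASON.items() if mask & bit]
    if mask & ~KNOWN_REASONS:
        names.append(f"UNKNOWN_0x{mask & ~KNOWN_REASONS:08X}")
    return names


def iter_usn_records(data):
    """Yield one dict per V2 record; V3/V4 records are skipped by their length."""
    off, end = 0, len(data)
    while off + 8 <= end:
        if data[off:off + 8] == bytes(8):
            off += 8  # sparse hole or padding; a real parser seeks past the hole in bulk
            continue
        if off + V2_FIXED.size > end:
            raise ValueError(f"truncated record at offset {off}")
        (length, major, _minor, frn, parent, usn, ts, reason, source, sec_id,
         attrs, name_len, name_off) = V2_FIXED.unpack_from(data, off)
        if length < V2_FIXED.size or length % 8 or off + length > end:
            raise ValueError(f"bad record length {length} at offset {off}")
        if major == 2:  # V3 (ReFS, 128-bit ids) and V4 (range tracking) are not decoded here
            entry, seq = split_frn(frn)
            p_entry, p_seq = split_frn(parent)
            name = data[off + name_off:off + name_off + name_len].decode("utf-16-le")
            yield {"usn": usn, "timestamp": filetime_to_iso(ts), "name": name,
                   "entry": entry, "seq": seq, "parent_entry": p_entry, "parent_seq": p_seq,
                   "reasons": decode_reason(reason), "source_info": source,
                   "security_id": sec_id, "attributes": attrs}
        off += length


def rename_chains(records):
    """Pair each RENAME_OLD_NAME with the next RENAME_NEW_NAME for the same entry/sequence."""
    pending, chains = {}, []
    for rec in records:
        key = (rec["entry"], rec["seq"])
        if "RENAME_OLD_NAME" in rec["reasons"]:
            pending[key] = rec["name"]
        elif "RENAME_NEW_NAME" in rec["reasons"] and key in pending:
            chains.append((pending.pop(key), rec["name"], rec["timestamp"]))
    return chains


def build_record(entry, seq, parent_entry, usn, dt, reason, name):
    """Constructed USN_RECORD_V2; length rounded up to 8 bytes as NTFS does."""
    name_b = name.encode("utf-16-le")
    delta = dt - FILETIME_EPOCH
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    length = (V2_FIXED.size + len(name_b) + 7) & ~7
    rec = bytearray(length)
    V2_FIXED.pack_into(rec, 0, length, 2, 0, (seq << 48) | entry, (7 << 48) | parent_entry,
                       usn, ft, reason, 0, 0, 0x20, len(name_b), V2_FIXED.size)
    rec[V2_FIXED.size:V2_FIXED.size + len(name_b)] = name_b
    return bytes(rec)


def sample_journal():
    """Constructed $J fragment: a sparse zero hole, then create / rename-old / rename-new."""
    t = datetime(2024, 1, 15, 10, 29, 50, tzinfo=timezone.utc)
    return bytes(32) + b"".join([
        build_record(1234, 0x5A, 5, 0x1000, t, 0x102 | 0x80000000, "payload.tmp"),
        build_record(1234, 0x5A, 5, 0x1050, t + timedelta(seconds=8), 0x1000, "payload.tmp"),
        build_record(1234, 0x5A, 5, 0x10A0, t + timedelta(seconds=8), 0x2000 | 0x80000000, "payload.exe"),
    ])
```

Matching on (entry, sequence) rather than on the file name is what makes the rename pairing reliable: the sequence number changes when an MFT entry is reused, so a later file that happens to land in the same slot is not confused with the renamed one.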

10. Recycle Bin Parser (recyclebin_claw.py)

Parses Recycle Bin artifacts: the $I metadata files that sit beside the $R content files under $Recycle.Bin\<user SID> on Windows Vista and later.

Forensic Value

  • Deleted file metadata
  • Original file paths
  • Deletion timestamps
  • File sizes

Timeline Module

Advanced timeline visualization system with OpenGL-accelerated rendering for analyzing temporal relationships between artifacts.

Architecture

The timeline module is organized into three main layers:

  • Data Layer: Manages timeline data access and querying
  • Rendering Layer: Handles visual representation with OpenGL
  • UI Layer: Provides user interaction and controls

Key Components

  • timeline_dialog.py: Main timeline dialog window
  • timeline_canvas.py: QGraphicsView-based canvas
  • timeline_config_dialog.py: Configuration and filtering
  • event_renderer.py: Event marker rendering
  • timeline_data_manager.py: Data access layer
  • zoom_manager.py: Zoom level management

Features

  • OpenGL-accelerated rendering for smooth performance
  • Multiple zoom levels (day, week, month, year)
  • Event filtering by artifact type
  • Power event markers
  • Event correlation engine
  • Progressive data loading

Data Management Layer

The data layer handles all database operations, search functionality, and data loading.

Database Architecture

Crow Eye uses SQLite databases for storing parsed artifacts:

  • Case Databases: One database per case
  • Artifact Tables: Separate tables for each artifact type
  • Indexes: Optimized for timestamp and text searches

Key Components

  • database_manager.py: Connection and transaction management
  • base_loader.py: Base class for data loaders
  • registry_loader.py: Registry-specific data loading
  • mft_loader.py: MFT data loading with virtual tables
  • usn_loader.py: USN Journal data loading
  • search_engine.py: Full-text search across artifacts
  • index_manager.py: Database index optimization

Search Capabilities

  • Full-text search across all artifacts
  • Timestamp range filtering
  • Regular expression support
  • Multi-field queries
  • Search history tracking
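A sketch of the case database and search layer described above, as an added example that is not Crow Eye's database_manager.py, search_engine.py or unified_search_engine.py: one SQLite file per case, one table per artifact with a timestamp index, a single view that projects every table onto the same shape for the timeline and for search, a registered REGEXP function (SQLite ships none), escaped LIKE terms, parameterised filters, and LIMIT/OFFSET paging. Table and column names and the sample rows are the example's own assumptions.

```python
"""Case database sketch for the data layer: one SQLite file per case, one table per
artifact, timestamp indexes, and one unified view that search and the timeline query.

Added example, not Crow Eye's database_manager.py or search_engine.py; the table and
column names are assumed and the rows loaded by load_sample() are constructed.
"""
import re
import sqlite3

# Timestamps are stored as ISO 8601 in UTC ("YYYY-MM-DDTHH:MM:SS") so that plain string
# comparison is chronological and the index can serve range queries.
SCHEMA = """
CREATE TABLE IF NOT EXISTS prefetch (id INTEGER PRIMARY KEY, executable TEXT, run_count INTEGER, last_run TEXT);
CREATE TABLE IF NOT EXISTS usn      (id INTEGER PRIMARY KEY, file_name TEXT, reason TEXT, timestamp TEXT);
CREATE TABLE IF NOT EXISTS eventlog (id INTEGER PRIMARY KEY, event_id INTEGER, message TEXT, timestamp TEXT);
CREATE INDEX IF NOT EXISTS ix_prefetch_ts ON prefetch(last_run);
CREATE INDEX IF NOT EXISTS ix_usn_ts      ON usn(timestamp);
CREATE INDEX IF NOT EXISTS ix_eventlog_ts ON eventlog(timestamp);
-- Every artifact table is projected onto the same (ts, artifact, summary, row_id) shape,
-- so the timeline and the search code never special-case a table.
CREATE VIEW IF NOT EXISTS timeline AS
    SELECT last_run AS ts, 'prefetch' AS artifact, executable AS summary, id AS row_id FROM prefetch
    UNION ALL SELECT timestamp, 'usn', file_name || ' ' || reason, id FROM usn
    UNION ALL SELECT timestamp, 'eventlog', 'EID ' || event_id || ' ' || message, id FROM eventlog;
"""


def open_case(path=":memory:"):
    conn = sqlite3.connect(path)
    # SQLite ships no REGEXP implementation; `x REGEXP y` calls the user function regexp(y, x).
    conn.create_function(
        "REGEXP", 2,
        lambda pattern, value: value is not None and re.search(pattern, value) is not None)
    conn.executescript(SCHEMA)
    return conn


def _like_escape(term):
    """Make user text safe inside LIKE: '%' and '_' are wildcards, '\\' is our escape char."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search(conn, text=None, regex=None, start=None, end=None, artifacts=None, limit=100, offset=0):
    """Timestamp range plus text / regex / artifact-type filters over the unified view.
    Everything user-supplied is bound as a parameter, never spliced into the SQL."""
    where, params = [], []
    if start:
        where.append("ts >= ?")
        params.append(start)
    if end:
        where.append("ts < ?")
        params.append(end)
    if text:
        where.append("summary LIKE ? ESCAPE '\\'")
        params.append("%" + _like_escape(text) + "%")
    if regex:
        re.compile(regex)  # reject a bad pattern up front instead of failing row by row
        where.append("summary REGEXP ?")
        params.append(regex)
    if artifacts:
        where.append("artifact IN (%s)" % ",".join("?" * len(artifacts)))
        params.extend(artifacts)
    sql = "SELECT ts, artifact, summary FROM timeline"
    if where:
        sql += " WHERE " + " AND ".join(where)
    # OFFSET paging is simple; keyset paging (WHERE ts > last_seen) scales better past millions of rows.
    sql += " ORDER BY ts, artifact LIMIT ? OFFSET ?"
    params += [limit, offset]
    return conn.execute(sql, params).fetchall()


def load_sample(conn):
    """Constructed rows: a dropped binary, its rename, its execution, and background noise."""
    conn.executemany("INSERT INTO prefetch (executable, run_count, last_run) VALUES (?, ?, ?)", [
        ("NOTEPAD.EXE", 12, "2024-01-14T09:00:00"),
        ("PAYLOAD.EXE", 3, "2024-01-15T10:30:00"),
    ])
    conn.executemany("INSERT INTO usn (file_name, reason, timestamp) VALUES (?, ?, ?)", [
        ("payload.tmp", "FILE_CREATE|CLOSE", "2024-01-15T10:29:50"),
        ("payload.exe", "RENAME_NEW_NAME|CLOSE", "2024-01-15T10:29:58"),
    ])
    conn.executemany("INSERT INTO eventlog (event_id, message, timestamp) VALUES (?, ?, ?)", [
        (4624, "Logon type 10 for alice", "2024-01-15T10:25:00"),
        (4688, "New process C:\\Users\\Public\\payload.exe", "2024-01-15T10:30:01"),
    ])
    conn.commit()
```

Two points carry over to any real implementation: artifact timestamps must be normalised to one zone before they are stored, or the string ordering the index relies on is wrong, and search terms lifted from case data (file names, command lines) can contain quotes and wildcards, so they belong in bound parameters with LIKE escaping rather than in the SQL text.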

UI Components

The UI layer provides a cyberpunk-themed interface for interacting with forensic data.

Component Factory Pattern

The component_factory.py module creates consistent UI elements:

  • Styled tables with custom headers
  • Search and filter dialogs
  • Progress indicators
  • Custom buttons and controls

Key Dialogs

  • case_dialog.py: Case creation and management
  • search_filter_dialog.py: Advanced search interface
  • row_detail_dialog.py: Detailed artifact view
  • Loading_dialog.py: Custom loading animations

Virtual Tables

For large datasets (MFT, USN), Crow Eye uses virtual tables:

  • On-demand data loading
  • Smooth scrolling for millions of records
  • Memory-efficient rendering
  • Pagination controls