Meet The Eye — Crow-Eye's AI forensics assistant for AI-powered Windows DFIR and AI cybersecurity investigations. It automates and verifies your findings, in the cloud, fully offline, or from the terminal.
Eye is a skilled Forensics Investigator with a real knowledge base of Windows forensic artifacts, grounded in Eye-describe. Built to automate and verify any hypothesis an investigator has, Eye AI is a powerful assistant — not a replacement. It empowers human analysts to validate findings faster and with higher precision across digital forensics and incident response (DFIR).
Eye AI reads raw Windows artifacts the way a seasoned analyst does — correlating execution, file, and timeline evidence to confirm or rule out a hypothesis in seconds.
No black box. Eye streams every reasoning step to the screen as it works — and records the full Eye ↔ model conversation and every context decision so you can audit exactly how a conclusion was reached.
Eye interprets your question, detects the forensic targets, and forms an investigative plan.
It pulls the relevant Windows-artifact knowledge from its grounded knowledge base.
It runs real tools — SQL, search, correlation, threat intel — against your case data.
It writes an evidence-linked conclusion under the Ghassan Elsman Protocol.
A live Eye ↔ LLM transcript shows the raw exchange, and every context decision is written to an append-only truncation_audit.log — so the investigator, and a court, can see precisely what the model was shown.
Eye is model-agnostic: it brings the forensic brain — RAG knowledge, the Ghassan Elsman Protocol, the toolkit, and the evidence seal — and you bring the model. Connect it to a cloud frontier model, a private local server, or an AI CLI you already use. Same investigator, your choice of engine and threat model.
Point Eye at the public frontier models you already have keys for — the most powerful reasoning for deep, complex cases, over each provider's official SDK.
Run a private model server on your workstation or a dedicated lab box. Modern JSON/REST comms like the cloud, but your evidence never leaves the network — fully air-gapped.
Point eye-agent at an AI command-line tool you already run — Eye drives it for terminal-first, rapid triage and incident response.
When an incident hits, speed and certainty decide the outcome. Eye AI brings AI cybersecurity firepower to the responder's desk — triaging endpoints, surfacing program execution and lateral-movement evidence, and verifying the timeline so your team can scope and contain faster. The Eye keeps the analyst in control: every finding is evidence you can corroborate, not a black box.
Most "AI for forensics" tools bolt a chatbot onto your logs. The problem isn't answering questions — it's trusting the answer. Eye is built for evidence you can defend in court.
Every payload sent to the model is sealed: the SHA-256 of the exact bytes, the token count, and per-row provenance down to database:table:rowid and the computed MFT offset. Seals are append-only and hash-chained — altering or removing any record breaks the chain, and the compliance panel flags it VERIFIED or BROKEN.
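The seal mechanism described above, as an added example that is not Crow-Eye's own code: each record carries the SHA-256 of the exact payload bytes, a token count, the row provenance, and the previous record's hash, so editing, reordering or removing any record turns the verifier's answer from VERIFIED to BROKEN. The field names, the 4-bytes-per-token estimate and the sample rows are assumptions made for this example.

```python
import hashlib
import json
# Added example, not Crow-Eye's own code: an append-only, hash-chained seal
# log in the shape the page describes. The record fields and the
# 4-bytes-per-token estimate are assumptions made for this example.

GENESIS = "0" * 64


def estimate_tokens(payload: bytes) -> int:
    """Rough count; a real seal would use the model's tokenizer."""
    return max(1, len(payload) // 4)


def _record_hash(body: dict) -> str:
    # Canonical JSON so any reviewer can recompute the hash byte-for-byte.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def seal_payload(chain: list[dict], payload: bytes, provenance: list[str]) -> dict:
    """Append one seal: hash of the exact bytes sent, token count, row provenance, link to the previous seal."""
    body = {
        "seq": len(chain),
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
        "token_count": estimate_tokens(payload),
        "provenance": provenance,               # database:table:rowid strings
        "prev_hash": chain[-1]["record_hash"] if chain else GENESIS,
    }
    body["record_hash"] = _record_hash(body)
    chain.append(body)
    return body


def verify_chain(chain: list[dict]) -> str:
    """Walk the chain; any edited, reordered or removed record breaks a link."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if rec["seq"] != i or rec["prev_hash"] != prev or _record_hash(body) != rec["record_hash"]:
            return "BROKEN"
        prev = rec["record_hash"]
    return "VERIFIED"


def demo() -> tuple[str, str]:
    """Seal three constructed rows, then silently edit one and re-verify."""
    chain: list[dict] = []
    seal_payload(chain, b"Prefetch: CMD.EXE-XXXXXXXX.pf run=2024-01-09 03:12:44", ["prefetch.db:Prefetch:42"])
    seal_payload(chain, b"Amcache: C:\\Users\\Public\\svc.exe", ["amcache.db:InventoryApplicationFile:17"])
    seal_payload(chain, b"MFT: entry 81234 created 2024-01-09 03:12:40", ["mft.db:MFT:81234"])
    before = verify_chain(chain)
    chain[1]["provenance"] = ["amcache.db:InventoryApplicationFile:99"]   # tamper with one record
    return before, verify_chain(chain)
```

Note that a chain alone only proves the records it contains are intact and in order; a reviewer still needs the seal file from a trusted copy to notice records cut off the end.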
Eye measures the full payload and reserves room for the reply before it calls the model. If it would overflow, it heals on a working copy — and it will not cut corners on evidence.
Only non-evidence chat history is summarized or dropped to make room — pinned items, tool results, and evidence are protected and never touched.
If the irreducible evidence still won't fit, Eye refuses rather than quietly drop facts — every trim is logged to the audit trail.
It hands off to map-reduce — analyzing an entire MFT or USN journal in sealed chunks, every row covered exactly once.
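The budget pass described in the four points above, as an added example that is not Crow-Eye's own code: it measures the payload with the reply reserved, refuses up front if the irreducible material alone will not fit, and otherwise summarizes and then drops only non-evidence chat, oldest first, on a working copy, logging each decision with the labels the page uses. The message kinds, the 4-chars-per-token estimate and the summary placeholder are assumptions made for this example.

```python
# Added example, not Crow-Eye's own code: the context-budget pass the page
# describes, written as a pure function over a working copy. Message kinds,
# the 4-chars-per-token estimate and the summary placeholder are assumptions.

PROTECTED = {"system", "evidence", "tool_result", "pinned"}   # never trimmed


def tokens(text: str) -> int:
    """Rough estimate; a real budget would use the model's tokenizer."""
    return max(1, len(text) // 4)


def fit_context(messages: list[dict], budget: int, reply_reserve: int) -> dict:
    """Heal a copy of `messages` to fit `budget` with room reserved for the reply.
    Returns {"status": "OK" | "REFUSED_OVERFLOW", "messages": [...], "audit": [...]}.
    The audit entries use the page's labels: PRESERVED, SUMMARIZED, TRUNCATED,
    PINNED and REFUSED_OVERFLOW. The caller's list is never mutated.
    """
    work = [dict(m) for m in messages]          # heal on a working copy
    audit: list[dict] = []

    def total() -> int:
        return sum(tokens(m["text"]) for m in work if m)

    # Step 1: prompt, evidence, tool output and pins plus the reply reserve
    # must fit, or Eye refuses rather than quietly drop facts.
    protected = sum(tokens(m["text"]) for m in work if m["kind"] in PROTECTED)
    if protected + reply_reserve > budget:
        audit.append({"decision": "REFUSED_OVERFLOW", "needed": protected + reply_reserve, "budget": budget})
        return {"status": "REFUSED_OVERFLOW", "messages": [], "audit": audit}

    chat = [i for i, m in enumerate(work) if m["kind"] not in PROTECTED]
    # Step 2: summarize non-evidence chat, oldest first, until it fits.
    for i in chat:
        if total() + reply_reserve <= budget:
            break
        before = tokens(work[i]["text"])
        work[i]["text"] = work[i]["text"][:32] + " [summarized]"   # stand-in for a model summary
        audit.append({"decision": "SUMMARIZED", "id": work[i]["id"], "before": before, "after": tokens(work[i]["text"])})
    # Step 3: if still over budget, drop summarized chat, oldest first.
    for i in chat:
        if total() + reply_reserve <= budget:
            break
        audit.append({"decision": "TRUNCATED", "id": work[i]["id"], "dropped": tokens(work[i]["text"])})
        work[i] = None
    work = [m for m in work if m is not None]

    for m in work:
        if m["kind"] in PROTECTED:
            audit.append({"decision": "PINNED" if m["kind"] == "pinned" else "PRESERVED", "id": m["id"]})
    return {"status": "OK", "messages": work, "audit": audit}
```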
Eye doesn't just chat — it acts. Behind every answer is a governed set of 26 real forensic tools: it queries databases, hunts artifacts, drives the Correlation Engine, pulls live threat intelligence, and writes the report — each call evidence-linked and logged. Here is everything Eye can do, grouped by job.
query_database: Run a SQL SELECT against any forensic database. Result sets over 1,000 rows are TOON-compressed to a statistical summary plus sample rows, while the full table stays in the UI viewer.
analyze_large_dataset: Map-reduce an entire artifact — a full MFT, USN journal, or huge event batch — in token-sized chunks. Every row is covered exactly once and each chunk is evidence-sealed.
search_artifacts: Global literal or regex hunt across every indexed database at once — find a string, hash, IP, or pattern everywhere it appears.
get_schema: Introspect a table's columns and types. Eye calls it automatically to recover from a schema mismatch and retry the query.
list_case_files: Browse the case directory to discover available artifacts — with path-traversal protection that keeps access inside the case root.

query_correlation_results: Query the Crow-Eye Correlation Engine directly — by time window, by identity (user / process / file), or for case-wide statistics.
correlation_create_wing: Author a brand-new correlation rule (Wing) when it spots a recurring pattern — GEP-governed: a written reason and evidence reference are mandatory.
correlation_edit_wing: Refine a Wing Eye previously authored. Built-in and human-authored Wings stay strictly read-only to the agent.
correlation_create_semantic_mapping: Turn a raw technical value into a human-readable forensic meaning, as a single mapping or a multi-condition rule.
correlation_edit_semantic_mapping: Edit a mapping or rule Eye created — every change reason-stamped and appended to its edit history.

query_threat_intel: Look a binary or driver up against live threat-intelligence feeds to flag known-bad or vulnerable components.
query_living_off_the_land_intel: Check a name against LOLBAS, LOLDrivers, LOFL (fileless), and malicious-bootloader datasets — the heart of living-off-the-land detection.
internet_search: Fallback web research for techniques or threats not covered by local RAG or the intel feeds.
fetch_web_content: Fetch a specific technical page — restricted by an SSRF-safe whitelist of trusted forensic / anatomy domains.

report_append_section: Add a Markdown narrative section to the Living Report.
report_add_data_table: Insert an interactive, sortable table populated straight from a query.
report_add_chart: Generate a bar, line, or pie chart from the findings.
report_add_timeline: Build a chronological event timeline of the investigation.
report_add_heatmap: Render an activity heatmap to expose bursts and patterns over time.
report_add_chain_of_custody: Embed the evidence and seal trail directly into the formal record.
report_add_image: Attach screenshots or exhibit images with captions.
report_add_chat_transcript: Document the reasoning or investigator dialogue inside the report.
report_edit_section / report_delete_section: Refine or remove report blocks as the case evolves.
export_report: Export the workspace as interactive HTML, formal PDF, or Obsidian-ready Markdown — behind a human-in-the-loop confirmation.

switch_model: Change the active AI backend mid-investigation — jump between a cloud model, a local server, or a CLI agent without losing the case.

Every answer Eye gives is produced twice — once as a chat reply, and once as a structured block in the case dossier. Your report writes itself as you investigate, then exports as interactive HTML, formal PDF, or Obsidian-ready Markdown (with your sign-off).
The GEP is Eye's forensic standard — a "forensic integrity boundary" enforced in code, not left to the model's goodwill. It governs both how Eye answers and how it writes, so its output is admissible by construction.
Every claim ties to a database:table:rowid reference.
Eye doesn't just give answers — it keeps the receipts. Every reasoning step, tool call, and context decision is recorded and surfaced in a per-case Compliance Panel you can open, replay, and hand to a reviewer or a court.
For every question, a pass/fail on the Ghassan Elsman Protocol — was the answer evidence-linked and specific?
The hash-chained SHA-256 seal of every payload the model saw, with a VERIFIED / BROKEN integrity check and a "view full payload" drill-down.
Every context decision logged: PRESERVED · SUMMARIZED · TRUNCATED · PINNED · REFUSED_OVERFLOW — processed vs dropped, in full.
The ordered timeline of what Eye actually did — each tool invocation and decision, step by step.
The full raw conversation between Eye and the model — exactly what was asked and answered.
A chronological record of the whole investigation, so the case can be reconstructed end to end.
None of it is in-memory only. Every record is written to append-only EYE_Logs/ files on disk.
Beyond the headline features, Eye is built with the details that matter when a real investigation is on the line.
Eye never reports a single artifact in isolation — it cross-references Amcache, Prefetch, MFT, Registry and more, and rests its conclusion on where they agree, stay silent, or conflict.
A strict token economy splits Eye's limited "memory" across the system prompt, RAG knowledge, history, and tools — so the evidence and instructions that matter are never starved.
Query a million rows and Eye won't choke — over 1,000 rows it sends the model a statistical summary plus samples (TOON compression) while you keep the full table in the viewer.
An intent engine reads your question and pulls the right artifacts and knowledge before the model even runs — so answers stay focused on the forensic goal.
Hit a rate limit or quota and Eye keeps going — it offers alternative models to resume the session instantly, and pools backend connections to keep requests fast.
Already have forensic HTML reports? Eye parses them back into the Living Report Workspace — tables, charts and all — so prior work folds into the case.
API keys live in the OS keychain (never in files); file access is path-traversal protected and web fetches are SSRF-whitelisted to trusted forensic domains.
Open a case and Eye can auto-build a Master Forensic Triage Report — charts, tables and a baseline narrative — under the GEP, before you ask a single question.
Sophisticated intrusions and APT campaigns rarely live in a single artifact. They hide in the relationships between them — a logon here, an execution there, a file touched minutes later. That's exactly what Crow-Eye's Correlation Engine exists to find.
Eye queries the engine directly — by time window, by identity (user / process / file), and for case-wide statistics — chaining anchors across Feathers to reconstruct a multi-stage attack timeline.
When Eye spots a recurring pattern, it can author a new Wing or Semantic Mapping — capturing the correlation so it speeds every future case. Each authored rule is evidence-linked and Eye-stamped under the GEP.
Signature and single-artifact tools miss the quiet, patient tradecraft of APTs. Behavioral, cross-artifact correlation helps surface the activity that was designed to stay undetected — for a human analyst to confirm.
Adversaries already use AI to scale phishing, generate malware, and obfuscate their tracks. Eye puts that same power on the defender's side — reasoning over sealed, evidence-linked data, cross-referencing binaries against live living-off-the-land intelligence (LOLBAS, LOLDrivers, LOFL, and malicious bootloaders), and correlating behavior to help analysts catch novel and AI-accelerated intrusions faster. The human stays in command — Eye is an assistant, not a replacement.
Powerful forensics shouldn't be locked behind enterprise licenses. Crow-Eye and Eye AI are free and open-source (GPL-3.0) and run fully offline — so any researcher, academic, or privacy advocate can investigate what software actually does on a system. Use it to verify undisclosed telemetry, hidden data collection, or covert persistence, document it with court-grade evidence, and help hold software accountable to the people who run it.
The quick answers investigators ask most about Crow-Eye's AI forensics assistant.
Eye AI ("The Eye") is Crow-Eye's forensics AI assistant. It lets investigators query and analyze Windows forensic artifacts in plain language, then writes an evidence-linked report — acting as a powerful assistant to a human analyst, not a replacement.
Yes. Eye is model-agnostic: run it on a fully offline local AI server (Ollama or LM Studio) or a terminal CLI agent, so sensitive evidence never leaves your network.
Cloud models (OpenAI, Anthropic Claude, Google Gemini), local servers (Ollama, LM Studio), and AI command-line agents you already use (Claude Code, Gemini CLI, ChatGPT CLI, Llama.cpp, and more) — switchable mid-investigation.
Yes — Crow-Eye and Eye AI are free and open-source under GPL-3.0, available to any researcher or investigator.
Eye is built to be court-defensible: every payload is sealed (SHA-256, hash-chained), every claim ties to a real database record, it refuses to silently drop evidence, and it surfaces a full compliance and chain-of-custody trail — not unverifiable answers.
The GEP is Eye's forensic standard, enforced in code: answers must be chronological, specific, evidence-linked, and cross-source corroborated, and any rule Eye authors must carry a reason and evidence reference — so its output is admissible by construction.
Bring AI-powered forensics to your investigations. Download Crow-Eye and put The Eye to work.