Key Features

Live & Offline Modes

Analyze artifacts directly from the running system or imported from an offline image or backup directory.

SQLite-Driven Architecture

All artifact data is parsed into a normalized SQLite database for structured queries, filtering, and exporting.

Graphical User Interface

Intuitive GUI built with PyQt5 and Streamlit simplifies interaction and reduces reliance on command-line operations.

Export Options

Export parsed results in CSV and JSON formats for integration with other tools or reporting systems.


Parsed Artifacts

Registry Data

Includes user auto-runs, machine startup programs, last shutdown, time zone, and more.

Prefetch Files

Collects run count, executable names, timestamps, volume information, and access patterns.

Jump Lists & LNK

Details file access via shortcuts, including metadata, timestamps, and source and target paths.

Event Logs

Parses Application, System, and Security logs into a structured, queryable format.

Under Development:
  • ShimCache Analysis
  • AmCache Parsing
  • SRUM Database Insights

Research & Vision

Crow Eye is a research-driven project that aims to improve how digital forensic analysis is carried out, particularly on Windows systems. The project is designed to aggregate and correlate a wide range of forensic artifacts in a unified and automated manner.

Planned enhancements include support for additional Windows artifact types and the development of a correlation engine capable of associating disparate forensic data points into coherent narratives. This engine will utilize heuristic linkage techniques to identify relationships across registry data, prefetch artifacts, and system event logs, even in scenarios where metadata is incomplete or tampered with.
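The following added example illustrates the two ideas above, the normalized SQLite artifact store with CSV/JSON export and the cross-artifact correlation engine; it is illustrative code written for this page, not Crow Eye's own implementation, and the table schema, the artifact records, and the helper names are assumptions constructed for the example.

```python
import csv
import io
import json
import sqlite3

# Constructed sample records, each artifact normalised to one common shape:
# (source artifact type, executable name, path, UTC timestamp, event kind).
# The schema and these rows are assumptions for this example, not Crow Eye's.
SAMPLE_ARTIFACTS = [
    ("prefetch", "UPDATER.EXE", r"C:\Users\bob\Downloads\updater.exe", "2024-03-01T09:15:02Z", "executed"),
    ("eventlog", "UPDATER.EXE", r"C:\Users\bob\Downloads\updater.exe", "2024-03-01T09:15:03Z", "4688_process_create"),
    ("registry_run", "UPDATER.EXE", r"C:\Users\bob\Downloads\updater.exe", "2024-03-01T09:15:10Z", "autorun_added"),
    ("prefetch", "NOTEPAD.EXE", r"C:\Windows\System32\notepad.exe", "2024-03-01T08:00:00Z", "executed"),
]

def build_db(rows):
    """Create the normalised artifact store in memory and load the rows into it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE artifact (id INTEGER PRIMARY KEY, source TEXT NOT NULL, "
                 "exe TEXT NOT NULL, path TEXT, ts_utc TEXT NOT NULL, kind TEXT NOT NULL)")
    conn.executemany("INSERT INTO artifact (source, exe, path, ts_utc, kind) VALUES (?,?,?,?,?)", rows)
    conn.commit()
    return conn

def correlate(conn, min_sources=2):
    """Heuristic linkage on the executable name: report every executable seen in at
    least `min_sources` distinct artifact types, with its sources and time span."""
    sql = ("SELECT exe, GROUP_CONCAT(DISTINCT source), MIN(ts_utc), MAX(ts_utc) FROM artifact "
           "GROUP BY exe HAVING COUNT(DISTINCT source) >= ? ORDER BY MIN(ts_utc)")
    return [{"exe": exe, "sources": sorted(srcs.split(",")), "first_seen": first, "last_seen": last}
            for exe, srcs, first, last in conn.execute(sql, (min_sources,))]

def timeline(conn, exe):
    """Chronological view of one executable across all artifact sources."""
    sql = "SELECT ts_utc, source, kind, path FROM artifact WHERE exe = ? ORDER BY ts_utc"
    return [dict(zip(("ts_utc", "source", "kind", "path"), r)) for r in conn.execute(sql, (exe,))]

def export_json(rows):
    """Serialise query results for reporting or hand-off to another tool."""
    return json.dumps(rows, indent=2)

def export_csv(rows):
    """Same results as CSV text; header order follows the row keys."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```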

A timeline visualization interface is also under development, which will enable investigators to intuitively interpret user behavior, operational sequences, and potential evasion techniques. By providing chronological context, this tool will assist in reconstructing detailed digital activity profiles.

To promote transparency and community collaboration, I intend to publish comprehensive documentation detailing the internal structures of supported artifacts and the logic underpinning the correlation methodology. These publications will serve both as educational resources and as a foundation for peer validation and future academic research.

About the Developer

Crow Eye is developed and maintained by Ghassan Elsman as both a practical forensic tool and a research proof of concept. The project is open to collaboration and contributions. For inquiries or support, feel free to reach out:

📧 Ghassanelsman@gmail.com | 🔗 GitHub Repository | 💼 LinkedIn Profile