Key Features
Live & Offline Modes
Analyze artifacts directly from the running system or imported from an offline image or backup directory.
SQLite-Driven Architecture
All artifact data is parsed into a normalized SQLite database for structured queries, filtering, and exporting.
Graphical User Interface
Intuitive GUI built with PyQt5 and Streamlit simplifies interaction and reduces reliance on command-line operations.
Export Options
Export parsed results in CSV and JSON formats for integration with other tools or reporting systems.
Planned Features
Upcoming disk image (E01/RAW) parsing, multi-host investigation support, correlation heuristics, evasion detection modules, timeline visualization, and a community plugin ecosystem.
Parsed Artifacts
Registry Data
Includes user auto-runs, machine startup programs, last shutdown, time zone, and more.
Prefetch Files
Collects run count, executable names, timestamps, volume information, and access patterns.
Jump Lists & LNK
Details file access via shortcuts, including metadata, timestamps, source and target paths.
Event Logs
Parses Application, System, and Security logs into structured and queryable format.
- ShimCache Analysis
- AmCache Parsing
- SRUM Database Insights
Crow-Eye CLI Tools
AmCache Parser
Extracts metadata from Amcache.hve, including application details, execution history, and file associations for forensic investigations.
Prefetch Parser
Analyzes Windows Prefetch files to uncover execution evidence, including run counts, timestamps, and resource usage, supporting Windows XP to 11.
ShimCache Parser
Parses ShimCache data to reveal application compatibility details, execution timestamps, and system interaction patterns for threat hunting.
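The Prefetch Files entry above lists run count, executable name, timestamps and loaded-file information; the Prefetch Parser CLI entry promises XP through 11. As an added illustration of what such a parser has to read (this is example code, not Crow Eye's own parser), the block below decodes the header and file-information block of an uncompressed Prefetch file for format versions 17 (XP/2003), 23 (Vista/7) and 26 (8.1), using the field offsets as they are commonly documented (the libscca format notes). Windows 8 and later store Prefetch files LZXPRESS-Huffman compressed behind a `MAM` signature; the example only detects that case and refuses, since decompression is out of scope here. The sample file is constructed in `build_sample_v23()` (its prefetch hash, timestamps and loaded-file paths are made up for the test) rather than captured from a real system.

```python
# Added example, not Crow Eye's code: parse the header of an uncompressed
# Windows Prefetch file (format versions 17, 23, 26) into a normalized record.
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# version -> (offset of last-run FILETIME(s), number of last-run slots, offset of run counter)
# Offsets follow the commonly documented layout; v26 keeps up to 8 last-run times.
LAYOUT = {
    17: (120, 1, 144),   # Windows XP / Server 2003
    23: (128, 1, 152),   # Windows Vista / 7
    26: (128, 8, 208),   # Windows 8.1
}


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_prefetch(data):
    """Return executable name, hash, run count, last-run times and loaded files."""
    if data[:3] == b"MAM":
        raise ValueError("MAM-compressed prefetch (Windows 8+): decompress LZXPRESS-Huffman first")
    if len(data) < 84 or data[4:8] != b"SCCA":
        raise ValueError("not a prefetch file: SCCA signature missing")
    version, = struct.unpack_from("<I", data, 0)
    file_size, = struct.unpack_from("<I", data, 12)
    # 60 bytes of UTF-16LE executable name, NUL terminated, at offset 16
    exe_name = data[16:76].decode("utf-16-le", "replace").split("\x00", 1)[0]
    prefetch_hash, = struct.unpack_from("<I", data, 76)
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch format version {version}")
    # File-information block (same first 9 dwords in every version): metrics offset/count,
    # trace-chain offset/count, filename-strings offset/size, volumes offset/count/size.
    info = struct.unpack_from("<9I", data, 84)
    strings_off, strings_size, volume_count = info[4], info[5], info[7]
    loaded_files = []
    if strings_size and strings_off + strings_size <= len(data):
        blob = data[strings_off:strings_off + strings_size].decode("utf-16-le", "replace")
        loaded_files = [s for s in blob.split("\x00") if s]
    run_off, slots, count_off = LAYOUT[version]
    last_runs = []
    for i in range(slots):
        ft, = struct.unpack_from("<Q", data, run_off + 8 * i)
        if ft:                       # unused slots are zero-filled
            last_runs.append(filetime_to_datetime(ft))
    run_count, = struct.unpack_from("<I", data, count_off)
    return {
        "version": version,
        "executable": exe_name,
        "hash": f"{prefetch_hash:08X}",
        "file_size": file_size,
        "run_count": run_count,
        "last_run": last_runs,
        "volume_count": volume_count,
        "loaded_files": loaded_files,
    }


def build_sample_v23():
    """Constructed (not captured) version-23 prefetch image used as test input."""
    names = ("\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
             "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\CALC.EXE")
    strings_raw = ("\x00".join(names) + "\x00").encode("utf-16-le")
    header_len = 240                                   # 84-byte header + 156-byte v23 info block
    file_size = header_len + len(strings_raw)
    last_run = datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc)
    ticks = (last_run - EPOCH_1601) // timedelta(microseconds=1) * 10   # exact integer FILETIME
    buf = bytearray(header_len)
    struct.pack_into("<I4sII", buf, 0, 23, b"SCCA", 0x11, file_size)
    buf[16:76] = "CALC.EXE".encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<II", buf, 76, 0x4EB0A8A1, 0)    # made-up prefetch hash, flags
    struct.pack_into("<9I", buf, 84, header_len, 0, header_len, 0,
                     header_len, len(strings_raw), file_size, 1, 0)
    struct.pack_into("<Q", buf, 128, ticks)
    struct.pack_into("<I", buf, 152, 7)                # run count
    return bytes(buf) + strings_raw


if __name__ == "__main__":
    for key, value in parse_prefetch(build_sample_v23()).items():
        print(f"{key:>13}: {value}")
```

In a real investigation the `last_run` list for version 26 files is the point of interest: older versions keep only one execution time, so the run counter and the Prefetch file's own filesystem timestamps are the only other evidence of repeated execution.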
Development Roadmap
The development of Crow Eye is structured into three progressive phases to ensure a stable, scalable, and research-aligned forensic engine.
🔹 Phase 1 – Core Parsers & Timeline GUI (Current Phase)
Implementation of SRUM, Shellbags, and enhanced Registry parsers (Shellbags, BAM, DAM, Amcache, ShimCache, network interfaces, auto-runs and more). Develop the SQLite backend, design a PyQt5-based timeline GUI, and improve export functionality. Establish the core infrastructure for data collection and visualization.
🔹 Phase 2 – Correlation Engine, Evasion Detection & Plugin System
Build a heuristic correlation engine to automatically link evidence across artifacts. Add evasion detection logic (e.g., timestamp inconsistencies, YARA scanning). Develop a plugin system for extensibility and enhance the GUI with filtering, timeline controls, and export options.
🔹 Phase 3 – Multi-System Support & Centralized Platform
Expand the tool into a scalable forensic platform. Implement disk image parsing (E01/RAW), a REST API, and multi-system timeline correlation. Add centralized dashboards, SDK documentation, community tools, and cross-host investigation capabilities.
If you're interested in supporting or collaborating on any of these stages, please get in touch.
Research & Vision
Crow Eye is a research-centric project that aims to rework how digital forensic analysis is carried out on Windows systems. It is designed to aggregate and correlate a wide range of forensic artifacts in a unified and automated manner.
Planned enhancements include support for additional Windows artifact types and the development of a correlation engine capable of associating disparate forensic data points into coherent narratives. This engine will utilize heuristic linkage techniques to identify relationships across registry data, prefetch artifacts, and system event logs, even in scenarios where metadata is incomplete or tampered with.
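The SQLite-driven architecture and export options described under Key Features, and the heuristic linkage across prefetch, event-log and registry-derived data described in the paragraph above, fit together in one small model. The block below is an added example (not Crow Eye's code or schema): it normalizes records from three artifact sources into a single SQLite table, builds a per-executable timeline, exports it as CSV and JSON, and then applies two illustrative correlation rules, linking each Prefetch last-run to a process-creation event for the same executable within a time window, and flagging a recorded execution that precedes the file's own creation time. The table layout, the rule names and the sample records for host `WS-01` are all assumptions made for the example; the sample data is constructed, not captured.

```python
# Added example, not Crow Eye's code: normalized SQLite store for forensic
# artifacts with CSV/JSON export and a simple cross-artifact correlation pass.
import csv
import io
import json
import sqlite3
from datetime import datetime, timedelta

# Every artifact becomes one row; source-specific fields go into a JSON detail blob.
# event_time is ISO 8601 in UTC with a fixed layout, so string order == time order.
SCHEMA = """
CREATE TABLE artifacts (
    id INTEGER PRIMARY KEY,
    host TEXT NOT NULL,
    source TEXT NOT NULL,        -- 'prefetch', 'amcache', 'eventlog', ...
    executable TEXT NOT NULL,    -- link key: upper-cased base name
    path TEXT,
    event_kind TEXT NOT NULL,    -- 'last_run', 'file_created', 'process_create', ...
    event_time TEXT NOT NULL,
    detail TEXT
);
CREATE INDEX ix_artifacts_exe ON artifacts(host, executable, event_time);
"""
FIELDS = ("host", "source", "executable", "event_kind", "event_time", "path")

SAMPLE_HOST = "WS-01"
SAMPLE_RECORDS = [  # constructed for the example, not taken from a real system
    {"source": "amcache", "path": "C:\\Windows\\System32\\calc.exe",
     "kind": "file_created", "time": "2023-06-01T08:00:00+00:00"},
    {"source": "eventlog", "path": "C:\\Windows\\System32\\calc.exe",
     "kind": "process_create", "time": "2024-01-15T10:29:58+00:00", "detail": {"event_id": 4688}},
    {"source": "prefetch", "path": "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\CALC.EXE",
     "kind": "last_run", "time": "2024-01-15T10:30:00+00:00", "detail": {"run_count": 7}},
    {"source": "prefetch", "path": "\\DEVICE\\HARDDISKVOLUME1\\USERS\\PUBLIC\\UPDATER.EXE",
     "kind": "last_run", "time": "2024-01-15T11:00:00+00:00", "detail": {"run_count": 1}},
    {"source": "amcache", "path": "C:\\Users\\Public\\updater.exe",
     "kind": "file_created", "time": "2024-01-15T11:05:00+00:00"},
]


def normalize_exe(path):
    """Link key shared by all sources: upper-cased base name, either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].upper()


def build_store(host, records):
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO artifacts(host, source, executable, path, event_kind, event_time, detail)"
        " VALUES (?, ?, ?, ?, ?, ?, ?)",
        [(host, r["source"], normalize_exe(r["path"]), r["path"], r["kind"], r["time"],
          json.dumps(r.get("detail", {}))) for r in records])
    conn.commit()
    return conn


def timeline(conn, executable=None):
    """Chronological rows, optionally restricted to one executable name."""
    sql = "SELECT " + ", ".join(FIELDS) + " FROM artifacts"
    params = ()
    if executable:
        sql += " WHERE executable = ?"
        params = (normalize_exe(executable),)
    return [dict(zip(FIELDS, row)) for row in conn.execute(sql + " ORDER BY event_time, id", params)]


def export_csv(conn):
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(timeline(conn))
    return out.getvalue()


def export_json(conn):
    return json.dumps(timeline(conn), indent=2)


def correlate(conn, window_seconds=120):
    """Two illustrative heuristics per Prefetch last-run (assumed rules, not Crow Eye's):
    1. no_process_create_event: no process-creation log event for the same executable
       within +/- window_seconds (possible log clearing or gap in collection);
    2. run_before_file_created: recorded execution earlier than the file's creation
       time from another source (possible clock or timestamp manipulation)."""
    findings = []
    runs = conn.execute("SELECT host, executable, event_time FROM artifacts"
                        " WHERE source = 'prefetch' AND event_kind = 'last_run'").fetchall()
    for host, exe, run_time in runs:
        run_dt = datetime.fromisoformat(run_time)
        lo = (run_dt - timedelta(seconds=window_seconds)).isoformat()
        hi = (run_dt + timedelta(seconds=window_seconds)).isoformat()
        matches = conn.execute(
            "SELECT event_time FROM artifacts WHERE host = ? AND executable = ?"
            " AND event_kind = 'process_create' AND event_time BETWEEN ? AND ?",
            (host, exe, lo, hi)).fetchall()
        created = conn.execute(
            "SELECT MIN(event_time) FROM artifacts WHERE host = ? AND executable = ?"
            " AND event_kind = 'file_created'", (host, exe)).fetchone()[0]
        if not matches:
            findings.append({"executable": exe, "rule": "no_process_create_event", "last_run": run_time})
        if created and run_time < created:
            findings.append({"executable": exe, "rule": "run_before_file_created",
                             "last_run": run_time, "file_created": created})
    return findings


if __name__ == "__main__":
    store = build_store(SAMPLE_HOST, SAMPLE_RECORDS)
    print(export_csv(store))
    for finding in correlate(store):
        print(finding)
```

Both rules produce leads rather than conclusions: an execution without a matching 4688 event is equally consistent with auditing being disabled, and a file-created time later than a run time can come from an installer that rewrote the binary. The value of the normalized table is that the analyst can query the surrounding rows immediately instead of reopening each artifact parser.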
A timeline visualization interface is also under development, which will enable investigators to intuitively interpret user behavior, operational sequences, and potential evasion techniques. By providing chronological context, this tool will assist in reconstructing detailed digital activity profiles.
To promote transparency and community collaboration, I intend to publish comprehensive documentation detailing the internal structures of supported artifacts and the logic underpinning the correlation methodology. These publications will serve both as educational resources and as a foundation for peer validation and future academic research.
About the Developer
Crow Eye is developed and maintained by Ghassan Elsman as both a practical forensic tool and a research proof of concept. The project is open to collaboration and contributions. For inquiries or support, feel free to reach out:
📧 Ghassanelsman@gmail.com | 🔗 GitHub Repository | 💼 LinkedIn Profile