Releases: Ghassan-elsman/Crow-Eye

v0.8.0

28 Mar 05:49
9e60dbb

v0.8.0: The "Full Spectrum" Update

We are proud to announce the release of v0.8.0, a transformative update that completes the forensic lifecycle within Crow-Eye. This version introduces the Crow-Claw acquisition engine and a powerful Offline Importer, shifting Crow-Eye from a live parser tool to a comprehensive forensic analysis platform.

Crow-Claw Acquisition Engine

  • Automated Preservation: Collect and preserve Windows artifacts from live systems or mounted images with forensic integrity.
  • Deep Directory Scanning: Automatically identifies forensic traces across complex directory structures.
  • Structured Output: Artifacts are now organized into type-specific folders (Registry, Prefetch, Event Logs) for easy review.

Offline Importer & Scan Index

  • Universal Input: Analyze artifacts from any source—external drives, network shares, or previous collections.
  • (SCAN): Instantly identify and index thousands of artifacts using forensic without copying files.
  • Selective Collection (COLLECT): Choose specifically which artifacts to bring into your case, saving .
  • Granular Parsing: A new multi-tab dialog allows you to review and select individual files for deep parsing into the forensic database.

Engine & Parser Enhancements

  • LNK/JL Performance: Implemented silent parsing, milestone progress logging, and more robust Unicode decoding for resilient data extraction.
  • MFT/USN Optimization: Added bulk-insert PRAGMA tweaks for massive speed gains and clearer exit codes for automated workflows.
  • Correlator Upgrades: Enhanced mft_usn_correlator now handles parser failures gracefully and verifies database integrity before processing.

UI & UX Improvements

  • Threaded UI: Resolved the "Loading Dialog" freezing issue. Heavy indexing and collection operations now run on background threads, keeping the interface

v0.7.3

02 Mar 13:43

Major enhancements to Time-Window Engine correlation and timestamp detection
Enhancing the performance and the GUI of the time engine
Moving the Partition analyzer to the Artifact collectors

Full Changelog: v0.7.2...0.7.3

v0.7.2

26 Feb 17:13

What's Changed

Improved GUI performance, enhanced execution control, and added a helper to search multiple semantic data formats
Full Changelog: V0.7.1...v0.7.2

V0.7.1

16 Feb 06:38

Full Changelog: V0.7.0...V0.7.1

  • Semantic Intelligence & Field Mapping
    The Semantic Mapping system has been completely rebuilt into a contextual intelligence layer.
    • Field Alias Matching (FTS5): Uses SQLite FTS5 for fast, fuzzy, and robust field name lookups, ensuring different tools' data can be mapped to standardized forensic concepts.
    • Advanced Logic: Supports complex AND/OR logic and confidence scoring for each rule

  • Artifact Type Registry: A centralized, JSON-driven system that provides a single source of truth for all artifact metadata, eliminating duplicate lists across 10+ files

  • Hierarchical Weight Precedence: A strict new resolution order ensures weight settings are predictable: Wing-specific > Case-specific > Global > Default Fallback

  • Enhanced Results Viewers: New production-ready viewers for both engines include Semantic Columns, hierarchical grouping (Window → Feather → Evidence), and pagination for large datasets

  • Metadata-Optional Processing: The engine now automatically detects artifact types using a priority list (Metadata → Table Names → Filename), allowing for the import of databases from third-party tools without manual setup

V0.7.0

31 Dec 02:24

Full Changelog: 0.6.2...V0.7.0
Add Correlation Engine with comprehensive documentation
Major Features:

  • Introduce dual-engine correlation system (Time-Based and Identity-Based)
  • Add universal data import supporting CSV/JSON/SQLite from any forensic tool
  • Implement Feather normalization system for standardized artifact storage
  • Add Wings correlation rules system with configurable parameters
  • Implement Pipeline orchestration for automated workflows
  • Add cyberpunk-styled GUI for correlation visualization

Correlation Engine Components:

  • Time-Based Engine: O(N²) comprehensive field-level correlation
  • Identity-Based Engine: O(N log N) scalable identity tracking with streaming
  • Feather Builder: Universal forensic data normalization
  • Wings System: Flexible correlation rule definitions
  • Pipeline Executor: Automated multi-artifact correlation workflows
  • Results Viewer: Interactive visualization

Documentation (~7,200 lines):

  • Add Correlation Engine Overview with architecture diagrams
  • Add comprehensive Engine Documentation with selection guide
  • Add Architecture Documentation with component integration
  • Add Feather, Wings, and Pipeline documentation
  • Add dedicated Correlation Engine Contributing Guide
  • Update main README with Correlation Engine section
  • Update main CONTRIBUTING.md highlighting Correlation Engine priority

Performance:

  • Identity-Based Engine: Process 100K records in 2.5 min with streaming
  • Time-Based Engine: Optimized for datasets < 1,000 records
  • Constant memory usage with streaming mode for large datasets

0.6.2

15 Dec 22:16
4c59793

Enhancement to solve compatibility issues for EXE Version
Full Changelog: 0.6.1...0.6.2

0.6.1

13 Dec 01:30
5c9426c

Enhancement to case management, bug fixes for Registry parsing, and enhancement to detect and parse Windows partitions
Full Changelog: 0.6.0...0.6.1

Crow-Eye v0.6.0 – Hidden Partitions, Dual-Boot & Live USB Detection Added with EXE stand alone file

01 Dec 21:22
3e1cf57

Add support for Disks & Partitions
Add Registry users profiles
Enhancement to the search engine
Full Changelog: 0.5.1...0.6.0
Add Crow-Eye.exe Stand alone file

0.5.1

21 Nov 07:46
5042025

Enhanced Database Search Engine

0.5.0

17 Nov 02:26

Overview

Crow Eye v0.5.0 introduces significant enhancements to forensic analysis capabilities, focusing on improved artifact parsing, search functionality, and timeline visualization.

Key New Features

  • New Search Engine: A powerful, full-text search system for efficient querying across all artifacts, with support for advanced filtering and natural language input to assist non-technical users.
  • Timeline Correlation Dialog: Interactive dialog for visualizing and correlating forensic events in a timeline view.
  • ShellBags Parsing: Added parsing for ShellBags artifacts, extracting folder access history, views, and timestamps to reveal user navigation patterns.
  • SRUM Parsing: New parser for System Resource Usage Monitor (SRUM), capturing app resource usage, network activity, energy consumption, and execution data.
  • MRU and Recent Docs Binary Parsing Enhancements: Improved binary parsing for Most Recently Used (MRU) lists and Recent Documents, with better handling of typed paths, Open/Save history, and recent files across Windows versions. Includes error handling and output in SQLite + JSON formats.

Improvements and Fixes

Notes

  • Offline Analysis: Still under development for some artifacts—use with caution and report issues.
  • Contributions: We welcome pull requests for additional correlations or parsers. Contact ghassanelsman@gmail.com for collaboration.