Releases: AppliedIR/wintools-mcp

v0.6.1

16 Apr 14:06

What's New

  • Per-artifact provenance grading with evidence chain display in Examiner Portal
  • Provenance chain tooltips — hover any chain step for full audit detail (command, timing, input files, SHA-256)
  • vhir restore — restore cases from backup including OpenSearch indices
  • OpenSearch backup via vhir backup --include-opensearch
  • Interactive vhir case init prompts when run with no arguments
  • Wintools watchdog with automatic restart on crash

Bug Fixes

  • Masquerade detection scoped to curated system binaries, reducing false positives
  • Evidence staging — VHDX/container evidence auto-staged to SMB share for wintools access
  • Plaso --storage_file argument compatibility
  • Config file permissions on samba.yaml/network.yaml
  • Typosquatting false positives on short filenames
  • Audit ID regex now supports hyphenated examiner names
  • Case_id cache invalidation on mid-session case switch
  • EVTX-only directory ingest crash (UnboundLocalError)

Existing Installs

Run vhir update — pulls new code, reinstalls packages, restarts gateway. No migration needed.

Full Changelog: v0.6.0...v0.6.1

v0.6.0

07 Apr 14:35

What's New

  • opensearch-mcp: programmatic ingestion of major forensic artifacts into OpenSearch, reducing LLM token usage while providing structured access to processed evidence
  • Improved forensic knowledge guidance and MCP response hints to assist the LLM throughout the investigation
  • Gateway stability enhancements for automatic recovery from dropped backend sessions
  • Bug fixes across all repos

Full Changelog: v0.5.4...v0.6.0

v0.5.4

27 Mar 22:58

Full Changelog: v0.5.3...v0.5.4

v0.5.3

21 Mar 15:58

What's New

Provenance Support

  • run_command gains input_files parameter for provenance chain linking
  • Input detection cascade: LLM-provided → catalog auto-detect → parsed tokens
  • Per-file SHA-256 hashing with 1GB cap
  • result_summary now includes output_file, output_sha256, stdout_bytes, stdout_head for provenance chain walking
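The provenance items above (and the chain-step tooltips listed under v0.6.1, which show command, timing, input files and SHA-256 per step) describe a record shape but not how the pieces fit together. The following is an added illustration written for this page, not code from wintools-mcp: a `run_command`-style wrapper that applies the three-stage input detection cascade, hashes inputs under a size cap, fills a `result_summary` with `output_file`, `output_sha256`, `stdout_bytes` and `stdout_head`, and then walks and verifies the chain. Only `run_command`, `input_files` and those four summary fields come from the notes; `hash_file`, `detect_inputs`, `walk_chain`, `verify_chain`, `demo`, the rest of the record layout, the 256-byte `stdout_head` length, and the choice to skip (rather than partially hash) files over the 1 GB cap are assumptions.

```python
import hashlib
import os
import shlex
import subprocess
import tempfile
import time

HASH_CAP_BYTES = 1 << 30   # 1 GB per-file cap from the notes; skipping files over it is an assumption
STDOUT_HEAD_BYTES = 256    # assumed length of the stdout_head preview


def hash_file(path, cap=HASH_CAP_BYTES):
    """Return {path, size, sha256}; sha256 is None (with a reason) when the file exceeds the cap."""
    size = os.path.getsize(path)
    if size > cap:
        return {"path": path, "size": size, "sha256": None, "reason": "exceeds hash cap"}
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return {"path": path, "size": size, "sha256": h.hexdigest()}


def detect_inputs(command, input_files, catalog):
    """Input detection cascade: LLM-provided list, else command tokens that name an
    output already in the catalog, else command tokens that exist as files on disk."""
    if input_files:
        return list(input_files), "llm_provided"
    tokens = shlex.split(command)
    hits = [t for t in tokens if t in catalog]
    if hits:
        return hits, "catalog"
    return [t for t in tokens if os.path.isfile(t)], "parsed_tokens"


def run_command(command, catalog, input_files=None, output_file=None):
    """Run a command without a shell and return one provenance chain step.
    A step that produces output_file is registered in catalog under that path."""
    inputs, source = detect_inputs(command, input_files, catalog)
    input_records = [hash_file(p) for p in inputs]   # hash before the tool can touch them
    started = time.time()
    proc = subprocess.run(shlex.split(command), capture_output=True)
    output_sha = None
    if output_file and os.path.isfile(output_file):
        output_sha = hash_file(output_file)["sha256"]
    step = {
        "command": command,
        "started_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(started)),
        "duration_s": round(time.time() - started, 3),
        "input_source": source,
        "input_files": input_records,
        "exit_code": proc.returncode,
        "result_summary": {
            "output_file": output_file,
            "output_sha256": output_sha,
            "stdout_bytes": len(proc.stdout),
            "stdout_head": proc.stdout[:STDOUT_HEAD_BYTES].decode("utf-8", "replace"),
        },
    }
    if output_file:
        catalog[output_file] = step
    return step


def walk_chain(step, catalog):
    """Follow input_files back through the steps that produced them; oldest step first."""
    chain, frontier, seen = [step], [r["path"] for r in step["input_files"]], set()
    while frontier:
        path = frontier.pop()
        if path in seen or path not in catalog:
            continue
        seen.add(path)
        prev = catalog[path]
        chain.append(prev)
        frontier.extend(r["path"] for r in prev["input_files"])
    return chain[::-1]


def verify_chain(chain):
    """Each input hash recorded by a later step must equal the output hash of the step
    that produced the file; a mismatch means the artifact changed between steps."""
    produced, problems = {}, []
    for step in chain:
        for rec in step["input_files"]:
            expected = produced.get(rec["path"])
            if expected is not None and rec["sha256"] != expected:
                problems.append((rec["path"], expected, rec["sha256"]))
        out = step["result_summary"]
        if out["output_file"]:
            produced[out["output_file"]] = out["output_sha256"]
    return problems


def demo(workdir=None):
    """Constructed sample: a raw file, a sort step with explicit inputs, a uniq step
    whose input is found via the catalog, and a wc step recovered from parsed tokens."""
    workdir = workdir or tempfile.mkdtemp()
    raw = os.path.join(workdir, "raw_events.txt")
    with open(raw, "w") as f:
        f.write("b\na\nc\na\n")
    sorted_path = os.path.join(workdir, "sorted.txt")
    catalog = {}
    s1 = run_command(f"sort -o {shlex.quote(sorted_path)} {shlex.quote(raw)}", catalog,
                     input_files=[raw], output_file=sorted_path)
    s2 = run_command(f"uniq {shlex.quote(sorted_path)}", catalog)
    s3 = run_command(f"wc -l {shlex.quote(raw)}", catalog)
    chain = walk_chain(s2, catalog)
    return s1, s2, s3, chain, verify_chain(chain)
```

The point of hashing inputs before the subprocess starts is that `verify_chain` can then catch a file that was altered between the step that wrote it and the step that read it; a file over the cap carries `sha256: None` and so cannot be verified, which is the trade-off the cap buys.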

Audit Fixes

  • audit.log() returns None on write failure (matches sift-common behavior)
  • Audit dir fallback: invalid AIIR_CASE_DIR falls through to ~/.aiir/active_case (matches sift-common)

Documentation

  • Clear Disclosure section added to README

Full Changelog: v0.5.2...v0.5.3

v0.5.2

16 Mar 21:58

Resilience fixes, sanitization alignment, examiner deferral.

v0.5.1

02 Mar 09:21

Full Changelog: v0.5.0...v0.5.1

v0.5.0

28 Feb 05:15

Initial release.