The Forensic Swiss Army Knife. Providing many useful features to leverage your forensic examination process. Standalone binaries available for Windows, Linux and macOS.

```shell
go install github.com/cuhsat/fox/v4@latest
```

- Guaranteed read-only access
- Bidirectional character detection
- Fast Shannon entropy calculation
- Dumps Linux ELF and Windows PE/COFF executables
- String carving and classification
- Integral `grep`, `head`, `tail`, `hexdump`, `wc` like abilities
- Automatic Chain-of-Custody receipt generation
- Hunt mode
- Built-in file carving of Linux Journals and Windows Event Logs
- Built-in super timeline in Common Event Format
- Built-in translation of over 51600 Event IDs
- Built-in warning of critical system events
- Stream in Splunk HEC or ECS format
- Save as JSON, JSON Lines or SQLite3
- Supports
  - Over 290 string classes in Hashcat notation
  - Many popular archive and compression formats
  - Many popular cryptographic, fuzzy and fast hashes
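The entropy feature above ("Fast Shannon entropy calculation", used by `fox info -m0.9` to list files with high entropy) comes down to a byte-frequency histogram. The Go program below is an added example written for this page, not code from the fox project: it computes Shannon entropy in bits per byte, normalizes it to 0..1 so a threshold like 0.9 applies, and also scans a file in fixed-size chunks, because a small encrypted or packed region inside a large mostly-plain file is easy to miss with a single whole-file score. The threshold semantics (normalized entropy, compared with `>=`), the chunk size and the sample inputs are assumptions made for the example.

```go
package main

import (
	"fmt"
	"math"
)

// ShannonEntropy returns the Shannon entropy of data in bits per byte.
// The result lies in [0, 8]: 0 for a constant byte stream, 8 when all 256
// byte values occur equally often.
func ShannonEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n := float64(len(data))
	var h float64
	for _, c := range counts {
		if c == 0 {
			continue // the 0 * log2(0) term is taken as 0
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// NormalizedEntropy scales ShannonEntropy to [0, 1] so that a threshold such
// as 0.9 can be applied independently of the alphabet size (assumed here to
// be how a "-m0.9" style filter is meant).
func NormalizedEntropy(data []byte) float64 {
	return ShannonEntropy(data) / 8
}

// MaxChunkEntropy returns the highest normalized entropy found in any
// chunkSize-byte window of data. The trailing partial chunk is scored too;
// a short chunk can never exceed log2(len)/8, so it will not produce false
// highs on its own.
func MaxChunkEntropy(data []byte, chunkSize int) float64 {
	if chunkSize <= 0 || len(data) == 0 {
		return NormalizedEntropy(data)
	}
	var highest float64
	for start := 0; start < len(data); start += chunkSize {
		end := start + chunkSize
		if end > len(data) {
			end = len(data)
		}
		if e := NormalizedEntropy(data[start:end]); e > highest {
			highest = e
		}
	}
	return highest
}

// IsHighEntropy reports whether the whole buffer meets the normalized
// threshold min, the per-file decision an entropy filter would make.
func IsHighEntropy(data []byte, min float64) bool {
	return NormalizedEntropy(data) >= min
}

func main() {
	// Constructed samples (not real evidence): English text, a constant run,
	// every byte value exactly once (the theoretical maximum), and a
	// mostly-constant buffer with a small high-entropy region appended.
	full := make([]byte, 256)
	for i := range full {
		full[i] = byte(i)
	}
	samples := []struct {
		name string
		data []byte
	}{
		{"text", []byte("The quick brown fox jumps over the lazy dog, again and again.")},
		{"zeros", make([]byte, 4096)},
		{"full", full},
		{"mixed", append(make([]byte, 4096), full...)},
	}
	for _, s := range samples {
		fmt.Printf("%-6s whole=%.3f maxchunk=%.3f high=%v\n",
			s.name, NormalizedEntropy(s.data), MaxChunkEntropy(s.data, 256),
			IsHighEntropy(s.data, 0.9))
	}
}
```

The "mixed" sample is the case worth noticing: its whole-file score stays far below 0.9 while the 256-byte chunk scan reports the maximum, which is why a triage tool benefits from reporting both figures rather than one.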
Type fox --help for more help:
```text
$ fox [MODE] [FLAGS ...] <PATHS ...>

Find occurrences in event logs:
$ fox -eWinlogon ./**/*.evtx

Show the MBR in canonical hex:
$ fox hex -hc512 disk.bin

List files with high entropy:
$ fox info -m0.9 ./**/*

Find ASCII strings in binaries:
$ fox text -rw sample.exe

Hash the archive contents:
$ fox hash -Tmd5,sha1 files.7z

Hunt down suspicious events:
$ fox hunt -sxv ./**/*.dd

File formats:
  evtx, journal, json, jsonl, PE/COFF (.dll, .exe, .sys, ...)

Archive formats:
  7zip, ar, CAB, cpio, RAR, RPM, tar, xar, ZIP

Compression formats:
  Brotli, bzip2, gzip, Kanzi, lz4, lzip, lzma, LZW, LZX, MinLZ, S2, Snappy, xz, zlib, zstd

Cryptographic hashes:
  BLAKE2S-256, BLAKE2B-256, BLAKE2B-384, BLAKE2B-512, BLAKE3-256, BLAKE3-512, MD2, MD4, MD5, MD6, SHA1, SHA256, SHA512, SHA3, SHA3-224, SHA3-256, SHA3-384, SHA3-512

Performance hashes:
  FNV-1, FNV-1a, Murmur3, XXH64, XXH3

Similarity hashes:
  SSDeep, TLSH

Windows hashes:
  LM, NT, PE

Checksums:
  Adler32, CRC32-C, CRC32-IEEE, CRC64-ECMA, CRC64-ISO
```
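"Hash the archive contents" (`fox hash -Tmd5,sha1 files.7z`) means hashing each member as it is decompressed in memory, not the container file. The Go program below is an added example written for this page, not fox's implementation: it uses the standard library's `archive/zip` (ZIP is one of the listed archive formats; 7zip would need a third-party package), streams each member through MD5 and SHA1 in a single pass, and caps how much of a member it will decompress so a decompression bomb cannot exhaust the examiner's workstation. The cap value, the struct and function names and the sample archive are assumptions made for the example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/md5"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"io"
	"sort"
)

// MaxMemberBytes caps how much of a single member is decompressed. The value
// is an assumption for this example; a real tool would make it configurable.
const MaxMemberBytes = 64 << 20

// MemberHashes holds the digests of one archive member.
type MemberHashes struct {
	Name string
	Size int64
	MD5  string
	SHA1 string
}

// HashZipMembers streams every regular-file member of an in-memory ZIP
// through MD5 and SHA1 at once, writing nothing to disk. Members come back
// sorted by name so two runs over the same archive compare line by line.
func HashZipMembers(archive []byte) ([]MemberHashes, error) {
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	var out []MemberHashes
	for _, f := range r.File {
		if f.FileInfo().IsDir() {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		m, s := md5.New(), sha1.New()
		// One pass feeds both digests; LimitReader enforces the size cap.
		// Reading a member to EOF makes archive/zip verify the stored CRC-32,
		// so a corrupted member surfaces here as zip.ErrChecksum.
		n, err := io.Copy(io.MultiWriter(m, s), io.LimitReader(rc, MaxMemberBytes+1))
		rc.Close()
		if err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		if n > MaxMemberBytes {
			return nil, fmt.Errorf("%s: member exceeds %d bytes", f.Name, MaxMemberBytes)
		}
		out = append(out, MemberHashes{
			Name: f.Name,
			Size: n,
			MD5:  hex.EncodeToString(m.Sum(nil)),
			SHA1: hex.EncodeToString(s.Sum(nil)),
		})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out, nil
}

// BuildSampleZip constructs a small ZIP in memory for the demo. This is
// constructed sample data, not a real evidence file.
func BuildSampleZip() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	members := []struct{ name, body string }{
		{"hello.txt", "hello world"},
		{"empty.txt", ""},
		{"logs/", ""}, // directory entry, skipped by HashZipMembers
	}
	for _, m := range members {
		fw, err := w.Create(m.name)
		if err != nil {
			panic(err)
		}
		if len(m.body) > 0 {
			if _, err := fw.Write([]byte(m.body)); err != nil {
				panic(err)
			}
		}
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	hashes, err := HashZipMembers(BuildSampleZip())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, h := range hashes {
		fmt.Printf("%-10s %6d  md5=%s  sha1=%s\n", h.Name, h.Size, h.MD5, h.SHA1)
	}
}
```

Hashing on the decompressed stream rather than on a temporary file is what keeps the operation read-only with respect to the evidence medium; the size cap and the CRC check are the two failure modes a triage tool should handle before trusting the digests it reports.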
This code was developed without the use of AI tooling and therefore does not contain any AI generated code or documentation. Furthermore, this code does not contain, employ or utilize AI tooling in any other form. All data processed will not be shared with third parties under any circumstances.
🦊 is released under the GPL-3.0.
