
fox

The Forensic Swiss Army Knife, providing many useful features to support your forensic examination process. Standalone binaries are available for Windows, Linux and macOS.


go install github.com/cuhsat/fox/v4@latest

Features

  • Read-only access guaranteed
  • Bidirectional character detection
  • Fast Shannon entropy calculation
  • String carving and classification
  • Dump Linux ELF and Windows PE/COFF executables
  • Integrated grep, head, tail, hexdump and wc-like abilities
  • Automatic Chain-of-Custody receipt generation
  • Several modes, including Hunt mode
  • Supports
    • File hash check via VirusTotal API
    • Over 290 string classes in Hashcat notation
    • Many popular archive and compression formats
    • Many popular cryptographic, fuzzy and fast hashes

Usage

Type fox --help for more help:

Usage:
  fox [MODE] [FLAGS ...] <PATHS ...>

Modes:
  cat    prints file (default)
  hex    prints file in hex format
  info   prints file infos and entropy
  text   prints file text contents
  hash   prints file hashes and checksums
  hunt   hunt suspicious activities

Examples

Find occurrences in event logs:

$ fox -eWinlogon ./**/*.evtx

Show the MBR in canonical hex:

$ fox hex -hc512 disk.bin

List files with high entropy:

$ fox info -m0.9 ./**/*
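The entropy filter above is the triage step that surfaces packed, compressed or encrypted files. The following Go program is an added example written for this page, not code from fox, showing how the "fast Shannon entropy" behind it is computed, and going one step further than the README's per-file listing by mapping entropy per block so a high-entropy region inside an otherwise ordinary file stands out. It assumes fox's -m threshold is on a normalized 0..1 scale (entropy divided by the 8-bit maximum), which is inferred from the `-m0.9` example rather than stated on the page; the 2 KiB input is constructed inline.

```go
package main

import (
	"fmt"
	"math"
)

// shannonEntropy returns the Shannon entropy of data in bits per byte,
// from 0 (a single byte value) to 8 (all 256 values equally likely).
func shannonEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n := float64(len(data))
	h := 0.0
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// normalizedEntropy scales the result to 0..1 by dividing by the 8-bit maximum.
// Assumption: fox's -m flag compares against a value on this scale; the README
// only shows `-m0.9`, it does not document the scale.
func normalizedEntropy(data []byte) float64 {
	return shannonEntropy(data) / 8
}

// entropyMap computes normalized entropy per fixed-size block, which locates
// packed or encrypted regions inside a low-entropy file. The final block may be
// shorter than blockSize.
func entropyMap(data []byte, blockSize int) []float64 {
	var out []float64
	for off := 0; off < len(data); off += blockSize {
		end := off + blockSize
		if end > len(data) {
			end = len(data)
		}
		out = append(out, normalizedEntropy(data[off:end]))
	}
	return out
}

// highEntropyBlocks returns the indices of blocks at or above min, the block-level
// equivalent of a "list files with entropy >= 0.9" filter.
func highEntropyBlocks(blocks []float64, min float64) []int {
	var idx []int
	for i, e := range blocks {
		if e >= min {
			idx = append(idx, i)
		}
	}
	return idx
}

// sampleImage is a constructed 2 KiB buffer: 1 KiB of zero bytes followed by
// 1 KiB cycling through every byte value, so only the second half has maximal entropy.
func sampleImage() []byte {
	buf := make([]byte, 2048)
	for i := 0; i < 1024; i++ {
		buf[1024+i] = byte(i)
	}
	return buf
}

func main() {
	img := sampleImage()
	blocks := entropyMap(img, 256)
	for i, e := range blocks {
		fmt.Printf("block %d @ 0x%04x: %.3f\n", i, i*256, e)
	}
	fmt.Println("blocks >= 0.9:", highEntropyBlocks(blocks, 0.9))
}
```

Two caveats when reading real results: a short block can show inflated entropy simply because few distinct values fit in it, and a high-entropy block is equally consistent with compression, encryption and random padding, so the filter narrows the candidate set rather than proving anything about a file.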

Find ASCII strings in binaries:

$ fox text -rw sample.exe
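The text mode above carves ASCII strings and, per the feature list, classifies them into string classes in Hashcat notation. The Go program below is an added example for this page, not fox's implementation: it carves printable-ASCII runs with their file offsets (the same approach the classic `strings` tool takes) and labels the ones shaped like password hashes with a handful of well-known Hashcat mode numbers (0 MD5, 100 SHA1, 1000 NTLM, 1400 SHA2-256, 1700 SHA2-512, 1800 sha512crypt, 3200 bcrypt). Reading "Hashcat notation" as the -m mode number is my interpretation of the README; the class table is a small illustrative subset, not fox's 290 classes, and the input blob is constructed inline.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Carved is one printable-ASCII run found in a byte buffer.
type Carved struct {
	Offset int
	Text   string
}

// carve returns every run of printable ASCII (0x20..0x7E) at least minLen bytes long.
func carve(data []byte, minLen int) []Carved {
	var out []Carved
	start := -1
	for i, b := range data {
		if b >= 0x20 && b <= 0x7e {
			if start < 0 {
				start = i
			}
			continue
		}
		if start >= 0 && i-start >= minLen {
			out = append(out, Carved{start, string(data[start:i])})
		}
		start = -1
	}
	if start >= 0 && len(data)-start >= minLen { // run that reaches end of data
		out = append(out, Carved{start, string(data[start:])})
	}
	return out
}

// Class is a string class labelled with its Hashcat hash-mode number (-m).
type Class struct {
	Name string
	Mode int
	re   *regexp.Regexp
}

// Illustrative subset of classes. Shape alone cannot tell MD5 from NTLM (both are
// 32 hex digits), so classify reports every matching class instead of guessing.
var classes = []Class{
	{"MD5", 0, regexp.MustCompile(`(?i)^[0-9a-f]{32}$`)},
	{"NTLM", 1000, regexp.MustCompile(`(?i)^[0-9a-f]{32}$`)},
	{"SHA1", 100, regexp.MustCompile(`(?i)^[0-9a-f]{40}$`)},
	{"SHA2-256", 1400, regexp.MustCompile(`(?i)^[0-9a-f]{64}$`)},
	{"SHA2-512", 1700, regexp.MustCompile(`(?i)^[0-9a-f]{128}$`)},
	{"sha512crypt", 1800, regexp.MustCompile(`^\$6\$(?:rounds=\d+\$)?[^$]{1,16}\$[./A-Za-z0-9]{86}$`)},
	{"bcrypt", 3200, regexp.MustCompile(`^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$`)},
}

// classify returns all classes whose pattern matches s, in table order.
func classify(s string) []Class {
	var hits []Class
	for _, c := range classes {
		if c.re.MatchString(s) {
			hits = append(hits, c)
		}
	}
	return hits
}

// describe renders classes as "name(mode)" for a report line.
func describe(cs []Class) string {
	parts := make([]string, 0, len(cs))
	for _, c := range cs {
		parts = append(parts, fmt.Sprintf("%s(%d)", c.Name, c.Mode))
	}
	return strings.Join(parts, ",")
}

// sampleBlob is a constructed "binary": a few header bytes, then strings separated
// by non-printable bytes. "MZ" is only two characters long and must be dropped.
func sampleBlob() []byte {
	var b []byte
	b = append(b, 0x00, 0x01, 0x02, 'M', 'Z', 0x90, 0x00)
	b = append(b, "d41d8cd98f00b204e9800998ecf8427e"...) // MD5("") at offset 7
	b = append(b, 0x00, 0xff)
	b = append(b, "Hello, world!"...)
	b = append(b, 0x00)
	b = append(b, ("$2b$12$" + strings.Repeat("a", 53))...) // bcrypt-shaped, not a real hash
	b = append(b, 0x00, 0x00)
	b = append(b, "da39a3ee5e6b4b0d3255bfef95601890afd80709"...) // SHA1("") at end of data
	return b
}

func main() {
	for _, c := range carve(sampleBlob(), 4) {
		fmt.Printf("0x%04x\t%-40s\t%s\n", c.Offset, c.Text, describe(classify(c.Text)))
	}
}
```

The ambiguity the MD5/NTLM pair shows is the rule, not the exception: a shape-based class is a hint about what to try first in a cracker, and the surrounding artifact (SAM hive, shadow file, application config) is what actually settles the format.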

Hash the archive contents:

$ fox hash -Tssdeep files.7z

Hunt down suspicious events:

$ fox hunt -sv ./**/*.dd

Supports

File formats:

evtx, journal, json, jsonl, lnk, pf, ELF, PE/COFF (dll, exe, sys, ...)

Archive formats:

7zip, ar, CAB, cpio, RAR, RPM, tar, xar, ZIP

Compression formats:

Brotli, bzip2, gzip, Kanzi, lz4, lzip, lzma, LZW, LZX, MinLZ, S2, Snappy, xz, zlib, zstd

Cryptographic hashes:

BLAKE2S-256, BLAKE2B-256, BLAKE2B-384, BLAKE2B-512, BLAKE3-256, BLAKE3-512, MD2, MD4, MD5, MD6, SHA1, SHA256, SHA512, SHA3, SHA3-224, SHA3-256, SHA3-384, SHA3-512

Performance hashes:

FNV-1, FNV-1a, Murmur3, XXH64, XXH3

Similarity hashes:

SSDeep, TLSH

Windows hashes:

LM, NT, PE

Checksums:

Adler32, CRC32-C, CRC32-IEEE, CRC64-ECMA, CRC64-ISO

Disclaimer

This code was developed without the use of AI tooling and therefore does not contain any AI generated code or documentation. Furthermore, this code does not contain, employ or utilize AI tooling in any other form. All data processed will not be shared with third parties under any circumstances.

🦊 is released under the GPL-3.0.