The Forensic Swiss Army Knife. Providing many useful features to leverage your forensic examination process. Standalone binaries available for Windows, Linux and macOS.

go install github.com/cuhsat/fox/v4@latest

• Guaranteed read-only access
• Bidirectional character detection
• Fast Shannon entropy calculation
• Dumping of Windows PE/COFF executables
• String carving and classification
• Integral grep, head, tail, hexdump, wc like abilities
• Automatic Chain-of-Custody receipt generation
• Hunt mode
  • Built-in file carving of Linux Journals and Windows Event Logs
  • Built-in super timeline in Common Event Format
  • Built-in translation list of over 51600 Event IDs
  • Built-in warning of critical system events
  • Stream in Splunk HEC or ECS format
  • Save as JSON, JSON Lines or SQLite3
• Supports
  • Over 290 string classes in Hashcat notation
  • Many popular archive and compression formats
  • Many popular cryptographic, fuzzy and fast hashes

Type fox --help for more help:

$ fox [MODE] [FLAGS ...] <PATHS ...>

Find occurrences in event logs:

$ fox -eWinlogon ./**/*.evtx

Show the MBR in canonical hex:

$ fox hex -mc -hc512 disk.bin

List files with high entropy:

$ fox info -m0.9 ./**/*

Find ASCII strings in binaries:

$ fox text -rw sample.exe

Hash the archive contents:

$ fox hash -Tmd5,sha1 files.7z

Hunt down suspicious events:

$ fox hunt -sxv ./**/*.dd

File formats:

evtx, journal, JSON, JSONL, PE/COFF

Archive formats:

7zip, ar, CAB, cpio, RAR, RPM, tar, xar, ZIP

Compression formats:

Brotli, bzip2, gzip, Kanzi, lz4, lzip, lzma, LZW, LZX, MinLZ, S2, Snappy, xz, zlib, zstd

Cryptographic hashes:

MD2, MD4, MD5, MD6, SHA1, SHA256, SHA3, SHA3-224, SHA3-256, SHA3-384, SHA3-512

Performance hashes:

XXH64, XXH3

Similarity hashes:

SSDeep, TLSH

Windows hashes:

LM, NT, PE

Checksums:

ADLER32, CRC32-C, CRC32-IEEE, CRC64-ECMA, CRC64-ISO

🦊 is released under the GPL-3.0