cuhsat/fox

The Forensic Examiners Swiss Army Knife. Providing many useful features to leverage your forensic examination process.
fox



Synopsis

Fox is a CLI tool built to support the examination of file-based forensic artifacts by providing the most useful features in a cross-platform standalone binary. Files are processed read-only and their contents are output uninterpreted.

Install

The fastest way to get started is to use the go install command:

go install github.com/cuhsat/fox/v4@latest

There are also standalone binaries available:

OS       Binaries    Packages
Linux    amd | arm   amd | deb | pkg | rpm
macOS    amd | arm   brew install cuhsat/fox/fox
Windows  amd | arm

Features

  • Restricted read-only access
  • Supports SMB 2/3 UNC paths
  • Bidirectional character detection
  • String carving and automatic classification
  • With over 290 classes in Hashcat notation
  • Dump Active Directory and other EDB files
  • Dump Windows shortcut and prefetch files
  • Dump Linux ELF and Windows PE/COFF executables
  • Check IPs, URLs, Domains and files via the VirusTotal API
  • Extract NTLM hashes from Active Directory databases
  • Integral grep, head, tail, uniq, wc and hexdump-like abilities
  • Integral syntax highlighting for many different formats
  • Integral fast Shannon entropy calculation
  • Integral Chain-of-Custody receipt generation
  • Many popular archive and compression formats
  • Many popular cryptographic, fuzzy, image and fast hashes
  • Complete with man pages for every mode
  • Special Hunt mode

Examples

Find occurrences in event logs:

fox -eWinlogon ./**/*.evtx

Show MBR in canonical hex:

fox hex -hc512 disk.dd

Show strings in binary:

fox text -w ioc.exe

Hash archive contents:

fox hash -Amd5 files.7z

List high entropy files:

fox list -n0.9 ./**/*

Dump NTLM hashes:

fox dump system ntds.dit

Test a suspicious file:

fox test ioc.exe

Hunt down suspicious events:

fox hunt -sv ./**/*.dd
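The "List high entropy files" example above relies on the Shannon entropy feature. The following Go program is an added illustration, not code from the fox project: it computes byte-level Shannon entropy, normalizes it to the 0..1 range (the scale the -n0.9 threshold is assumed to use), and flags inputs above the threshold, using two constructed samples (plain English text and a byte run covering all 256 values).

```go
package main

import (
	"fmt"
	"math"
)

// ShannonEntropy returns the entropy of data in bits per byte (0..8).
// Empty input is defined as 0 so that zero-length files never rank as high entropy.
func ShannonEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n := float64(len(data))
	h := 0.0
	for _, c := range counts {
		if c == 0 {
			continue // log2(0) is undefined; zero-probability symbols contribute nothing
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// NormalizedEntropy scales the entropy to 0..1 by dividing by the 8-bit maximum.
// Assumption: this is the scale fox's -n threshold uses.
func NormalizedEntropy(data []byte) float64 {
	return ShannonEntropy(data) / 8
}

// IsHighEntropy reports whether data reaches the threshold; compressed,
// encrypted or packed content typically sits near 1.0, text well below.
func IsHighEntropy(data []byte, threshold float64) bool {
	return NormalizedEntropy(data) >= threshold
}

func main() {
	// Constructed samples, not taken from any real evidence file.
	text := []byte("The quick brown fox jumps over the lazy dog, again and again.")
	full := make([]byte, 256)
	for i := range full {
		full[i] = byte(i)
	}
	fmt.Printf("text      entropy=%.3f high=%v\n", NormalizedEntropy(text), IsHighEntropy(text, 0.9))
	fmt.Printf("all-bytes entropy=%.3f high=%v\n", NormalizedEntropy(full), IsHighEntropy(full, 0.9))
}
```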

Supports

File Formats

evtx, journal, json, jsonl, lnk, pf, ELF, ESE/EDB, PE/COFF

Disk Formats

dd/raw, EWF-E01, EWF-S01, VHD, VHDX, VMDK

Archive Formats

7zip, ar, CAB, CPIO, ISO, RAR, RPM, tar, xar, ZIP

Compression Formats

Brotli, bzip2, gzip, Kanzi, lz4, lzip, lzma, LZFSE, LZO, LZVN, LZW, LZX, MinLZ, S2, Snappy, xz, zlib, zstd

Cryptographic Hashes

BLAKE2S-256, BLAKE2B-256, BLAKE2B-384, BLAKE2B-512, BLAKE3-256, BLAKE3-512, GOST2012-256, GOST2012-512, HAS-160, LSH-256, LSH-512, MD2, MD4, MD5, MD6, RIPEMD-160, SHAKE128, SHAKE256, SHA1, SHA224, SHA256, SHA512, SHA3, SHA3-224, SHA3-256, SHA3-384, SHA3-512, Skein-224, Skein-256, Skein-384, Skein-512, SM3, Whirlpool

Performance Hashes

djb2, FNV-1, FNV-1a, Murmur3, RapidHash, SipHash, XXH32, XXH64, XXH3

Similarity Hashes

ImpFuzzy, ImpHash, ImpHash0, SSDeep, TLSH

Windows Specific

LM, NT, PE Checksum

Image Specific

aHash, dHash, pHash

Checksums

Adler32, Fletcher4, CRC16-CCITT, CRC32-C, CRC32-IEEE, CRC64-ECMA, CRC64-ISO


🦊 is released under the GPL-3.0
