The Forensic Examiners Swiss Army Knife. Providing many useful features to leverage your forensic examination process.

Synopsis

Fox is a CLI tool, build to support the examination process of file based forensic artifacts, by providing the most useful features in a cross-platform standalone binary. The files will be processed in read-only manner and output uninterpreted.

Install

The fastest way to get started, is to use the go install command:

go install github.com/cuhsat/fox/v4@latest

There are also standalone binaries available:

OS	Binaries	Packages
Linux	amd | arm	amd | deb | pkg | rpm
macOs	amd | arm	brew install cuhsat/fox/fox
Windows	amd | arm

Features

• Restricted read-only access
• Supports SMB 2/3 UNC paths
• Bidirectional character detection
• String carving and automatic classification
• With over 290 classes in Hashcat notation
• Dump Active Directory and other EDB files
• Dump Windows shortcut and prefetch files
• Dump Linux ELF and Windows PE/COFF executables
• Check IPs, URLs, Domains and files via the VirusTotal API
• Extract NTLM hashes from Active Directory databases
• Integral grep, head, tail, uniq, wc, hexdump like abilities
• Integral syntax highlighting for many different formats
• Integral fast Shannon entropy calculation
• Integral Chain-of-Custody receipt generation
• Many popular archive and compression formats
• Many popular cryptographic, fuzzy, image and fast hashes
• Complete with man pages for every mode
• Special Hunt mode
  • Built-in support for EnCase EWF, VHDX, VMDK and raw disks
  • Built-in log carving of Linux Journals and Windows Event Logs
  • Built-in super timeline in Common Event Format
  • Built-in translation of over 51600 event ids
  • Built-in warning of critical system events
  • Filter events with Sigma Rules syntax
  • Filter anomalies using Levenshtein distance
  • Stream in Splunk HEC and Elastic ECS format
  • Save as JSON, JSON Lines, Parquet or SQLite

Examples

Find occurrences in event logs:

fox -eWinlogon ./**/*.evtx

Show MBR in canonical hex:

fox hex -hc512 disk.dd

Show strings in binary:

fox text -w ioc.exe

Hash archive contents:

fox hash -Amd5 files.7z

List high entropy files:

fox list -n0.9 ./**/*

Dump NTLM hashes:

fox dump system ntds.dit

Test a suspicious file:

fox test ioc.exe

Hunt down suspicious events:

fox hunt -sv ./**/*.dd

Supports

File Formats

evtx, journal, json, jsonl, lnk, pf, ELF, ESE/EDB, PE/COFF

Disk Formats

dd/raw, EWF-E01, EWF-S01, VHD, VHDX, VMDK

Archive Formats

7zip, ar, CAB, CPIO, ISO, RAR, RPM, tar, xar, ZIP

Compression Formats

Brotli, bzip2, gzip, Kanzi, lz4, lzip, lzma, LZFSE, LZO, LZVN, LZW, LZX, MinLZ, S2, Snappy, xz, zlib, zstd

Cryptographic Hashes

BLAKE2S-256, BLAKE2B-256, BLAKE2B-384, BLAKE2B-512, BLAKE3-256, BLAKE3-512, GOST2012-256, GOST2012-512, HAS-160, LSH-256, LSH-512, MD2, MD4, MD5, MD6, RIPEMD-160, SHAKE128, SHAKE256, SHA1, SHA224, SHA256, SHA512, SHA3, SHA3-224, SHA3-256, SHA3-384, SHA3-512, Skein-224, Skein-256, Skein-384, Skein-512, SM3, Whirlpool

Performance Hashes

djb2, FNV-1, FNV-1a, Murmur3, RapidHash, SipHash, XXH32, XXH64, XXH3

Similarity Hashes

ImpFuzzy, ImpHash, ImpHash0, SSDeep, TLSH

Windows Specific

LM, NT, PE Checksum

Image Specific

aHash, dHash, pHash

Checksums

Adler32, Fletcher4, CRC16-CCITT, CRC32-C, CRC32-IEEE, CRC64-ECMA, CRC64-ISO

---

🦊 is released under the GPL-3.0