Fox is a command-line tool built to support the examination of file-based forensic artifacts. It provides a wide spectrum of forensic capabilities in a single cross-platform, standalone binary.
- Restricted read-only access
- Bidirectional character detection
- String carving and automatic classification
- With 290+ classes in Hashcat notation
- Parse Fortinet binary firewall logs
- Parse Active Directory and other EDB files
- Parse NTFS MFT, LNK, PF, PST binary files
- Parse Linux ELF and Windows PE/COFF executables
- Extract Active Directory hashes, users, groups, computers
- Lookup NTLM hashes using 210000+ entry wordlists
- Lookup URLs, IPs, domains and files via the VirusTotal API
- Integral grep, head, tail, uniq, wc, hexdump-like abilities
- Integral syntax highlighting for many different formats
- Integral fast Shannon entropy calculation
- Integral Chain-of-Custody receipt generation
- Support of path globbing and file streams
- Support of encrypted 7z, Rar, Zip archives
- Many popular archive and compression formats
- Many popular cryptographic, image, fuzzy and fast hashes
- With man pages for every command
- Advanced Hunt command
- Built-in log carving of Linux Journals and Windows Event Logs
- Built-in super timeline in Common Event Format
- Built-in translation of 51600+ event ids
- Built-in warning of critical system events
- Filter events with Sigma Rules syntax
- Filter anomalies using Levenshtein distance
- Stream events in Splunk or Elastic format
- Stream events using HTTPS or MQTT protocol
- Save as JSON, JSON Lines or Parquet
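The following Go program is an added example, not Fox's own code, showing what the fast Shannon entropy calculation and the high-entropy filter (`fox info -N6.0`) compute: the entropy of a file's byte histogram in bits per byte, and a cut-off above which content is likely packed, compressed or encrypted. The sample inputs, the LCG byte generator, the `sample` type and the function names are constructed for this illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"math"
	"sort"
)

// shannonEntropy returns the Shannon entropy of data in bits per byte.
// It ranges from 0 (every byte identical) to 8 (all 256 byte values
// equally frequent). Plain text sits around 4-5, compressed or encrypted
// data close to 8, which is why 6.0 is a practical triage threshold.
func shannonEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n := float64(len(data))
	h := 0.0
	for _, c := range counts {
		if c == 0 {
			continue // 0 * log2(0) contributes nothing
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// sample pairs a name with constructed file contents (stands in for a path).
type sample struct {
	name string
	data []byte
}

// highEntropyFiles returns the names of samples whose entropy is at least
// threshold bits per byte, sorted for stable output.
func highEntropyFiles(samples []sample, threshold float64) []string {
	var hits []string
	for _, s := range samples {
		if shannonEntropy(s.data) >= threshold {
			hits = append(hits, s.name)
		}
	}
	sort.Strings(hits)
	return hits
}

// pseudoRandom returns n bytes from a small LCG, a constructed stand-in for
// ciphertext or compressed data. It is not cryptographically random.
func pseudoRandom(n int) []byte {
	out := make([]byte, n)
	state := uint32(0xdeadbeef)
	for i := range out {
		state = state*1664525 + 1013904223
		out[i] = byte(state >> 24) // the high byte is the best-distributed one
	}
	return out
}

func main() {
	// Constructed inputs: repeated log text, a zero-filled block, LCG bytes.
	text := bytes.Repeat([]byte("Accepted publickey for alice from 10.0.0.5 port 51234 ssh2\n"), 64)
	samples := []sample{
		{"notes.txt", text},
		{"zeros.bin", make([]byte, 4096)},
		{"blob.bin", pseudoRandom(4096)},
	}
	for _, s := range samples {
		fmt.Printf("%-10s %.3f bits/byte\n", s.name, shannonEntropy(s.data))
	}
	fmt.Println("high entropy (>= 6.0):", highEntropyFiles(samples, 6.0))
}
```

Entropy is computed over the whole file here; a small file with few distinct bytes can never reach 6.0 regardless of content, so for triage the threshold is most meaningful on files of at least a few hundred bytes.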
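As a second added example, again not Fox's own code, the Go program below shows the idea behind filtering anomalies with Levenshtein distance over carved journal or event-log lines: messages that differ only in PIDs, ports or counters fall into the same cluster, and lines that are far from every cluster representative are the outliers worth looking at. The log excerpt is constructed, and the 0.25 length-normalised threshold, the minimum cluster size and all function names are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// levenshtein returns the edit distance (insert, delete, substitute, each
// costing 1) between two strings, computed over runes with two DP rows.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// distanceRatio normalises the distance by the longer string, so one
// threshold behaves the same for short and long messages.
func distanceRatio(a, b string) float64 {
	n := len([]rune(a))
	if m := len([]rune(b)); m > n {
		n = m
	}
	if n == 0 {
		return 0
	}
	return float64(levenshtein(a, b)) / float64(n)
}

// cluster keeps the first line seen as representative plus all members.
type cluster struct {
	rep     string
	members []string
}

// clusterLines assigns each line to the first cluster whose representative
// is within maxRatio, or opens a new cluster (single pass, order-dependent).
func clusterLines(lines []string, maxRatio float64) []cluster {
	var cs []cluster
next:
	for _, l := range lines {
		for i := range cs {
			if distanceRatio(cs[i].rep, l) <= maxRatio {
				cs[i].members = append(cs[i].members, l)
				continue next
			}
		}
		cs = append(cs, cluster{rep: l, members: []string{l}})
	}
	return cs
}

// anomalies returns lines from clusters smaller than minSupport: messages
// unlike everything else in the log.
func anomalies(lines []string, maxRatio float64, minSupport int) []string {
	var out []string
	for _, c := range clusterLines(lines, maxRatio) {
		if len(c.members) < minSupport {
			out = append(out, c.members...)
		}
	}
	return out
}

// sampleLog is a constructed journal-style excerpt, not data from a real host.
const sampleLog = `sshd[1021]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
sshd[1022]: Accepted publickey for alice from 10.0.0.5 port 51240 ssh2
sshd[1023]: Accepted publickey for bob from 10.0.0.7 port 51250 ssh2
systemd[1]: Started Session 42 of user alice.
systemd[1]: Started Session 43 of user alice.
systemd[1]: Started Session 44 of user bob.
sshd[1024]: Accepted publickey for alice from 10.0.0.5 port 51302 ssh2
kernel: usb 1-1: new high-speed USB device number 7 using xhci_hcd`

func main() {
	lines := strings.Split(sampleLog, "\n")
	for _, c := range clusterLines(lines, 0.25) {
		fmt.Printf("%d x %s\n", len(c.members), c.rep)
	}
	fmt.Println("anomalies:", anomalies(lines, 0.25, 2))
}
```

The single-pass clustering is O(lines x clusters) Levenshtein evaluations, which is fine for a carved journal of a few hundred thousand lines with a few hundred message shapes; stripping timestamps before comparison keeps the ratio from being dominated by fields that always differ.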
Install the development version directly via go:

```sh
go install go.foxforensics.eu/fox/v4@latest
```

Standalone binaries and packages are available for:
| OS | Binaries | Packages |
|---|---|---|
| Linux | amd, arm | apk, deb, pkg, rpm |
| macOS | amd, arm | `brew install foxforensics/fox/fox` |
| Windows | amd, arm | Binaries are standalone executables |
Find occurrences in event logs:

```sh
fox -FWinlogon ./**/*.evtx
```

Show MBR in canonical hex:

```sh
fox -L512b image.dd
```

Show NTLM password hashes:

```sh
fox ad -hl NTDS.dit SYSTEM
```

Show all strings in a binary:

```sh
fox str -w sample.exe
```

List only high entropy files:

```sh
fox info -N6.0 ./**/*
```

Hash archive contents as MD5:

```sh
fox hash -Hmd5 files.7z
```

Hunt down critical events:
```sh
fox hunt -u *.dd
```

| Category | Supported |
|---|---|
| AD Records | NTLM, Users, Groups, Computers |
| Log Formats | EVTX, Journal, Fortigate |
| Binary Formats | PE / COFF, ELF, ESE / EDB, MFT, LNK, PF, PST |
| Archive Formats | 7-Zip, AR, CAB, CFB, CPIO, ISO, MSI, RAR, RPM, TAR, XAR, ZIP |
| Compression Formats | BGZF, Brotli, Bzip2, Gzip, Kanzi, LZ4, Lzip, LZMA, LZFSE, LZNT1, LZO, LZVN, LZW, LZX, MinLZ, S2, Snappy, XZ, zlib, zstd |
| Cryptographic Hashes | BLAKE2S-256, BLAKE2B-256, BLAKE2B-384, BLAKE2B-512, BLAKE3-256, BLAKE3-512, GOST2012-256, GOST2012-512, HAS-160, LSH-256, LSH-512, MD2, MD4, MD5, MD6, RIPEMD-160, SHAKE128, SHAKE256, SHA1, SHA224, SHA256, SHA512, SHA3, SHA3-224, SHA3-256, SHA3-384, SHA3-512, Skein-224, Skein-256, Skein-384, Skein-512, SM3, Whirlpool |
| Performance Hashes | DJB2, FNV-1, FNV-1a, Murmur3, RapidHash, SipHash, XXH32, XXH64, XXH3 |
| Perceptual Hashes | Average, Difference, Median, PHash, WHash, MarrHildreth, BlockMean, PDQ, RASH |
| Similarity Hashes | ImpFuzzy, ImpHashO, ImpHashS, sdhash, SSDeep, TLSH |
| Windows Specific | LM, NT, PE |
| Unix Specific | BSD, ELF, SYSV |
| Checksums | Adler32, Fletcher4, Luhn, CRC16-CCITT, CRC32-C, CRC32-K, CRC32-IEEE, CRC64-ECMA, CRC64-ISO |
| Wordlists | English / German / French / Spanish Common Passwords, Most Common Passwords, Most Used Passwords, Default Passwords, Corporate Passwords, Production Passwords, Milw0rm Dictionary, Conficker Dictionary, Medical Devices, Seasons |
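The Go program below is an added example, not Fox's own code, of what "Lookup NTLM hashes using wordlists" does under the hood once the NT hashes have been extracted from NTDS.dit: an NT hash is MD4 over the UTF-16LE encoding of the password, so each wordlist entry is hashed once and matched against the dump, and the well-known hash of the empty string identifies accounts with no password. MD4 is implemented here because it is not in Go's standard library. The `user:nthash` entries, the wordlist and the function names are constructed for this illustration and are not Fox's output format.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
	"unicode/utf16"
)

// md4 implements RFC 1320 MD4 for this example (three rounds of 16 steps
// over 512-bit blocks, little-endian padding and output).
func md4(msg []byte) [16]byte {
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	buf := append([]byte{}, msg...) // copy so the caller's slice is untouched
	buf = append(buf, 0x80)
	for len(buf)%64 != 56 {
		buf = append(buf, 0)
	}
	var l [8]byte
	binary.LittleEndian.PutUint64(l[:], uint64(len(msg))*8)
	buf = append(buf, l[:]...)
	for off := 0; off < len(buf); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(buf[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		f := func(a, b, c, d uint32, k, s int) uint32 { // round 1: F = (b&c)|(^b&d)
			return bits.RotateLeft32(a+((b&c)|(^b&d))+x[k], s)
		}
		g := func(a, b, c, d uint32, k, s int) uint32 { // round 2: majority
			return bits.RotateLeft32(a+((b&c)|(b&d)|(c&d))+x[k]+0x5a827999, s)
		}
		h := func(a, b, c, d uint32, k, s int) uint32 { // round 3: parity
			return bits.RotateLeft32(a+(b^c^d)+x[k]+0x6ed9eba1, s)
		}
		for i := 0; i < 16; i += 4 {
			a = f(a, b, c, d, i, 3)
			d = f(d, a, b, c, i+1, 7)
			c = f(c, d, a, b, i+2, 11)
			b = f(b, c, d, a, i+3, 19)
		}
		for i := 0; i < 4; i++ {
			a = g(a, b, c, d, i, 3)
			d = g(d, a, b, c, i+4, 5)
			c = g(c, d, a, b, i+8, 9)
			b = g(b, c, d, a, i+12, 13)
		}
		for _, i := range [4]int{0, 2, 1, 3} { // word order 0,8,4,12, 2,10,6,14, 1,9,5,13, 3,11,7,15
			a = h(a, b, c, d, i, 3)
			d = h(d, a, b, c, i+8, 9)
			c = h(c, d, a, b, i+4, 11)
			b = h(b, c, d, a, i+12, 15)
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	var out [16]byte
	binary.LittleEndian.PutUint32(out[0:], a)
	binary.LittleEndian.PutUint32(out[4:], b)
	binary.LittleEndian.PutUint32(out[8:], c)
	binary.LittleEndian.PutUint32(out[12:], d)
	return out
}

// ntHash returns the lowercase hex NT hash: MD4(UTF-16LE(password)), unsalted.
func ntHash(password string) string {
	u := utf16.Encode([]rune(password))
	raw := make([]byte, 2*len(u))
	for i, v := range u {
		binary.LittleEndian.PutUint16(raw[2*i:], v)
	}
	sum := md4(raw)
	return hex.EncodeToString(sum[:])
}

// emptyNT is the NT hash of "": an account with no password set.
const emptyNT = "31d6cfe0d16ae931b73c59d7e0c089c0"

// lookupNT hashes the wordlist once (no salt, so one table serves every
// user) and returns user -> recovered password for each matching entry.
func lookupNT(entries map[string]string, wordlist []string) map[string]string {
	table := make(map[string]string, len(wordlist))
	for _, w := range wordlist {
		table[ntHash(w)] = w
	}
	found := make(map[string]string)
	for user, h := range entries {
		h = strings.ToLower(h)
		if h == emptyNT {
			found[user] = "<empty password>"
			continue
		}
		if w, ok := table[h]; ok {
			found[user] = w
		}
	}
	return found
}

func main() {
	// Constructed dump: alice uses "password", svc_backup has none, bob is unknown.
	entries := map[string]string{
		"alice":      "8846F7EAEE8FB117AD06BDD830B7586C",
		"svc_backup": emptyNT,
		"bob":        ntHash("correct horse battery staple"),
	}
	wordlist := []string{"letmein", "Winter2024!", "password", "admin"}
	for user, pw := range lookupNT(entries, wordlist) {
		fmt.Printf("%s: %s\n", user, pw)
	}
}
```

Because NT hashes are unsalted, hashing a 210,000-entry wordlist once and probing a map is all a lookup costs, whatever the number of accounts; the same property is why a match for one user also confirms every other user with the identical hash.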
To build the latest development version execute:

```sh
go build && fox --version
```

🦊 is released under the GPL-3.0. All code is entirely written by human authors.
