The Forensic Examiners Swiss Army Knife


Synopsis

Fox is a CLI tool built to support the examination of file-based forensic artifacts by providing the most useful features in a cross-platform standalone binary. All files are processed read-only. A Chain-of-Custody receipt is generated for every output.

Features

  • Restricted read-only access
  • Bidirectional character detection
  • String carving and automatic classification, with over 290 classes in Hashcat notation
  • Dump Fortinet binary firewall log files
  • Dump Active Directory and other EDB files
  • Dump Windows shortcut and prefetch files
  • Dump Linux ELF and Windows PE/COFF executables
  • Check IPs, URLs, domains and files via VirusTotal
  • Extract NTLM hashes from Active Directory databases
  • Built-in MCP streaming server for AI agents
  • Built-in grep, head, tail, uniq, wc and hexdump-like abilities
  • Built-in syntax highlighting for many different formats
  • Built-in fast Shannon entropy calculation
  • Built-in Chain-of-Custody receipt generation
  • Support for many popular archive and compression formats
  • Support for many popular cryptographic, fuzzy, fast and image hashes
  • Man pages for every mode
  • Special Hunt mode
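The "Bidirectional character detection" feature above refers to Unicode direction-control code points (for example U+202E RIGHT-TO-LEFT OVERRIDE) that make a file name render differently from how it is stored, so an examiner sees one extension while the OS uses another. The following Go program is an added example of such a check and is not code from the fox project; the list of control code points, the `Finding` type and the `\u{XXXX}` escape format are choices made here, and the sample file name is constructed.

```go
package main

import (
	"fmt"
	"os"
)

// bidiControls maps the Unicode bidirectional control code points that can
// reorder or hide parts of a displayed name to their Unicode names.
var bidiControls = map[rune]string{
	'\u200E': "LEFT-TO-RIGHT MARK",
	'\u200F': "RIGHT-TO-LEFT MARK",
	'\u202A': "LEFT-TO-RIGHT EMBEDDING",
	'\u202B': "RIGHT-TO-LEFT EMBEDDING",
	'\u202C': "POP DIRECTIONAL FORMATTING",
	'\u202D': "LEFT-TO-RIGHT OVERRIDE",
	'\u202E': "RIGHT-TO-LEFT OVERRIDE",
	'\u2066': "LEFT-TO-RIGHT ISOLATE",
	'\u2067': "RIGHT-TO-LEFT ISOLATE",
	'\u2068': "FIRST STRONG ISOLATE",
	'\u2069': "POP DIRECTIONAL ISOLATE",
}

// Finding records one control character: its byte offset in the UTF-8
// string, the rune itself and its Unicode name.
type Finding struct {
	Offset int
	Rune   rune
	Name   string
}

// FindBidiControls returns every bidirectional control character in s, in
// order of appearance. An empty result means the name renders as stored.
func FindBidiControls(s string) []Finding {
	var out []Finding
	for i, r := range s {
		if name, ok := bidiControls[r]; ok {
			out = append(out, Finding{Offset: i, Rune: r, Name: name})
		}
	}
	return out
}

// Escape rewrites each control character as a visible \u{XXXX} token so the
// name can be printed in a report without the terminal reordering it.
func Escape(s string) string {
	out := make([]rune, 0, len(s))
	for _, r := range s {
		if _, ok := bidiControls[r]; ok {
			out = append(out, []rune(fmt.Sprintf("\\u{%04X}", r))...)
			continue
		}
		out = append(out, r)
	}
	return string(out)
}

func main() {
	// Constructed sample: stored as "invoice<RLO>fdp.exe", displayed as
	// "invoiceexe.pdf" by a bidi-aware renderer.
	names := []string{"invoice\u202Efdp.exe", "report.pdf"}
	if len(os.Args) > 1 {
		names = os.Args[1:]
	}
	for _, n := range names {
		for _, f := range FindBidiControls(n) {
			fmt.Printf("%s: %s (U+%04X) at byte offset %d\n", Escape(n), f.Name, f.Rune, f.Offset)
		}
	}
}
```

Running the program on directory listings or on a list of names extracted from an archive flags every entry that contains a direction control; the escaped form is what belongs in the report, since pasting the raw name would reproduce the disguise.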

Install

The fastest way to get started is to use the go install command:

go install github.com/cuhsat/fox/v4@latest

There are also standalone binaries available:

OS        Binaries    Packages
Linux     amd | arm   apk | deb | pkg | rpm
macOS     amd | arm   brew install cuhsat/fox/fox
Windows   amd | arm   Binaries are Portable Executables

Examples

Find occurrences of a string in event logs:

fox -eWinlogon ./**/*.evtx

Show the MBR in canonical hex:

fox hex -hc512 disk.dd

Show strings in a binary:

fox text -w ioc.exe

Hash archive contents:

fox hash -Amd5 files.7z

List high entropy files:

fox stat -n0.9 ./**/*
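To make the threshold in the example above concrete, here is an added Go program that computes byte-level Shannon entropy and normalizes it to the 0..1 range; it is example code written for this page, not the entropy routine from fox, and it assumes that `-n0.9` means "normalized entropy of at least 0.9" (the exact scale used by `fox stat` is not stated here). The sample inputs are constructed.

```go
package main

import (
	"fmt"
	"math"
	"os"
)

// ShannonEntropy returns the Shannon entropy of data in bits per byte,
// from 0 (a single repeated byte value) to 8 (all 256 values equally likely).
func ShannonEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n := float64(len(data))
	h := 0.0
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// NormalizedEntropy scales ShannonEntropy into 0..1 by dividing by the
// 8-bit maximum. Treating this as the scale behind "-n0.9" is an assumption.
func NormalizedEntropy(data []byte) float64 {
	return ShannonEntropy(data) / 8
}

// IsHighEntropy reports whether data meets the normalized threshold.
// Compressed, encrypted and packed content usually scores above 0.9, while
// text and most structured formats score well below it, so a hit is a triage
// hint that the file deserves a closer look, not proof of anything by itself.
func IsHighEntropy(data []byte, threshold float64) bool {
	return NormalizedEntropy(data) >= threshold
}

// FileEntropy reads a file (read-only) and returns its normalized entropy.
func FileEntropy(path string) (float64, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return 0, err
	}
	return NormalizedEntropy(data), nil
}

func main() {
	// Usage: go run entropy.go FILE...   (file name chosen for this example)
	const threshold = 0.9
	for _, path := range os.Args[1:] {
		e, err := FileEntropy(path)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			continue
		}
		mark := ""
		if e >= threshold {
			mark = "  HIGH"
		}
		fmt.Printf("%.3f  %s%s\n", e, path, mark)
	}
}
```

Note that entropy is computed over the whole file: a small encrypted payload appended to a large plain-text file can stay below the threshold, which is one reason to combine the entropy listing with the hashing and classification modes rather than rely on it alone.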

Dump NTLM hashes:

fox dump system ntds.dit

Test a suspicious file:

fox test ioc.exe

Hunt down suspicious events:

fox hunt -u *.dd

Supports

File Formats

evtx, journal, json, jsonl, lnk, pf, ELF, ESE/EDB, PE/COFF

Archive Formats

7zip, ar, CAB, CPIO, ISO, MSI, RAR, RPM, tar, xar, ZIP

Compression Formats

Brotli, bzip2, gzip, Kanzi, lz4, lzip, lzma, LZFSE, LZO, LZVN, LZW, LZX, MinLZ, S2, Snappy, xz, zlib, zstd

Cryptographic Hashes

BLAKE2S-256, BLAKE2B-256, BLAKE2B-384, BLAKE2B-512, BLAKE3-256, BLAKE3-512, GOST2012-256, GOST2012-512, HAS-160, LSH-256, LSH-512, MD2, MD4, MD5, MD6, RIPEMD-160, SHAKE128, SHAKE256, SHA1, SHA224, SHA256, SHA512, SHA3, SHA3-224, SHA3-256, SHA3-384, SHA3-512, Skein-224, Skein-256, Skein-384, Skein-512, SM3, Whirlpool

Performance Hashes

FNV-1, FNV-1a, Murmur3, RapidHash, SipHash, XXH32, XXH64, XXH3

Similarity Hashes

ImpFuzzy, ImpHash, ImpHash0, SSDeep, TLSH

Windows Specific

LM, NT, PE Checksum

Image Specific

aHash, dHash, pHash

Checksums

Adler32, Fletcher4, CRC16-CCITT, CRC32-C, CRC32-IEEE, CRC64-ECMA, CRC64-ISO


🦊 is released under the GPL-3.0