
cuhsat/fox




The Forensic Examiners Swiss Army Knife


Hunt

Abstract

Fox is a CLI tool built to support the examination of file-based forensic artifacts by providing the most useful features in a cross-platform standalone binary. As with any Swiss Army knife, there are many specialised power tools that offer more in-depth functionality, but sometimes all you need is a simple screwdriver.

Features

  • Restricted read-only access
  • Bidirectional character detection
  • String carving and automatic classification
  • With over 290 classes in Hashcat notation
  • Parse Fortinet binary firewall log files
  • Parse Active Directory and other EDB files
  • Parse Windows shortcut and prefetch files
  • Parse Linux ELF and Windows PE/COFF executables
  • Check IPs, URLs, domains and files via VirusTotal API
  • Check accounts for breaches via Have I Been Pwned API
  • Extract NTLM hashes from Active Directory databases
  • Integral grep, head, tail, uniq, wc, hexdump like abilities
  • Integral syntax highlighting for many different formats
  • Integral fast Shannon entropy calculation
  • Integral Chain-of-Custody receipt generation
  • Many popular archive and compression formats
  • Many popular cryptographic, image, fuzzy and fast hashes
  • With man pages for every command
  • Special Hunt command

Install

The fastest way to get started is to use the go install command:

go install github.com/cuhsat/fox/v4@latest

There are also standalone binaries available:

OS        Binaries    Packages
Linux     amd | arm   apk | deb | pkg | rpm
macOS     amd | arm   brew install cuhsat/fox/fox
Windows   amd | arm   Binaries are portable executables

Examples

Find occurrences in event logs:

fox -eWinlogon ./**/*.evtx

Show MBR in canonical hex:

fox hex -hc512 disk.dd

Show all strings in a binary:

fox str -w sample.exe

List only high entropy files:

fox stat -n0.8 ./**/*

Hash archive contents as MD5:

fox hash -Amd5 files.7z

Check a suspicious file by hash:

fox check sample.exe

Dump NTLM hashes from database:

fox dump system ntds.dit

Hunt down critical events:

fox hunt -u *.dd

Supports

File Formats

evtx, journal, json, jsonl, lnk, pf, ELF, ESE/EDB, PE/COFF

Archive Formats

7zip, ar, CAB, CPIO, ISO, MSI, RAR, RPM, tar, xar, ZIP

Compression Formats

BGZF, Brotli, bzip2, gzip, Kanzi, lz4, lzip, lzma, LZFSE, LZO, LZVN, LZW, LZX, MinLZ, S2, Snappy, xz, zlib, zstd

Cryptographic Hashes

BLAKE2S-256, BLAKE2B-256, BLAKE2B-384, BLAKE2B-512, BLAKE3-256, BLAKE3-512, GOST2012-256, GOST2012-512, HAS-160, LSH-256, LSH-512, MD2, MD4, MD5, MD6, RIPEMD-160, SHAKE128, SHAKE256, SHA1, SHA224, SHA256, SHA512, SHA3, SHA3-224, SHA3-256, SHA3-384, SHA3-512, Skein-224, Skein-256, Skein-384, Skein-512, SM3, Whirlpool

Performance Hashes

FNV-1, FNV-1a, Murmur3, RapidHash, SipHash, XXH32, XXH64, XXH3

Perceptual Hashes

Average, Difference, Median, PHash, WHash, MarrHildreth, BlockMean, PDQ, RASH

Similarity Hashes

ImpFuzzy, ImpHash, ImpHash0, SSDeep, TLSH

Windows Algorithms

LM, NT, PE Checksum

Checksums

Adler32, Fletcher4, CRC16-CCITT, CRC32-C, CRC32-IEEE, CRC64-ECMA, CRC64-ISO


🦊 is released under the GPL-3.0