Get it on Linux
go install github.com/cuhsat/fox/v4@latestGet it on macOS
brew install cuhsat/fox/fox- Restricted read-only access
- Bidirectional character detection
- Fast Shannon entropy calculation
- String carving and automatic classification
- With over 290 classes in Hashcat notation
- Dump Active Directory and other EDB files
- Dump Windows shortcut and prefetch files
- Dump Linux ELF and Windows PE/COFF executables
- Check IPs, URLs, Domains and files via the VirusTotal API
- Extract NTLM hashes from Active Directory databases
- Integral
grep,head,tail,uniq,wc,hexdumplike abilities - Integral syntax highlighting for many different formats
- Integral Chain-of-Custody receipt generation
- Many popular archive and compression formats
- Many popular cryptographic, fuzzy, image and fast hashes
- Complete with man pages for every mode
- Special Hunt mode
- Built-in support for EnCase EWF, VHDX, VMDK and raw disks
- Built-in log carving of Linux Journals and Windows Event Logs
- Built-in super timeline in Common Event Format
- Built-in translation of over 51600 event ids
- Built-in warning of critical system events
- Filter events with Sigma Rules syntax
- Filter anomalies using Levenshtein distance
- Stream in Splunk HEC and Elastic ECS format
- Save as
JSON,JSON Lines,ParquetorSQLite3
Find occurrences in event logs:
fox -eWinlogon ./**/*.evtxShow MBR in canonical hex:
fox hex -hc512 disk.ddShow strings in binary:
fox text -w ioc.exeHash archive contents:
fox hash -Amd5 files.7zList high entropy files:
fox list -n0.9 ./**/*Dump NTLM hashes:
fox dump system ntds.ditTest a suspicious file:
fox test ioc.exeHunt down suspicious events:
fox hunt -sv ./**/*.ddFile Formats
evtx, journal, json, jsonl, lnk, pf, ELF, ESE/EDB, PE/COFF
Disk Formats
dd/raw, EWF-E01, EWF-S01, VHD, VHDX, VMDK
Archive Formats
7zip, ar, CAB, CPIO, ISO, RAR, RPM, tar, xar, ZIP
Compression Formats
Brotli, bzip2, gzip, Kanzi, lz4, lzip, lzma, LZFSE, LZO, LZVN, LZW, LZX, MinLZ, S2, Snappy, xz, zlib, zstd
Cryptographic Hashes
BLAKE2S-256, BLAKE2B-256, BLAKE2B-384, BLAKE2B-512, BLAKE3-256, BLAKE3-512, HAS-160, LSH-256, LSH-512, MD2, MD4, MD5, MD6, RIPEMD-160, SHAKE128, SHAKE256, SHA1, SHA224, SHA256, SHA512, SHA3, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SM3, Whirlpool
Performance Hashes
FNV-1, FNV-1a, Murmur3, SipHash, XXH32, XXH64, XXH3
Similarity Hashes
ImpHash, ImpHash0, SSDeep, TLSH
Windows Specific
LM, NT, PE Checksum
Image Specific
aHash, dHash, pHash
Checksums
Adler32, Fletcher4, CRC32-C, CRC32-IEEE, CRC64-ECMA, CRC64-ISO
Disclaimer: This code was developed without the use of AI tooling and therefor does not contain any AI generated code, test nor documentation. Furthermore, this code does not contain, employ or utilize AI tools in any other form. All data processed will not be shared with third parties.
![@dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=64&v=4){kind=small}