foxforensics/fox

GitHub: foxforensics/fox

Stars: 1 | Forks: 0



The Forensic Examiners Swiss Army Knife

[![Report](https://goreportcard.com/badge/github.com/foxforensics/fox/v4?style=for-the-badge)](https://goreportcard.com/report/github.com/foxforensics/fox/v4) [![Build](https://img.shields.io/github/actions/workflow/status/foxforensics/fox/tests.yaml?style=for-the-badge&label=build)](https://github.com/foxforensics/fox/actions) [![Release](https://img.shields.io/github/release/foxforensics/fox.svg?style=for-the-badge&label=release)](https://github.com/foxforensics/fox/releases)
![Terminal](https://static.pigsec.cn/wp-content/uploads/repos/2026/05/eebf53b799173302.png)

## Abstract

## Features

* [x] Restricted read-only access
* [x] [Bidirectional character](https://nvd.nist.gov/vuln/detail/CVE-2021-42574) detection
* [x] String carving and automatic classification
* [x] With 290+ classes in [Hashcat](https://hashcat.net/wiki/doku.php?id=example_hashes) notation
* [x] Parse Fortinet binary firewall logs
* [x] Parse Active Directory and other [EDB](https://learn.microsoft.com/en-us/windows/win32/extensible-storage-engine/extensible-storage-engine) files
* [x] Parse [NTFS MFT](https://ntfs.com/ntfs-mft.htm), Shortcut and Prefetch files
* [x] Parse [Linux ELF](https://refspecs.linuxfoundation.org/elf/elf.pdf) and [Windows PE/COFF](https://learn.microsoft.com/en-us/windows/win32/debug/pe-format) executables
* [x] Extract [Active Directory](https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/ntlm-user-authentication) hashes, users, groups, computers
* [x] Lookup NTLM hashes using a 210000+ entry rainbow table
* [x] Lookup URLs, IPs, domains and files via the [VirusTotal API](https://www.virustotal.com/)
* [x] Integral `grep`-, `head`-, `tail`-, `uniq`-, `wc`- and `hexdump`-like abilities
* [x] Integral syntax highlighting for many different formats
* [x] Integral fast [Shannon entropy](https://en.wikipedia.org/wiki/Entropy_(information_theory)) calculation
* [x] Integral *Chain-of-Custody* receipt generation
* [x] Support for path globbing and file streams
* [x] Support for encrypted `7z`, `Rar`, `Zip` archives
* [x] Many popular archive and compression formats
* [x] Many popular cryptographic, image, fuzzy and fast hashes
* [x] With [man pages](assets/man) for every command
* [x] Advanced [Hunt](assets/man/fox-hunt.md) command
* [x] Built-in log carving of [Linux Journals](https://systemd.io/JOURNAL_FILE_FORMAT/) and [Windows Event Logs](https://learn.microsoft.com/en-us/windows/win32/eventlog/event-log-file-format)
* [x] Built-in super timeline in [Common Event Format](https://www.microfocus.com/documentation/arcsight/arcsight-smartconnectors-8.3/cef-implementation-standard/Content/CEF/Chapter%201%20What%20is%20CEF.htm)
* [x] Built-in translation of 51600+ event ids
* [x] Built-in warning of critical system events
* [x] Filter events with [Sigma Rules](https://sigmahq.io/) syntax
* [x] Filter anomalies using [Levenshtein distance](https://en.wikipedia.org/wiki/Levenshtein_distance)
* [x] Stream events in [Splunk](https://help.splunk.com/en/splunk-enterprise/leverage-rest-apis/rest-api-reference/10.0/input-endpoints/input-endpoint-descriptions) or [Elastic](https://www.elastic.co/docs/reference/ecs) format
* [x] Stream events using HTTPS or MQTT protocol
* [x] Save as `JSON`, `JSON Lines`, `Parquet` or `SQLite`

## Install

Install directly via the `go install` command:

```sh
go install go.foxforensics.dev/fox/v4@latest
```

Standalone binaries and packages are available for:

| OS | Binaries | Packages |
|:-------:|:---|:---|
| Linux | [amd](https://foxforensics.dev/fox/releases/latest/download/fox_linux_amd64.tar.gz) \| [arm](https://foxforensics.dev/fox/releases/latest/download/fox_linux_arm64.tar.gz) | [apk](https://foxforensics.dev/fox/releases/latest/download/fox_linux_amd64.apk) \| [deb](https://foxforensics.dev/fox/releases/latest/download/fox_linux_amd64.deb) \| [pkg](https://foxforensics.dev/fox/releases/latest/download/fox_linux_amd64.pkg.tar.zst) \| [rpm](https://foxforensics.dev/fox/releases/latest/download/fox_linux_amd64.rpm) |
| macOS | [amd](https://foxforensics.dev/fox/releases/latest/download/fox_darwin_amd64.tar.gz) \| [arm](https://foxforensics.dev/fox/releases/latest/download/fox_darwin_arm64.tar.gz) | `brew install foxforensics/fox/fox` |
| Windows | [amd](https://foxforensics.dev/fox/releases/latest/download/fox_windows_amd64.zip) \| [arm](https://foxforensics.dev/fox/releases/latest/download/fox_windows_arm64.zip) | Binaries are UPX compressed |

## Examples

Find occurrences in event logs:

```sh
fox -eWinlogon ./**/*.evtx
```

Show MBR in canonical hex:

```sh
fox -hc512 disk.dd
```

Show NTLM password hashes:

Show all strings in a binary:

```sh
fox str -w sample.exe
```

List only high entropy files:

```sh
fox info -n6.0 ./**/*
```

Hash archive contents as MD5:

```sh
fox hash -Amd5 files.7z
```

Hunt down critical events:

```sh
fox hunt -u *.dd
```

## Capabilities

* Log Formats
* Binary Formats
* Archive Formats
* Compression Formats
* Cryptographic Hashes
* Performance Hashes
* Perceptual Hashes
* Similarity Hashes
* Windows Hashes
* Checksums
* Wordlists

🦊 is released under the [GPL-3.0](LICENSE.md). All code is entirely written by human authors.
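Two of the features listed above, Shannon entropy scoring (the basis of `fox info -n6.0`, which keeps only high-entropy files) and detection of the bidirectional control characters behind Trojan Source (CVE-2021-42574), are simple enough to show end to end. The Go program below is an added example written for this page; it is not fox's own code and uses none of its packages. It assumes that entropy is reported in bits per byte on the 0 to 8 scale and that `-n6.0` means a minimum of 6.0 (an interpretation of the example above, not a documented flag semantics). The inputs are constructed: a run of one byte value, a 4 KiB buffer from a fixed-seed PRNG standing in for a packed or encrypted blob, and a short Trojan Source style snippet.

```go
package main

import (
	"bytes"
	"fmt"
	"math"
	"math/rand"
	"unicode/utf8"
)

// ShannonEntropy returns the byte-level Shannon entropy of data in bits per
// byte: 0.0 for empty or single-valued input, approaching 8.0 for data spread
// uniformly over all 256 byte values (compressed, encrypted or packed content).
func ShannonEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n := float64(len(data))
	h := 0.0
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// HighEntropy is the kind of filter "fox info -n6.0" applies. The threshold
// semantics (inclusive minimum, bits per byte) are an assumption of this example.
func HighEntropy(data []byte, minBitsPerByte float64) bool {
	return ShannonEntropy(data) >= minBitsPerByte
}

// bidiControls are the Unicode bidirectional formatting characters abused by
// Trojan Source (CVE-2021-42574): embeddings, overrides, isolates and terminators.
var bidiControls = map[rune]string{
	0x202A: "LRE", 0x202B: "RLE", 0x202C: "PDF", 0x202D: "LRO", 0x202E: "RLO",
	0x2066: "LRI", 0x2067: "RLI", 0x2068: "FSI", 0x2069: "PDI",
}

// BidiHit is one bidi control character located by FindBidi.
type BidiHit struct {
	Line int    // 1-based line number
	Col  int    // 1-based column, counted in runes
	Name string // Unicode short name, e.g. "RLO"
}

// FindBidi scans text rune by rune and reports every bidi control character.
// Invalid UTF-8 is stepped over one byte at a time instead of aborting, so a
// file that is only partly text still gets scanned.
func FindBidi(text []byte) []BidiHit {
	var hits []BidiHit
	line, col := 1, 0
	for len(text) > 0 {
		r, size := utf8.DecodeRune(text)
		text = text[size:]
		if r == '\n' {
			line++
			col = 0
			continue
		}
		col++
		if name, ok := bidiControls[r]; ok {
			hits = append(hits, BidiHit{Line: line, Col: col, Name: name})
		}
	}
	return hits
}

// Constructed inputs. The PRNG seed is fixed so the run is reproducible offline.
func SampleLowEntropy() []byte { return bytes.Repeat([]byte{'A'}, 1024) }

func SampleHighEntropy() []byte {
	rng := rand.New(rand.NewSource(1))
	buf := make([]byte, 4096)
	for i := range buf {
		buf[i] = byte(rng.Intn(256))
	}
	return buf
}

// TrojanSample is a constructed Trojan Source style snippet: the RLO is meant to
// make the string literal look closed before a "comment" when rendered, while a
// parser sees the comment text inside the string.
const TrojanSample = "access_level = \"user\"\n" +
	"if access_level != \"user\u202E \u2066# Check if admin\u2069 \u2066\":\n" +
	"    print(\"You are an admin.\")\n"

func main() {
	for name, data := range map[string][]byte{"low": SampleLowEntropy(), "high": SampleHighEntropy()} {
		fmt.Printf("%-4s entropy=%.3f bits/byte high=%v\n", name, ShannonEntropy(data), HighEntropy(data, 6.0))
	}
	for _, h := range FindBidi([]byte(TrojanSample)) {
		fmt.Printf("bidi control %s at line %d col %d\n", h.Name, h.Line, h.Col)
	}
}
```

Run it with `go run main.go`. Two caveats worth carrying into real triage: byte-level entropy is biased low for small inputs (a few hundred bytes rarely reach the ceiling even when random), so a fixed threshold such as 6.0 is most meaningful on files of a few kilobytes or more; and a bidi hit is a signal, not a verdict, since right-to-left text legitimately uses these characters, so the position reported here is what lets an examiner look at the surrounding bytes before deciding.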
Tags: EVTX analysis