Fox Forensics

Advancing digital forensics through open-source tooling. Reliable tools for forensic examiners and incident responders.

30+ Repositories | 100% Open Source | EU, Germany

Fox

Fox is a versatile command-line tool built to support the examination of file-based forensic evidence. It provides a wide spectrum of forensic capabilities in a cross-platform standalone binary.

Restricted read-only access
Chain of Custody receipt generation
Carve strings with 290+ classifications
Extract Active Directory password hashes
Parse EVTX, ESE, PE and many more files
Hunt over 51600+ different system events
Stream events to Elastic and Splunk servers

Supported Formats

AD Records: NTLM, Users, Computers
Log Formats: EVTX, Journal, Fortigate
Binary Formats: PE / COFF, ELF, ESE / EDB, LNK, PF
Archive Formats: 7-Zip, AR, CAB, CFB, CPIO, ISO, MSI, RAR, RPM, TAR, XAR, ZIP
Compression Formats: BGZF, Brotli, Bzip2, Gzip, Kanzi, LZ4, Lzip, LZMA, LZFSE, LZNT1, LZO, LZVN, LZW, LZX, MinLZ, S2, Snappy, XZ, zlib, zstd

Supported Hashes

Cryptographic Hashes: BLAKE2S-256, BLAKE2B-256, BLAKE2B-384, BLAKE2B-512, BLAKE3-256, BLAKE3-512, GOST2012-256, GOST2012-512, HAS-160, LSH-256, LSH-512, MD2, MD4, MD5, MD6, RIPEMD-160, SHAKE128, SHAKE256, SHA1, SHA224, SHA256, SHA512, SHA3, SHA3-224, SHA3-256, SHA3-384, SHA3-512, Skein-224, Skein-256, Skein-384, Skein-512, SM3, Whirlpool
Performance Hashes: DJB2, FNV-1, FNV-1a, Murmur3, RapidHash, SipHash, XXH32, XXH64, XXH3
Perceptual Hashes: Average, Difference, Median, PHash, WHash, MarrHildreth, BlockMean, PDQ, RASH
Similarity Hashes: ImpFuzzy, ImpHash, ImpHash0, SSDeep, TLSH
Windows Hashes: PE, LM, NT
Checksums: Adler32, Fletcher4, CRC16-CCITT, CRC32-C, CRC32-IEEE, CRC64-ECMA, CRC64-ISO

Quick Install

Via Go

go install go.foxforensics.dev/fox/v4@latest

Via Homebrew

brew install foxforensics/fox/fox

Example Usage

# Find occurrences in event logs
fox -eWinlogon ./**/*.evtx

# Dump NTLM password hashes
fox ad -H ntds.dit system

# Hunt down critical events
fox hunt -u *.dd

Additional Tools

Specialized tools for basic forensic tasks.

hashdump

Dump Active Directory password hashes.

hasher

Hash files using many algorithms.

rhash

Reverse lookup hash algorithms.

bootkey

Extract the bootkey from the system hive.

checker

Check resources for malevolence.

eventid

Lookup Windows event log messages.

entropy

Calculate entropy of files and paths.

strings

Carve Unicode and ASCII strings from files.

discolor

Remove ANSI color escape sequences.

wordlist

Unique wordlist from different sources.

corpus

A corpus of various file formats for testing.

Libraries

About artifacts, compression and more...

Legacy Tools

The Forensic Artifacts Collecting Toolkit.

fmount

Mount disk images for forensic processing.

ffind

Find forensic artifacts on the system.

flog

Log forensic artifacts as ECS.

Experimental Tools

Cutting-edge tools not meant for production use.

xr

Fast event record analyzer.

About Fox Forensics

Fox Forensics is dedicated to advancing digital forensics through open-source tooling. Based in Germany, we build reliable utilities for forensic examiners and incident responders.

Our tools are designed with forensic integrity in mind: non-destructive analysis, chain of custody preservation, and reproducible results.

Non-destructive, Preserving, Reproducible