fox

The Forensic Examiners Swiss Army Knife.

Installation
Run this command in your terminal to add the MCP server to Claude Code.
claude mcp add --transport stdio cuhsat-fox npx -y github.com/cuhsat/fox/v4 \
  --env FOX_HOME="path to fox data directory (optional)"

How to use

Fox is a cross-platform forensic command-line tool packaged as a standalone binary, designed to support the examination process of file-based artifacts. It functions as an MCP streaming server for AI agents, enabling integration with automated analysis pipelines. The tool provides a wide range of capabilities, including hash extraction, archive handling, entropy calculations, format recognition, and built-in log/event parsing in its Hunt mode. It also includes a rich set of parsing capabilities for ELF and PE/COFF executables, NTLM hash extraction from AD databases, and various integrity features such as chain-of-custody receipts. Use the MCP interface to stream data to AI agents for classification, anomaly detection, or triage, while maintaining read-only access guarantees.

To use Fox, install the binary (prebuilt or via go install) and run the appropriate subcommands to process artifacts, search for indicators, or perform the built-in Hunt workflow. Fox exposes commands for text extraction, hex dumping, hash computations, search across artifacts, and event-log parsing. In Hunt mode, it can carve logs from Linux journals and Windows event logs, generate a timeline in a common event format, translate event IDs, apply Sigma rules for filtering, and stream results to targets that understand MCP payloads.

How to install

Prerequisites:

  • A supported operating system (Linux, macOS, Windows) with a compatible architecture.
  • Optional: Go toolchain if you prefer building from source. You can also download prebuilt binaries from the project releases.

Installation steps:

  1. Install the latest Fox binary via Go (preferred for source-based install): go install github.com/cuhsat/fox/v4@latest

    This will place the fox binary in your Go bin directory (e.g., $GOPATH/bin or $HOME/go/bin).

  2. Alternatively, download a prebuilt binary for your OS from the GitHub releases page and add it to your PATH:

    • Linux: download fox_linux_amd64.tar.gz or fox_linux_arm64.tar.gz, extract, and move the fox binary to /usr/local/bin.
    • macOS: download fox_darwin_amd64.tar.gz or fox_darwin_arm64.tar.gz, extract, and move the fox binary to /usr/local/bin.
    • Windows: download fox_windows_amd64.zip or fox_windows_arm64.zip, extract, and add the location to your PATH.
  3. Verify installation: fox --version

Notes:

  • The project also provides a containerized option if you prefer Docker-based deployment, though Docker-specific instructions are not shown in the README.
  • If you build from source, ensure you have a Go toolchain installed (Go 1.20+ recommended).

Additional notes

Tips and common issues:

  • Fox is designed to be read-only to preserve chain-of-custody; ensure your input data is mounted as read-only where possible when used in sensitive environments.
  • It supports a wide range of formats for both artifacts and outputs (JSON, JSONL, Parquet, SQLite).
  • For MCP-based workflows, pair Fox with AI agents that can consume the MCP stream, enabling automated classification, anomaly detection, and evidence triage.
  • If you encounter permission errors on Linux/macOS when writing output, verify directory permissions and consider running with appropriate user privileges.
  • While Fox includes many capabilities (hashing, entropy, log parsing, event translation, Sigma filter support, etc.), ensure you’re using the correct subcommands for your artifact type and desired output format.
  • Check the provided man pages in assets/man for detailed usage per mode (fox-hunt.md for Hunt mode, etc.).
