The modern forensic toolkit for the Go era.

Replace binwalk, file, ExifTool, and strings with a single, ultra-fast binary. Zero dependencies. AI-integrated.

$ go install github.com/supunhg/filo-go/cmd/filo@latest
filo — forensic shell
 
File Analysis: mystery.bin
 
Detected Format: elf
MIME Type: application/x-executable
Confidence: 98.0%
 
File Size: 2516582 bytes
SHA256: 9f86d08188188e23
Entropy: ███████████████████████████████████░░░░░ 7.18
 
Detection Evidence:
yaml_signatures (confidence: 98.0%)
YAML signature match: elf (ELF magic bytes)
 
CPU Architecture:
Arm AArch64 (64-bit, little-endian)
Format: ELF
 
Embedded Objects:
gzip at offset 18204 (80.0%)
jpeg at offset 40960 (80.0%)
 

One binary replaces your entire forensic stack

binwalk
file
ExifTool
strings
xxd
dd
foremost
YARA
Sigma
Core Capabilities

Everything you need. Nothing you don't.

filo-go combines a dozen forensic tools into one optimized binary. No more context-switching or dependency hell.

All-in-One Toolkit

Replaces binwalk, file, ExifTool, and strings with a single, fast, cross-platform binary. No more context-switching between tools.

Zero Dependencies

Built in Go. No Python, Perl, or C libraries required. Just a single ~5.7MB static binary that runs anywhere.

AI-Powered Analysis

Built-in MCP (Model Context Protocol) server enables AI-assisted forensic analysis via Claude Desktop and other AI tools.

Plugin System

Extend functionality with dynamic Go plugins. Write custom analyzers for your specific forensic needs without forking the project.

Deep Inspection

Entropy visualization, steganography detection, encryption detection, YARA rule matching, and multi-algorithm hashing.

Forensic Ready

Analyze PCAP network captures, Windows Registry hives, Windows Event Logs (EVTX), SQLite databases, and firmware images.

Why filo-go?

One tool to rule them all

See how filo-go stacks up against the legacy tools it replaces.

Feature        | binwalk  | file     | ExifTool     | filo-go
Language       | Python/C | C        | Perl         | ✅ Go
Dependencies   | Many     | libmagic | Perl modules | ✅ None
Cross-platform ⚠️ Partial
Single binary
JSON output ⚠️
MCP integration
Plugin system
Firmware extraction
Metadata extraction
YARA support
Performance    | Slow     | Fast     | Fast         | 🚀 Fastest
Speed Benchmarks

Up to 15,000× faster than binwalk

Optimized for modern multicore architectures. Process data at the speed of Go.

Benchmark               | filo-go | binwalk | Speedup
File Analysis (1MB)     | 1.07 ms | 644 ms  | 600x faster
Entropy Analysis (1MB)  | 595 µs  | 632 ms  | 1,061x faster
File Carving (10MB)     | 14.6 ms | 2.22 s  | 153x faster
Hash Computation (1MB)  | 885 µs  | 5.47 ms | 6.2x faster
String Extraction (1MB) | 633 ns  | 9.54 ms | 15,078x faster

[Bar chart: filo-go vs binwalk timings for File Analysis, Entropy, File Carving, Hash Computation and Strings]

Logarithmic scale · measured on Intel Xeon Platinum 8488C, Linux AMD64

Quick Start

Get started in seconds

Install from source, via go install, or download a pre-built binary.

Installation

$ git clone https://github.com/supunhg/filo-go.git
$ cd filo-go && go build -o filo ./cmd/filo/
$ go install github.com/supunhg/filo-go/cmd/filo@latest   # RECOMMENDED

Basic Usage

$ filo analyze mystery.bin     # Full file analysis with format detection
$ filo entropy firmware.bin    # Get entropy visualization
$ filo extract firmware.bin    # Extract embedded files
$ filo hex suspicious.exe      # View hex dump with colors
$ filo scan document.pdf       # Scan for known signatures
$ filo strings malware.bin     # Extract printable strings
$ filo hash important.doc      # Compute multiple hash algorithms
Commands Reference

Simple, intuitive. Powerful.

Every command follows a consistent pattern. No cryptic flags.

Core Analysis

$ filo analyze <file>             # Full file analysis with format detection
$ filo entropy <file>             # Visualize file entropy
$ filo hex <file>                 # Display hex dump with colors
$ filo scan <file>                # Scan for known signatures
$ filo search <file> <pattern>    # Search for text or hex patterns
$ filo hash <file>                # Compute multiple hash algorithms
$ filo strings <file>             # Extract printable strings

File Operations

$ filo extract <file>                        # Extract embedded files
$ filo dd <file> --offset 0 --length 1024    # Extract raw bytes (like dd)
$ filo carve <disk.img>                      # Carve files from disk images
$ filo repair <image.jpg>                    # Repair corrupted files

Metadata & Security

$ filo meta <photo.jpg>            # Extract EXIF/XMP/IPTC metadata
$ filo stego <image.png>           # Detect steganography
$ filo crypto <file>               # Detect encryption indicators
$ filo executable <program.exe>    # Analyze PE/ELF/Mach-O binaries

Forensic Analysis

$ filo firmware -x <rootfs.squashfs>    # Analyze/extract firmware images
$ filo pcap --streams <capture.pcap>    # Analyze network captures
$ filo evtx <system.evtx>               # Analyze Windows Event Logs
$ filo sqlite <browser.db>              # Analyze SQLite databases
$ filo registry <SAM>                   # Analyze Windows Registry hives
$ filo sigma <file>                     # Scan with Sigma rules

Batch & Integration

$ filo batch </path/to/samples/>    # Analyze directory of files
$ filo mcp                          # Start MCP server for AI-assisted analysis
$ filo plugins list                 # List installed plugins
$ filo formats list                 # List all supported file formats
AI Integration

Built-in MCP Server

Connect filo-go to Claude and other AI tools for AI-assisted forensic analysis.

Available MCP Tools

  • analyze: Analyze file format and security
  • hash: Compute cryptographic hashes
  • strings: Extract printable strings
  • crypto: Detect encryption indicators
  • stego: Detect steganography
  • metadata: Extract image metadata
  • container: Analyze archive contents
  • sqlite: Analyze SQLite databases
  • batch: Batch analyze directories

Claude Desktop Config

{
  "mcpServers": {
    "filo": {
      "command": "/path/to/filo",
      "args": ["mcp"]
    }
  }
}

Add this to your Claude Desktop configuration file to enable AI-assisted file analysis.

Extensible

Plugin System

filo-go supports dynamic Go plugins for custom analysis and detection without forking.

Installing Plugins

$ filo plugins load ./archive-bomb.so
$ filo plugins list

Writing Plugins

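package main

// The plugins package sits under internal/, which Go only lets code inside
// the filo-go module import, so build this file from within that module tree.
import "github.com/supunhg/filo-go/internal/plugins"

// ArchiveBombDetector is a minimal custom analyzer.
type ArchiveBombDetector struct{}

// Name returns the plugin's name.
func (d *ArchiveBombDetector) Name() string {
    return "archive-bomb"
}

// Analyze receives the file contents. This skeleton performs no checks and
// always reports low risk; the real detection logic belongs here.
func (d *ArchiveBombDetector) Analyze(data []byte) (*plugins.Result, error) {
    return &plugins.Result{
        Risk: plugins.RiskLow,
        Findings: []string{"File appears safe"},
    }, nil
}

// init registers the detector when the plugin is loaded.
func init() {
    plugins.Register(&ArchiveBombDetector{})
}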
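
The Analyze method above returns a fixed result. As an added example that is not filo-go's own code, here is one way the detection step itself could work for ZIP input: flag entries whose declared compression ratio is extreme, using only the standard library. The function names, thresholds and sample archives are assumptions constructed for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
)

// Hypothetical thresholds chosen for this example, not filo-go defaults.
const (
	maxRatio = 100     // declared uncompressed:compressed ratio per entry
	maxTotal = 1 << 30 // declared uncompressed bytes across the archive
)

// bombFindings reads only the ZIP central directory; nothing is decompressed.
func bombFindings(data []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err // not a parseable ZIP
	}
	var findings []string
	var total uint64
	for _, f := range zr.File {
		total += f.UncompressedSize64
		// Skip zero-length compressed entries: there is no ratio to compute.
		if c := f.CompressedSize64; c > 0 && f.UncompressedSize64/c > maxRatio {
			findings = append(findings,
				fmt.Sprintf("%s: declared ratio %d:1", f.Name, f.UncompressedSize64/c))
		}
	}
	if total > maxTotal {
		findings = append(findings, fmt.Sprintf("declared total %d bytes", total))
	}
	return findings, nil
}

// buildZip returns a constructed one-entry sample archive (Deflate).
func buildZip(name string, content []byte) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create(name) // errors ignored: writes go to an in-memory buffer
	w.Write(content)
	zw.Close()
	return buf.Bytes()
}

func main() {
	findings, err := bombFindings(buildZip("zeros.bin", make([]byte, 4<<20)))
	fmt.Println(findings, err)
}
```

The sizes checked here are the ones the archive declares, which a crafted file can misstate, and nested archives are not followed; a byte cap enforced while actually extracting is still needed.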
Supported Formats

Hundreds of file signatures

Deep inspection for archives, executables, documents, images, network captures, and firmware.

Archives

  • ZIP
  • 7z
  • RAR
  • TAR
  • GZIP
  • BZIP2
  • XZ

Executables

  • PE (Windows)
  • ELF (Linux)
  • Mach-O (macOS)

Documents

  • PDF
  • DOCX
  • XLSX
  • PPTX
  • OLE2

Images

  • JPEG
  • PNG
  • GIF
  • BMP
  • TIFF
  • WebP
  • ICO

Data

  • SQLite
  • Registry (REGF)
  • EVTX

Network

  • PCAP
  • PCAPNG

Firmware

  • SquashFS
  • CramFS
  • JFFS2
Architecture

Clean, modular design

Every component is independently testable and replaceable.

filo-go/
cmd/filo/
internal/analyzer/
internal/carver/
internal/cli/
internal/container/
internal/crypto/
internal/entropy/
internal/executable/
internal/export/
internal/firmware/
internal/formats/
internal/hashing/
internal/mcp/
internal/metadata/
internal/pcap/
internal/plugins/
internal/sqlite/
internal/stego/
internal/strings/
internal/yara/

Testing

$ go test ./...
$ go test ./internal/entropy/ -v
$ go test ./... -coverprofile=coverage.out

Contributing

  1. Fork the repository
  2. Create your feature branch
  3. Commit your changes
  4. Push to the branch
  5. Open a Pull Request

Ready to analyze faster?

One static binary. Zero dependencies. Install it and run your first analysis in under a minute.

$ go install github.com/supunhg/filo-go/cmd/filo@latest

Acknowledgments

binwalk, file / libmagic, ExifTool, YARA, Cobra, BoltDB