LockKnife
LockKnife: The Ultimate Android Security Research Tool. A unified TUI workspace and headless CLI for deep Android security research, built for researchers and hackers. Powered by Python orchestration and a Rust-accelerated core, enabling AI agent–driven hacking, credential recovery/cracking, APK analysis, intelligence gathering, and runtime inspection.
LockKnife
The Ultimate Android Security Research Tool
Unified Android Security Research Platform
⚛ Python First ⚛ Rust Accelerated ⚛
Forensics, Analysis, Recovery, Runtime, and Intelligence in One Framework
LockKnife is a unified Android security research and forensic investigation toolkit built with Python orchestration and a Rust-accelerated core. It provides a case-driven TUI workspace alongside a powerful headless CLI, enabling investigators and researchers to perform extraction, credential recovery, artifact analysis, runtime instrumentation, and reporting from a single modular framework.
The platform integrates advanced capabilities including AI-assisted analysis, cryptocurrency wallet forensics, threat intelligence enrichment, APK inspection, runtime instrumentation, and multi-device investigation workflows. LockKnife supports modern Android ecosystems, including passkey artifacts (Android 14+), Private Space analysis (Android 15+), and evolving device security models.
With a growing ecosystem of specialized modules covering device forensics, credential recovery, APK analysis, runtime inspection, network analysis, and security auditing, LockKnife enables security researchers to orchestrate complex Android investigations and generate professional forensic reports within one unified research environment.
Connect your device and begin advanced Android security research.
Website: https://lockknife.vercel.app
New Era: Python + Rust Rewrite (v1.x)
- Python orchestrates CLI, device I/O, modules, reporting, and integrations.
- Rust powers performance-critical primitives (hashing/crypto, bruteforce, bulk parsing).
- The legacy Bash-only edition ended at v0.4.x (see [CHANGELOG.md]).
Installation
Curl (macOS, Linux, Windows)
curl -fsSL https://lockknife.vercel.app/install | bash
Homebrew (macOS)
brew install ImKKingshuk/tap/lockknife
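The curl command above pipes a remote script straight into bash, so whatever the server returns at that moment runs unreviewed on the investigation workstation. An added example (not part of the LockKnife README or project) that downloads the installer to disk and runs it only when its SHA-256 matches a digest the operator recorded after reviewing the script; the function names and the pinning workflow are assumptions, and the page publishes no official checksum.

```shell
#!/usr/bin/env bash
# Added example: pin-and-verify wrapper for a piped installer.
# Function names and the pinning workflow are assumptions, not LockKnife features.

INSTALL_URL="https://lockknife.vercel.app/install"   # URL from the install command above

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 only when the file's digest equals the pinned digest.
# Case-insensitive compare; an empty or malformed pin never matches (returns 2).
verify_installer() {
    local file="$1" pinned actual
    pinned="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
    case "$pinned" in
        *[!0-9a-f]*|"") return 2 ;;
    esac
    [ "${#pinned}" -eq 64 ] || return 2
    [ -f "$file" ] || return 3
    actual="$(file_sha256 "$file")"
    [ "$actual" = "$pinned" ]
}

# Download to disk, verify against the pin, and only then execute.
# With no pin yet, print the digest so the operator can review the script and record it.
install_pinned() {
    local pin="$1" tmp
    tmp="$(mktemp)" || return 1
    curl -fsSL "$INSTALL_URL" -o "$tmp" || { rm -f "$tmp"; return 1; }
    if [ -z "$pin" ]; then
        echo "No pin supplied. Review $tmp, then re-run with: $(file_sha256 "$tmp")"
        return 4
    fi
    if verify_installer "$tmp" "$pin"; then
        bash "$tmp"
    else
        echo "Digest mismatch for $INSTALL_URL; not executing $tmp" >&2
        return 5
    fi
}
```

Source the file, call `install_pinned` with no argument to fetch the script and print its digest for review, then call it again with the recorded digest to install.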
Quick Start
TUI (Default)
lockknife
CLI (Headless)
lockknife --cli
OR
lockknife --headless
Old Classic Interactive Mode
lockknife interactive
Product Priority
- TUI is the main product and default experience. Use `lockknife` for day-to-day investigations, case-driven workflows, result review, and operator-guided execution.
- Headless CLI is the secondary surface. Use `lockknife --cli ...` or `lockknife --headless` for quick one-off tasks, scripting, CI, and remote/headless environments.
- Classic interactive mode is legacy convenience. Use `lockknife interactive` only when you specifically want the older menu flow.
TUI (Default)
Keybindings
| Action | Keys |
|--------|------|
| Quit | q |
| Navigate panels | Tab |
| Move selection | Arrow keys |
| Open action menu | Enter |
| Search modules/output | / |
| Help | ? |
| Theme cycle | t |
| Config editor | c |
| Export last result | e |
| Result viewer | v |
| Page scroll modules | PageUp / PageDown |
| Adjust panel height | Ctrl + Up / Ctrl + Down |
| Copy result in viewer | y |
TUI vs CLI
| Mode | Best for | Command |
|------|----------|---------|
| TUI (primary) | Interactive investigation, multi-step workflows, live output, case-first operations | lockknife |
| CLI / headless (secondary) | Quick tasks, automation, scripting, CI, headless servers | lockknife --cli or lockknife --headless |
TUI positioning vs ALEAPP, MobSF, drozer, objection, and Frida CLI
LockKnife is designed as a case-first operator workspace that spans extraction, runtime, APK review, reporting, and enrichment. The tools below are still valuable, but they solve narrower slices of the Android investigation workflow.
| Tool | Primary strength | Main surface | Best at | Gaps relative to LockKnife |
|------|------------------|--------------|---------|--------------------------------|
| LockKnife | Unified case-driven Android investigations | Terminal TUI + CLI | Coordinating extraction, forensics, runtime, APK review, reporting, and enrichment from one workspace | N/A |
| ALEAPP | Artifact parsing and report generation from device dumps/backups | CLI/report pipeline | Normalizing mobile artifacts into investigator-friendly reports | No integrated runtime instrumentation, APK review, live case workspace, or operator TUI |
| MobSF | Mobile app static/dynamic analysis | Web UI | APK/IPA-focused security review and sandbox analysis | Not a case-first device forensics workspace; weaker on extraction/runtime/operator orchestration |
| drozer | Android attack-surface assessment | CLI shell | IPC exposure, exported components, and app security probing | Not a reporting/forensics/timeline platform; no integrated case workflow |
| objection | Frida-assisted runtime exploration | Interactive CLI | Runtime hooks, method browsing, and rapid app introspection | Not a full evidence, reporting, or case-management surface |
| Frida CLI | Low-level instrumentation primitives | CLI | Raw attach/spawn/script workflows and custom tracing | No case model, extraction/reporting pipeline, or investigator-friendly orchestration layer |
Capability comparison: LockKnife vs specialist Android tools
| Capability | LockKnife | ALEAPP | MobSF | drozer | objection | Frida |
|------------|:---------:|:------:|:-----:|:------:|:---------:|:---------:|
| Case workspace, artifact lineage, integrity | ✅ Native | ⚠️ Report-centric | ❌ | ❌ | ❌ | ❌ |
| Device artifact extraction / acquisition helpers | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Timeline + cross-artifact investigation workflow | ✅ | ⚠️ Artifact-focused | ❌ | ❌ | ❌ | ❌ |
| APK static review | ✅ | ❌ | ✅ | ⚠️ Limited | ❌ | ❌ |
| Runtime instrumentation | ✅ | ❌ | ⚠️ Sandbox-centric | ✅ | ✅ | ✅ |
| Chain-of-custody / executive + technical reporting | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Guided operator workspace (TUI-first) | ✅ Primary | ❌ | ❌ Web UI instead | ❌ | ❌ | ❌ |
| Headless automation / scripting | ✅ | ✅ | ⚠️ Server workflow | ✅ | ✅ | ✅ |
Use LockKnife when you want one operator surface for the broader investigation lifecycle, and pair it with ALEAPP/MobSF/drozer/objection when you need their specialist depth.
Features Status Legend
| Icon | Status | Meaning |
|------|--------|---------|
| ✅ | production-ready | Stable core workflow with strong local/offline behavior |
| 🔧 | functional | Useful and working, with practical constraints |
| 🔬 | best-effort | Works in some environments, but highly device/app/version dependent |
| 🚧 | experimental | Early workflow with notable limitations |
| 🔑 | dependency-gated | Requires optional extras, external tools, or credentials |
Current Capabilities (v1.0.0)
Core Platform
- ✅ Python CLI with subcommands: `device`, `crack`, `extract`, `forensics`, `apk`, `report`, `security`, `intel`, `ai`, `network`, `crypto-wallet`
- 🔧 Full-screen TUI by default (`lockknife`) as the primary product surface; Click CLI via `--cli`/`--headless` for quick/headless tasks
- ✅ Classic menu UI via `lockknife interactive`
- ✅ Config loading via `lockknife.toml` (with legacy `lockknife.conf` mapping)
- ✅ Structured logging (console/JSON) and consistent output formatting
- ✅ Shell completion via `lockknife completion <shell>`
Rust Core (Native)
- ✅ Hashing/HMAC + AES-GCM helpers
- ✅ High-speed PIN bruteforce and dictionary attacks
- ✅ Binary helpers (DEX/ELF headers), pattern scanning, IPv4 parsing
- ✅ SQLite bulk table extraction to JSON and artifact correlation primitives
Device & Orchestration
- 🔧 ADB management: list/connect/info/shell (`lockknife device ...`)
- 🔧 Multi-device parallel execution for supported operations
- 🔧 Feature coverage depends on device access level (userdebug/root), OEM paths, and Android version
Feature Matrix
Credentials & Recovery
- ✅ Offline PIN bruteforce (`lockknife crack pin`) (Rust)
- ✅ Offline dictionary attack (`lockknife crack password`) (Rust)
- ✅ Rule-based password mutations (`lockknife crack password-rules`)
- 🔬 Device-side PIN recovery pipeline (`lockknife crack pin-device`) (device-dependent)
- 🔬 Gesture recovery (`lockknife crack gesture`) (device-dependent)
- 🔬 WiFi password extraction (`lockknife crack wifi`) (often requires root)
- 🔬 Keystore listing (`lockknife crack keystore`) (often requires root)
- 🔬 Passkey artifact export (`lockknife crack passkeys`) (Android 14+, device-dependent)
Extraction
- 🔧 SMS / Contacts / Call logs (`lockknife extract sms|contacts|call-logs`)
- 🔧 Browser artifacts (Chrome/Firefox history/bookmarks/downloads/cookies/saved logins)
- 🔬 Messaging artifacts (WhatsApp/Telegram), with device constraints
- 🔬 Signal message extraction (limited by SQLCipher encryption and key availability)
- 🔧 Media extraction with EXIF
- 🔧 Location artifacts and dumpsys snapshot parsing
- 🔬 `lockknife extract all` evidence directory (best-effo
