New Era: Python + Rust Rewrite (v1.x)

• Python orchestrates CLI, device I/O, modules, reporting, and integrations.
• Rust powers performance-critical primitives (hashing/crypto, bruteforce, bulk parsing).
• The legacy Bash-only edition ended at v0.4.x (see [CHANGELOG.md]).

Installation

Curl (macOS, Linux, Windows)

curl -fsSL https://lockknife.vercel.app/install | bash

Homebrew (macOS)

brew install ImKKingshuk/tap/lockknife

Quick Start

TUI (Default)

lockknife

CLI (Headless)

lockknife --cli

OR

lockknife --headless

Old Classic Interactive Mode

lockknife interactive

Product Priority

• TUI is the main product and default experience. Use lockknife for day-to-day investigations, case-driven workflows, result review, and operator-guided execution.
• Headless CLI is the secondary surface. Use lockknife --cli ... or lockknife --headless for quick one-off tasks, scripting, CI, and remote/headless environments.
• Classic interactive mode is legacy convenience. Use lockknife interactive only when you specifically want the older menu flow.

TUI (Default)

Keybindings

Action	Keys
Quit	q
Navigate panels	Tab
Move selection	Arrow keys
Open action menu	Enter
Search modules/output	/
Help	?
Theme cycle	t
Config editor	c
Export last result	e
Result viewer	v
Page scroll modules	PageUp / PageDown
Adjust panel height	Ctrl + Up / Ctrl + Down
Copy result in viewer	y

TUI vs CLI

Mode	Best for	Command
TUI (primary)	Interactive investigation, multi-step workflows, live output, case-first operations	lockknife
CLI / headless (secondary)	Quick tasks, automation, scripting, CI, headless servers	lockknife --cli or lockknife --headless

TUI positioning vs ALEAPP, MobSF, drozer, objection, and Frida CLI

LockKnife is designed as a case-first operator workspace that spans extraction, runtime, APK review, reporting, and enrichment. The tools below are still valuable, but they solve narrower slices of the Android investigation workflow.

Tool	Primary strength	Main surface	Best at	Gaps relative to LockKnife
LockKnife	Unified case-driven Android investigations	Terminal TUI + CLI	Coordinating extraction, forensics, runtime, APK review, reporting, and enrichment from one workspace	N/A
ALEAPP	Artifact parsing and report generation from device dumps/backups	CLI/report pipeline	Normalizing mobile artifacts into investigator-friendly reports	No integrated runtime instrumentation, APK review, live case workspace, or operator TUI
MobSF	Mobile app static/dynamic analysis	Web UI	APK/IPA-focused security review and sandbox analysis	Not a case-first device forensics workspace; weaker on extraction/runtime/operator orchestration
drozer	Android attack-surface assessment	CLI shell	IPC exposure, exported components, and app security probing	Not a reporting/forensics/timeline platform; no integrated case workflow
objection	Frida-assisted runtime exploration	Interactive CLI	Runtime hooks, method browsing, and rapid app introspection	Not a full evidence, reporting, or case-management surface
Frida CLI	Low-level instrumentation primitives	CLI	Raw attach/spawn/script workflows and custom tracing	No case model, extraction/reporting pipeline, or investigator-friendly orchestration layer

Capability comparison: LockKnife vs specialist Android tools

Capability	LockKnife	ALEAPP	MobSF	drozer	objection	Frida
Case workspace, artifact lineage, integrity	✅ Native	⚠️ Report-centric	❌	❌	❌	❌
Device artifact extraction / acquisition helpers	✅	✅	❌	❌	❌	❌
Timeline + cross-artifact investigation workflow	✅	⚠️ Artifact-focused	❌	❌	❌	❌
APK static review	✅	❌	✅	⚠️ Limited	❌	❌
Runtime instrumentation	✅	❌	⚠️ Sandbox-centric	✅	✅	✅
Chain-of-custody / executive + technical reporting	✅	✅	✅	❌	❌	❌
Guided operator workspace (TUI-first)	✅ Primary	❌	❌ Web UI instead	❌	❌	❌
Headless automation / scripting	✅	✅	⚠️ Server workflow	✅	✅	✅

Use LockKnife when you want one operator surface for the broader investigation lifecycle, and pair it with ALEAPP/MobSF/drozer/objection when you need their specialist depth.

Features Status Legend

Icon	Status	Meaning
✅	production-ready	Stable core workflow with strong local/offline behavior
🔧	functional	Useful and working, with practical constraints
🔬	best-effort	Works in some environments, but highly device/app/version dependent
🚧	experimental	Early workflow with notable limitations
🔑	dependency-gated	Requires optional extras, external tools, or credentials

---

Current Capabilities (v1.0.0)

Core Platform

• ✅ Python CLI with subcommands: device, crack, extract, forensics, apk, report, security, intel, ai, network, crypto-wallet
• 🔧 Full-screen TUI by default (lockknife) as the primary product surface; Click CLI via --cli / --headless for quick/headless tasks
• ✅ Classic menu UI via lockknife interactive
• ✅ Config loading via lockknife.toml (with legacy lockknife.conf mapping)
• ✅ Structured logging (console/JSON) and consistent output formatting
• ✅ Shell completion via lockknife completion <shell>

Rust Core (Native)

• ✅ Hashing/HMAC + AES-GCM helpers
• ✅ High-speed PIN bruteforce and dictionary attacks
• ✅ Binary helpers (DEX/ELF headers), pattern scanning, IPv4 parsing
• ✅ SQLite bulk table extraction to JSON and artifact correlation primitives

Device & Orchestration

• 🔧 ADB management: list/connect/info/shell (lockknife device ...)
• 🔧 Multi-device parallel execution for supported operations
• 🔧 Feature coverage depends on device access level (userdebug/root), OEM paths, and Android version

---

Feature Matrix

Credentials & Recovery

• ✅ Offline PIN bruteforce (lockknife crack pin) (Rust)
• ✅ Offline dictionary attack (lockknife crack password) (Rust)
• ✅ Rule-based password mutations (lockknife crack password-rules)
• 🔬 Device-side PIN recovery pipeline (lockknife crack pin-device) (device-dependent)
• 🔬 Gesture recovery (lockknife crack gesture) (device-dependent)
• 🔬 WiFi password extraction (lockknife crack wifi) (often requires root)
• 🔬 Keystore listing (lockknife crack keystore) (often requires root)
• 🔬 Passkey artifact export (lockknife crack passkeys) (Android 14+, device-dependent)

Extraction

• 🔧 SMS / Contacts / Call logs (lockknife extract sms|contacts|call-logs)
• 🔧 Browser artifacts (Chrome/Firefox history/bookmarks/downloads/cookies/saved logins)
• 🔬 Messaging artifacts (WhatsApp/Telegram), with device constraints
• 🔬 Signal message extraction (limited by SQLCipher encryption and key availability)
• 🔧 Media extraction with EXIF
• 🔧 Location artifacts and dumpsys snapshot parsing
• 🔬 lockknife extract all evidence directory (best-effort; produces errors manifest when datasets fail)

Forensics

• 🔬 Device snapshotting (lockknife forensics snapshot) (full coverage may require root)
• ✅ SQLite inspection + bulk extraction (lockknife forensics sqlite) (Rust-accelerated)
• ✅ Timeline building (lockknife forensics timeline)
• 🔧 ALEAPP-style artifact normalization/export (lockknife forensics parse)
• ✅ Cross-artifact correlation (lockknife forensics correlate) (Rust-assisted)
• 🔬 Deleted record recovery heuristics (lockknife forensics recover) (best-effort)

Reporting

• 🔧 HTML/JSON/CSV reporting (lockknife report generate)
• 🔑 PDF reporting (lockknife report generate --format pdf) (requires weasyprint or xhtml2pdf)
• 🔧 Chain of custody (lockknife report chain-of-custody)
• 🔧 Case integrity verification (lockknife report integrity)

APK Analysis

• 🔑 Manifest parsing and metadata extraction (requires lockknife[apk])
• 🔑 Permission risk scoring and heuristic vulnerability checks
• ✅ DEX header extraction from APK (Rust)
• 🔬 "Decompile" (APK unpack + manifest.json; not full source decompilation)
• 🔧 YARA / pattern scanning (lockknife apk scan)

Runtime Instrumentation

• 🔑 Frida session management and script loading (requires lockknife[frida] + Frida server)
• 🔬 Bypass and tracing workflows (device/app dependent)
• 🔬 Memory/heap utilities (device/app dependent)

Network

• 🔬 Device capture (lockknife network capture) (root + tcpdump)
• 🔑 PCAP analysis and API endpoint discovery (requires lockknife[network])
• ✅ Rust helpers for parsing primitives (IPv4)

Security

• 🔧 Device posture audit and checks (lockknife security scan)
• 🔧 SELinux and bootloader/hardware checks (device dependent)
• 🔧 Malware scanning (Rust pattern engine)
• 🔧 OWASP MASTG mapping helpers (lockknife security owasp)

---

Integrations (Optional Extras)

• 🔑 Threat intelligence (lockknife intel ...) (requires lockknife[threat-intel] + API keys)
• 🔑 AI/ML workflows (lockknife ai ...) (requires lockknife[ml])
• 🔧 Crypto wallet forensics (lockknife crypto-wallet ...) (data/network dependent)

Requirements

• OS: macOS, Linux, Windows (WSL)
• Python: 3.11+
• ADB: Android platform-tools (adb)
• Rust: required to build the native extension from source
• Device constraints: some features require root/userdebug builds or app-specific DB access

Configuration

LockKnife looks for configuration files in the following locations (in order):

1. ./lockknife.toml
2. $HOME/.config/lockknife/lockknife.toml
3. $HOME/.lockknife.toml
4. /etc/lockknife.toml

Legacy lockknife.conf is also supported and auto-mapped for a small set of keys.

Example lockknife.toml:

[lockknife]
log_level = "INFO"
log_format = "console"
adb_path = "adb"

Disclaimer

LockKnife : The Ultimate Android Security Research Tool is developed for research and educational purposes. It should be used responsibly and in compliance with all applicable laws and regulations. The developer of this tool is not responsible for any misuse or illegal activities conducted with this tool.

Password recovery tools should only be used for legitimate purposes and with proper authorization. Using such tools without proper authorization is illegal and a violation of privacy. Ensure proper authorization before using LockKnife for password recovery or data extraction. Always adhere to ethical hacking practices and comply with all applicable laws and regulations.

License

This project is licensed under the GPL-3.0-only License.

Happy Android Security Research with LockKnife! 🔒💫