LockKnife by ImKKingshuk

Android security research and forensics platform

Created 2 years ago
470 stars

Top 64.6% on SourcePulse

Summary

LockKnife is a unified Android security research and forensic toolkit for researchers and hackers. It combines a TUI workspace and headless CLI, powered by Python orchestration and a Rust-accelerated core, to streamline complex investigations from data extraction and credential recovery to AI-driven analysis and reporting.

How It Works

The platform leverages Python for orchestration and Rust for performance-critical primitives (hashing, crypto, parsing). It offers a case-driven approach with a primary TUI interface and a secondary headless CLI, enabling deep Android security research, including AI-assisted analysis, cryptocurrency forensics, and runtime instrumentation across modern Android versions.

Quick Start & Requirements

Supports macOS, Linux, and Windows (WSL). Requires Python 3.11+ and adb. Install via curl -fsSL https://lockknife.vercel.app/install | bash or brew install ImKKingshuk/tap/lockknife (macOS). Run TUI with lockknife, headless with lockknife --cli. Optional features require extras like lockknife[apk] or lockknife[frida].

Highlighted Details

  • Hybrid Python/Rust architecture optimizes performance for critical tasks while maintaining modularity.
  • The TUI acts as a primary, case-first operator workspace, unifying extraction, forensics, runtime analysis, and reporting, differentiating it from specialist tools.
  • Version 1.0.0 includes offline PIN/dictionary cracking, artifact extraction (SMS, browser, media), SQLite inspection, timeline building, and APK scanning.
  • Supports modern Android features like passkey artifacts (Android 14+) and targets Private Space analysis (Android 15+).

Maintenance & Community

The project is at release v1.0.0. The README does not currently list specific community channels, notable contributors, or sponsorship details.

Licensing & Compatibility

Licensed under GPL-3.0-only. This copyleft license may restrict commercial use and linking with proprietary software, requiring derivative works to also be open-sourced under GPLv3.

Limitations & Caveats

Many features are best-effort or experimental, often requiring root, specific device builds, or external dependencies. Signal message extraction is limited by encryption, and PDF reporting needs additional installations. Runtime instrumentation and bypass workflows are highly device and app-dependent.

Health Check

  • Last Commit: 3 days ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 0
  • Issues (30d): 1
  • Star History: 13 stars in the last 30 days
