Why Hexii

Hexii is designed for remote live digital forensics with a focus on transparency, isolation, and operator control. It is equally suited for analyst-led operations and agentic-AI assisted investigations where containment boundaries are critical to preserve evidence integrity.

Remote Live Triage

Investigate active systems remotely and execute controlled host or container actions from a dedicated forensic environment.

Host and Container Isolation

Operational controls are split across host and expert container contexts, so sensitive evidence interaction can remain separated from direct system-level changes.

Evidence-Aware Disk Mapping

Map devices into analysis workflows with explicit commands and visibility over active mappings.

Time-Bound Remote Access

Host and container SSH controls support timed expiry options to reduce persistent exposure during incident handling.

Evidence-Safe by Design

Hexii supports remote analysis workflows that avoid modifying source evidence, helping teams preserve chain-of-custody and investigative confidence.

Agentic-AI Ready Forensics

AI-driven or AI-augmented analysis can accelerate triage, but also introduces risk of accidental evidence tampering. Hexii mitigates this by emphasizing containerized analyst access, so autonomous or semi-autonomous agents operate inside controlled execution boundaries instead of directly on sensitive source data.

Transparent and Customizable

Built on Arch Linux with no vendor telemetry, Hexii can be adapted to your mission profile while keeping system behavior visible and auditable.

AI Usage Model for Evidence-Safe Operations

Hexii can support agentic-AI investigation assistants while maintaining strict evidence handling boundaries.

Project Structure

Hexii source is organized as a reproducible build pipeline plus runtime command and service layers.

Build Pipeline

  • Single build.sh script for easy start - no complex prerequisites
  • Idempotent modules allow independent customization at each step
  • Customizable resources and configs in ./resources directory
  • Automatic image preparation and output generation

Runtime Controls

  • Multiple interfaces: CLI, TUI, and UI for flexible operator control
  • Built-in firewall for stealth and network isolation
  • SSH key-only access by default for secure remote operations
  • Revertible system changes - state resets on reboot for forensic cleanliness

Target Outputs

  • BIOS and UEFI boot support for maximum compatibility
  • x64 and ARM64 architecture support
  • Multiple output formats: ISO, VM disk, RAW for external storage
  • Configuration options from headless to full graphical desktop
  • Apple Silicon CPU support with a custom bootloader for MacBooks

Operational Workflow

Build

Generate a forensic runtime image using the modular host and chroot pipeline.

Deploy

Boot Hexii on target hardware with architecture-specific boot resources.

Investigate

Use control tools (hexii-cli, hexii-tui, hexii-gui) to inspect network state, run host/container commands, and manage mappings.

Control Access

Enable SSH and password access only when needed, optionally with timed expiry.

Revert

Trigger host/container revert paths to return to a known state after investigations.

Get Started

Clone the project and run the build pipeline on a compatible (x64, ARM64) Linux build host or a VM.

git clone https://github.com/titan-hex/hexii.git
cd hexii
./build.sh