what this is
fatcousin forensics is a local triage workbench for digital investigations. 4,004 browser tools, 52 case-type playbooks, 55 replayable reference cases — all running on your device, with nothing leaving your hard drive.
who it is for
- victims: fraud, scams, sextortion, stalking, ransomware, device compromise — answers in plain english, no jargon, no upload. start at /forensics/help →
- journalists: protect sources, debunk deepfakes, investigate doxxing campaigns, normalize osint dumps — all locally. start at /forensics/methodology/journalist-source-protection →
- it staff at small orgs: first-pass triage when you don't have a dedicated dfir team — phishing, account takeover, ransomware patient-zero, insider exfil. start at /forensics/triage →
- attorneys + paralegals: intake before you spend retainer hours on a vendor-of-record platform — normalize subpoena responses, score log authenticity, build court-ready citations. start at /forensics/coverage →
- investigators + analysts: first-pass triage before opening cellebrite / axiom / encase / magnet — parsers, scorers, normalizers, replayable reference cases. start at /forensics/proof →
- students + researchers: study real artifact patterns and methodology — every tool is open in your browser, every fixture is downloadable, every grade is published. start at /forensics/rubric →
what is in the catalog
every number on this page is read from the live catalog at render time — when a new tool or case ships, the counts update without anyone editing this file.
- forensic tools: 4,004. parsers, scorers, normalizers, correlators, kits — every one runs in your browser.
- case-type playbooks: 52. 8 tier-1 (default on home) + 44 tier-2 (full coverage).
- industry hubs: 56. healthcare, legal, finance, hr, ics/ot, automotive, telecom, gov/defense, satellite, retail, gaming, smart-city, education, real estate.
- artifact families: 215. email · browser · ios backup · android · pcap · evtx · registry · memory · disk · mobile image · ldap · cloud audit · …
- evidence types: 19. what you actually have in hand — csv, log, image, pdf, db, json, ndjson, raw bytes.
- methodology guides: 52. preservation order, recommended tool paths, honest limits, links back to each proof page.
- reference investigations: 55. replayable synthetic cases with published goldens and downloadable evidence.
- quick-start checklists: 52. printable first-10-minutes sheets for live incidents.
- fixture packs: 55. 55 with full on-disk goldens for ci replay + tool qa.
- comparison pairs: 43. side-by-side disambiguation for case types people commonly confuse.
how it works · the contract
- 01. open a tool in your browser — no signup, no email, nothing.
- 02. drop a file. processing runs locally — wasm, web workers, canvas, web audio, web crypto. file bytes never get sent anywhere.
- 03. outputs are deterministic. for graded tools, the same input on the same machine produces the same sha-256 every run.
- 04. open devtools → network tab. drop a file. watch nothing leave your machine. that is the contract.
no accounts. no tracking. no analytics that fingerprint a session. no remote llm calls on user inputs unless a tool says so explicitly and you opt in.
case sessions · hash-anchored analysis record
investigations are not just one tool run. the session manager captures every tool and stack run into a local case file — input sha-256 digests, output hashes, tool version, build sha, timestamps in utc, and an append-only custody log.
- export a .fc-case zip with manifest.sha256 tamper check and optional ed25519 signing
- one-click export package: case archive + exhibit html + reproducibility report + examiner declaration draft
- push findings into your existing stack — magnet axiom csv (ucag-ready), stix 2.1, misp event, universal csv, or autopsy 4.x via the import module
- replay reference investigations at /forensics/proof against published goldens — same engines, verifiable outputs
this is analysis-phase recordkeeping — not live-device imaging. pair sessions with your lab's upstream acquisition workflow. verify exports at /forensics/verify; external reviewer path at /forensics/reviewer-kit. scope boundaries at /forensics/scope; standards mapping at /forensics/standards.
how it is graded
every forensic tool is scored on a public five-axis rubric (accuracy, honesty, replayability, court-readiness, and surface fit). grade b is the minimum to ship; grade a is the target. the grade lives next to the tool name.
- /forensics/rubric — the rubric itself, plus how each axis is scored.
- /forensics/quality — live quality dashboard: how many tools at each grade, where the gaps are, what is being worked on.
- /forensics/standards — honest alignment status with swgde · nist · iso/iec · acpo · enfsi · rfc 3227 · daubert · frye · osac · astm e2916.
honest limits
fatcousin forensics is local triage — not collection-stage chain-of-custody software (no write-block imaging), not a siem, not an edr, not a managed incident response service, and not a replacement for cellebrite, axiom, encase, magnet, or velociraptor. it does ship hash-anchored case sessions for the analysis phase — see above.
read the full boundary list at /forensics/scope.
who runs it
fatcousin labs inc. — ontario, canada. operator-funded, ad-free, no investors with seats at the data table. contact labs@fatcousin.com for press, partnerships, security disclosure, or legal questions.
the operating principle — why local-first, why no accounts, why nothing uploads — lives at /manifesto.