// case type
election integrity investigation
voter-roll tampering, e-pollbook artifacts, ballot-image chain of custody, election-night messaging spoofing, foreign-influence pattern surfacing.
start here · primary tools
ordered. work top-down. the first tool is the suggested entry point for this case type.
- email spoofing and SPF/DKIM/DMARC header validator: paste raw email headers or drop eml file · validate authentication headers · detect spoofing indicators · surface spf, dkim and dmarc results · identify header inconsistencies indicating spoofed or forged email · runs locally
- email impersonation pattern detector: drop multiple eml files or paste headers · detect display name spoofing, domain lookalikes and reply-to hijacking · identify impersonation patterns targeting specific individuals or organizations · surface BEC and CEO fraud indicators · runs locally
- ai generated text fingerprint analyzer: linguistic metrics · burstiness · repetition · ai likelihood score · export csv · runs locally
- ai generated image provenance analyzer: png tEXt chunk inventory · sd metadata · stripped metadata flag · provenance csv · runs locally
- document metadata inconsistency finder: drop docx, xlsx, pptx, pdf · core app props vs pdf info · temporal author revision heuristics · tracked changes timeline · runs locally
- metadata consistency checker: drop a JPEG, PNG or video · compare EXIF date vs file date vs filename date vs GPS timestamp · flag inconsistencies · dimension mismatches · runs locally
- ela image tampering detector: drop a JPEG · error level analysis · detect localized re-compression · flag tampered regions · visualize ELA map · runs locally
- copy-move forgery detector: drop an image · block-matching copy-move scan · suspicious region overlay · heuristic clone map · runs locally
also useful · secondary tools
supporting and follow-up tools. surface as the investigation widens.
- exif fixer: drop JPEGs with broken or missing EXIF · repair corrupt tags · rebuild missing timestamp from filename · batch redate · download fixed files · runs locally
- document metadata genealogy tracer: drop related documents · trace ancestor versions through metadata · revision counts · author chains · template references · printer fingerprints · reconstruct document family history · runs locally
- domain reputation analyzer: paste domains or IPs · score by entropy · TLD risk · homoglyph detection · DGA patterns · punycode abuse · age heuristics · no external lookup · runs locally
- url redirect chain tracer: paste shortened URLs · trace full redirect chain via proxy · detect malicious redirects · show final destination · flag suspicious hops · runs locally
- ioc extractor: drop any file or paste text · extract indicators of compromise · ips · domains · urls · hashes · emails · cves · export stix · csv · runs locally
- osint normalizer: paste osint dump · extract emails, phones, ips, crypto handles · disposable, tor, private heuristics · e.164 · five tabs · per-category csv · runs locally
- case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
run as a stack
skip the click-through. these presets are curated forensic pipelines you can save as a stack with one click and run on your evidence locally.
election spoof / influence IOC sweep
6 steps · drop suspect 'official' emails → header validate → pull IOCs → dedupe across sources → severity triage → report
- 01 · evidence-manifest-generator: preserve raw .eml + screenshots so the chain holds up under election-contest scrutiny
- 02 · email-header-analyzer: validate SPF / DKIM / DMARC — most election spoof emails fail at least one
- 03 · ioc-extractor: pull sender domains, look-alike URLs, IPs from the headers + bodies
- 04 · ioc-deduplicator-normalizer: merge across the suspect message set — a single influence cluster usually shares 3-5 domains
- 05 · ioc-bulk-validator-and-triage: score; high-severity IOCs are the ones to escalate to CISA / state election officials
- 06 · case-report-generator: draft a report formatted for state-level cybersecurity intake