// case type

journalist source protection

press-source handling: verify journalist + source comms weren't compromised before/after a sensitive story. evidence is E2EE app artifacts · SIM swap · OAuth grants · Google takeout — not corporate ethics hotline exports (see whistleblower-retaliation).

tools: 15
priority: H
processing: local · in browser
// start here

entry point: ios signal artifact forensic extractor. work the primary tools top-down — all local, no upload.

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this case type.

  1. ios signal artifact forensic extractor: drop signal.sqlite · parse conversations and messages · disappearing timers · view-once flags · draft messages · registered phone · rowid gaps · runs locally
  2. android signal database forensic extractor: drop Android Signal database files (signal.db or backup files) · parse conversations, messages, and attachment metadata · extract disappearing message settings, contact identifiers, and draft messages · surface registered phone number from database · detect deleted message gaps · runs locally
  3. signal desktop artifact forensic extractor: drop signal desktop %APPDATA%\Signal · parse encrypted leveldb config + sql.sqlite (key-derived) · surface conversation + attachment metadata · runs locally
  4. sim swap artifact forensic detector: detect evidence of SIM swapping across devices, carriers, or subscriber records · runs locally
  5. google account activity export forensic deep analyzer: drop google takeout 'my activity' html/json · parse per-product activity timeline · flag credential recovery access events · csv/json export · runs locally
  6. casb oauth token abuse detector: drop casb oauth grant export · detect excessive scope grants · runs locally
  7. google takeout archive forensic parser: drop google takeout zip or individual takeout json, csv, html files · parse account activity across all google services · reconstruct location history, search history, youtube watch history, gmail metadata, and drive activity · surface forensic timeline across all google products · runs locally

also useful · secondary tools

supporting and follow-up tools. surface as the investigation widens.

  1. threema android artifact forensic extractor: drop threema android dataDir · parse messages.db (encrypted) + contacts · runs locally
  2. wire artifact forensic extractor: drop wire desktop client data dir · parse e2ee message metadata + conversation list · runs locally
  3. proton vpn client log forensic analyzer: drop proton vpn client log · parse connect + tunnel state · runs locally
  4. unified login session reconstructor: drop 4624 evtx · rdp logs · vpn logs · ssh logs · browser cookie databases · srum csv · build one unified session per user per day across all authentication sources · identify gaps · flag impossible sessions · runs locally
  5. saas overprivileged oauth scope detector: drop saas oauth grant export · detect excessive oauth scopes · runs locally
  6. fatcousin multi tool super timeline correlator: drop any fatcousin findings csv/json · unified timestamp-sorted timeline · runs locally
  7. fatcousin cross export ioc hash correlator: drop hash/ioc csv from any fatcousin tool · shared indicator intersection report · runs locally
  8. case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
// reference

proof & methodology

synthetic reference investigations and investigation playbooks for this case type — fixture-locked goldens, local binders, evidence order, and tool paths.

investigation guide: journalist source protection — methodology

side-by-side: compare case types →

run as a case-kit pipeline

no curated stack for this case type yet. tracked in the forensics rollout — pipelines roll out one case type at a time.
