// case type

lost or stolen device

post-recovery triage: what did the finder do, what was accessed, was the device wiped or imaged.

tools: 12
priority: L
processing: local · in browser

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this case type.

  1. ios pairing record forensic analyzer · drop itunes lockdown pairing plist · parse device and host certificates · escrow bag detection · pairing age and trust implications · csv json export · runs locally
  2. mobile device pairing record analyzer · drop ios lockdown pairing plist or android adb key files · parse device pairing credentials · identify which computers have been paired with the device · surface pairing timestamps and certificate details · runs locally
  3. ios jailbreak artifact detector · drop manifest db or path list · detect jailbreak indicators cydia sileo substrate · tool identification · removal hints · runs locally
  4. mobile factory reset evidence artifact detector · drop iOS backup Info.plist / Status.plist or Android recovery logs, getprop output, and filesystem listings · detect artifacts indicating a factory reset occurred · distinguish first-time setup from post-reset setup · surface data remnants that survived the reset · assess completeness of the wipe · runs locally
  5. mobile remote wipe artifact detector · drop iOS backup files, MDM enrollment plists, or Android DevicePolicyManager logs and logcat output · detect evidence of remote wipe commands being issued or executed · identify the wipe initiator (MDM, Find My iPhone, Google Find My Device, Samsung Find My Mobile) · surface wipe timing and scope · assess whether wipe was completed or interrupted · runs locally
  6. android factory reset artifact detector · drop recovery logs logcat getprop or path listings · detect factory reset evidence · recovery wipe timeline · mdm remote wipe · boot count · runs locally
  7. ios app install and uninstall timeline reconstructor · drop manifest db applicationstate plists installd log · install uninstall upgrade timeline · mass uninstall alerts · runs locally
  8. unified login session reconstructor · drop 4624 evtx · rdp logs · vpn logs · ssh logs · browser cookie databases · srum csv · build one unified session per user per day across all authentication sources · identify gaps · flag impossible sessions · runs locally

also useful · secondary tools

supporting and follow-up tools. surface as the investigation widens.

  1. mobile passcode change burst artifact detector · drop iOS logs plists or Android logcat and locksettings database · detect passcode change events · surface credential type changes · identify passcode change bursts · assess complexity weakening · runs locally
  2. mobile biometric change artifact detector · drop unified log · biometrickitd plist · android logcat · enrollment delete bursts · pre-acquisition significance · runs locally
  3. mobile find my disable artifact detector · drop iCloud find my plists · unified log · android logcat · disable timeline · anti-forensic correlation · runs locally
  4. case report generator · fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
// case-kit pipeline

run as a stack

skip the click-through. these presets are curated forensic pipelines you can save as a stack with one click and run on your evidence locally.

  • lost device — recovery triage

    8 steps

    drop pairing records + reset/wipe artifacts → timeline of finder activity → report

    1. evidence-manifest-generator · hash device exports before triage
    2. ios-pairing-record-forensic-analyzer · iOS pairing records — who connected while the device was missing
    3. mobile-device-pairing-record-analyzer · cross-platform pairing record analysis
    4. mobile-factory-reset-evidence-artifact-detector · detect factory reset performed while device was out of owner's possession
    5. mobile-remote-wipe-artifact-detector · detect remote wipe commands during the loss window
    6. mobile-find-my-disable-artifact-detector · detect Find My disable — common finder anti-tracking step
    7. forensic-timeline-builder · merge all device events into one timeline of finder activity
    8. case-report-generator · draft a report documenting what happened to the device while missing
// pattern-matched

tools that the manifest-classifier flagged as plausibly useful here but that aren't in the hand-curated lists above. less editorial weight — scan, don't work top-down.
