// case type
mobile device triage (consent-based)
consensual scan of a phone for the basics — apps, messages, location, recent activity. small-org IT, lawyers, or DV advocates.
start here · primary tools
ordered. work top-down. the first tool is the suggested entry point for this case type.
- ios backup browserdrop an iTunes backup Manifest.db · list backed-up apps · files · domains · relative paths · export CSV · runs locally
- ios backup analyzerdrop an ios backup manifest · browse file structure · extract app data · databases · runs locally
- android backup analyzerdrop an android backup ab file · browse app data · extract databases · files · shared preferences · runs locally
- ios spotlight search artifact extractordrop ios spotlight sqlite or interactionc database · extract spotlight search queries · reconstruct what the user searched for on device · surface app launches via spotlight and searched contact names · runs locally
- ios screen time forensic analyzerdrop screen time sqlite from ios backup · app usage · website visits · pickup frequency · digital activity · alibi assessment · runs locally
- ios app install and uninstall timeline reconstructordrop manifest db applicationstate plists installd log · install uninstall upgrade timeline · mass uninstall alerts · runs locally
- android logcat analyzerdrop android logcat output · parse log levels · crash detection · anr · security exceptions · network activity · timeline · runs locally
- mobile location history extractordrop ios locations sqlite · google location json · csv gps · haversine stops · movement timeline · runs locally
also useful · secondary tools
supporting and follow-up tools. surface as the investigation widens.
- ios photos database forensic analyzerdrop photos.sqlite · metadata including deleted · location · hidden photos · creation timeline · runs locally
- ios notes complete forensic analyzerdrop notestore.sqlite · notes including deleted · locked metadata · attachments · sensitive content scan · runs locally
- ios call history parserdrop ios callhistory storedata sqlite · parse all call records · reconstruct call timeline · identify frequent contacts unknown numbers and voip calls · surface deleted call gap analysis · runs locally
- ios sms database parserdrop iOS backup SMS.db · threaded conversation view · timestamps · attachments · participants · export CSV · runs locally
- android sms database parserdrop Android mmssms.db · parse SMS and MMS threads · contacts · timestamps · export conversations as CSV · runs locally
- android call log parserdrop Android contacts2.db or calllog.db · parse incoming · outgoing · missed calls · contacts · duration · timestamps · export CSV · runs locally
- case report generatorfill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
run as a stack
skip the click-through. these presets are curated forensic pipelines you can save as a stack with one click and run on your evidence locally.
mobile triage — consent-based kit
6 stepsdrop APK/IPA packages + location exports → app analysis → location history → unified timeline → report
- 01evidence-manifest-generatorhash every file before triage — consent-based cases still need integrity
- 02apk-analyzerandroid packages: permissions, dex strings, network security config
- 03ipa-analyzerios packages: entitlements, URL schemes, embedded frameworks
- 04mobile-location-history-extractorparse location history exports when provided alongside the app packages
- 05forensic-timeline-buildermerge timestamped events from all artifact bundles into one timeline
- 06case-report-generatordraft a plain-language triage summary for IT, counsel, or advocates