// case type
online doxxing (post-event triage)
PII already published — paste sites, social posts, republish chains. post-event triage: scope exposure, trace author + platform, preserve for takedown and safety planning.
// start here
entry point: doxxing victim investigation kit. work the primary tools top-down — all local, no upload.
start here · primary tools
ordered. work top-down. the first tool is the suggested entry point for this case type.
- doxxing victim investigation kitdrop social posts + pii exposure logs + threat messages · build victim safety report · runs locally
- osint normalizerpaste osint dump · extract emails phones ips crypto handles · disposable tor private heuristics · e.164 · five tabs · per-category csv · runs locally
- multi-source entity resolverdrop forensic csvs · resolve names emails usernames ips across sources · probabilistic entity profiles · runs locally
- investigation knowledge graph builderdrop forensic csv exports · extract entities and relationships · knowledge graph visualization · hub and path analysis · runs locally
- domain reputation analyzerpaste domains or IPs · score by entropy · TLD risk · homoglyph detection · DGA patterns · punycode abuse · age heuristics · no external lookup · runs locally
- ioc extractordrop any file or paste text · extract indicators of compromise · ips · domains · urls · hashes · emails · cves · export stix · csv · runs locally
- url redirect chain tracerpaste shortened URLs · trace full redirect chain via proxy · detect malicious redirects · show final destination · flag suspicious hops · runs locally
- ai chatbot multi-account correlation analyzercorrelate AI chatbot accounts, sessions, and devices across platforms · detect multi-account usage, shared devices, account switching · runs locally
also useful · secondary tools
supporting and follow-up tools. surface as the investigation widens.
- natural language writing sample authorship comparatordrop multiple text files or paste writing samples · compute 40 plus stylometric features · sentence length distribution · vocabulary richness · function word frequencies · punctuation patterns · produce similarity score with confidence intervals between samples · runs locally
- email impersonation pattern detectordrop multiple eml files or paste headers · detect display name spoofing domain lookalikes and reply-to hijacking · identify impersonation patterns targeting specific individuals or organizations · surface BEC and CEO fraud indicators · runs locally
- online defamation harassment litigation kitdrop social posts + dm exports + platform takedown logs · defamation evidence package · runs locally
- swatting call attribution kitdrop 911 call metadata + spoof logs + gaming chat · build swatting attribution report · runs locally
- passive dns resolution history forensic analyzerdrop passive dns export · parse rrset timeline + first/last seen · runs locally
- sextortion takedown notice package generatordrop incident evidence · output platform-specific takedown notice templates · runs locally
- ela image tampering detectordrop a JPEG · error level analysis · detect localized re-compression · flag tampered regions · visualize ELA map · runs locally
- fatcousin multi tool super timeline correlatordrop any fatcousin findings csv/json · unified timestamp-sorted timeline · runs locally
- fatcousin cross export ioc hash correlatordrop hash/ioc csv from any fatcousin tool · shared indicator intersection report · runs locally
- case report generatorfill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
proof & methodology
synthetic reference investigations and investigation playbooks for this case type — fixture-locked goldens, local binders, evidence order, and tool paths.
investigation guide: online doxxing (post-event triage) — methodology →
side-by-side: compare case types →
run as a case-kit pipeline
no curated stack for this case type yet. tracked in the forensics rollout — pipelines roll out one case type at a time.