// case type

pig butchering / long-con investment scam

weeks-to-months of chat grooming → fake crypto exchange → drained wallet. evidence spans messaging apps, crypto wallets, and screenshots.

tools
16
priority
H
processing
local · in browser

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this case type.

  1. iOS WhatsApp artifact forensic extractor: drop iOS WhatsApp ChatStorage.sqlite and Contacts.sqlite · parse all chats, messages, groups, and media references · reconstruct conversation timelines with delivery status · surface location shares, contact cards, and deleted-message placeholders · runs locally
  2. Android WhatsApp database forensic analyzer: drop an Android WhatsApp msgstore.db · parse all messages, chats, groups, and media metadata · reconstruct conversation timelines · surface message delivery status, forwarding metadata, location shares, and contact cards · detect deleted-message gaps · runs locally
  3. iOS Telegram artifact forensic extractor: drop cache4.db or an account database · parse chats, messages, and channels · forwarding metadata, edits, and tombstones · disappearing-message timers · mid (message id) gap analysis · runs locally
  4. Android Telegram database forensic extractor: drop Android Telegram database files · parse messages, chats, channels, and contacts · extract forwarding metadata, edit timestamps, and media references · surface disappearing-message timer settings · detect deleted-message ROWID gaps · reconstruct the Telegram communication timeline · runs locally
  5. iOS Signal artifact forensic extractor: drop signal.sqlite · parse conversations and messages · disappearing-message timers · view-once flags · draft messages · registered phone number · ROWID gaps · runs locally
  6. Ethereum transaction decoder: paste raw Ethereum transaction hex · RLP decode · from, to, value, gas · ERC-20 calldata · runs locally
  7. Bitcoin transaction decoder: paste raw transaction hex · decode inputs, outputs, and scripts · fees · locktime · SegWit · P2PKH, P2SH, P2WPKH · runs locally
  8. crypto tx graph: paste JSON, CSV, or BTC hex · directed graph · hub, peel, and fan patterns · ASCII visualization · stats · CSV/JSON export · runs locally

also useful · secondary tools

supporting and follow-up tools. surface as the investigation widens.

  1. crypto wallet classifier: paste any crypto address · identify blockchain · validate checksum · address type · derivation format · runs locally
  2. Bitcoin address clustering: paste or drop CSV · extract BTC addresses · common-input heuristic clustering · cluster table · export CSV · runs locally
  3. cryptocurrency mixer and tumbler detector: drop a Bitcoin transaction CSV · apply statistical analysis to detect mixing-service patterns · equal-output detection · timing patterns · CoinJoin identification · peel chain vs. mixed funds · estimate mixing confidence · runs locally
  4. iOS dating app artifact forensic extractor (Tinder, Bumble, Hinge): drop iOS dating app database files (Tinder, Bumble, or Hinge) · auto-detect app · parse match records, messages, and profile metadata · surface match timestamps, screenshot alerts, and own location from the account plist · detect confirmed real-world meetings (Hinge "We Met") · runs locally
  5. domain reputation analyzer: paste domains or IPs · score by entropy · TLD risk · homoglyph detection · DGA patterns · punycode abuse · age heuristics · no external lookup · runs locally
  6. URL redirect chain tracer: paste shortened URLs · trace the full redirect chain via proxy · detect malicious redirects · show final destination · flag suspicious hops · runs locally
  7. iOS screenshot burst forensic analyzer: drop photos.sqlite · screenshot detection · burst clustering · rapid-capture flags · runs locally
  8. case report generator: fill in case number, examiner, dates, and findings · drop evidence files for automatic hashing · generates a structured forensic report PDF · runs locally
// case-kit pipeline

run as a stack

skip the click-through. these presets are curated forensic pipelines you can save as a stack with one click and run on your evidence locally.

  • pig butchering — loss reconstruction

    6 steps

    drop chat exports + crypto address screenshots → extract IOCs (wallets, domains, URLs) → cross-platform correlate → draft loss report

    1. evidence-manifest-generator: hash chat exports + screenshots so the timeline of provided evidence is fixed
    2. ioc-extractor: pull crypto wallets, fake-exchange domains, and shortlink URLs from the message bodies
    3. ioc-deduplicator-normalizer: merge across WhatsApp + Telegram + email exports; the same wallet usually appears in all three
    4. multi-artifact-correlator: surface IOCs that span more than one chat channel; those are the load-bearing addresses / domains
    5. ioc-bulk-validator-and-triage: score the wallet + domain set; high-severity items are the ones to subpoena exchanges over
    6. case-report-generator: draft a victim-loss report with the wallet trail + exchange-of-record assertions
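    The six steps above collapsed into one runnable script, as an added example that is not one of the page's tools and not their code: it hashes each export before touching it, pulls BTC/ETH addresses, URLs and domains out of the message bodies with regexes, normalizes them so the mixed-case and lowercase spellings of one ETH address merge, records which channels each IOC appears in, and ranks cross-channel wallets highest. The three chat exports, the shortener list and the severity rules are constructed for illustration; the two addresses are public spec test vectors (BIP173 and EIP-55), not case data.

```python
# Added example, not one of the page's tools: steps 01-05 of the
# loss-reconstruction pipeline over constructed chat exports.
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample exports (one per channel). The addresses are public spec
# test vectors (BIP173 bech32, EIP-55 checksum); domains/URLs are made up.
EXPORTS = {
    "whatsapp": (
        "[2024-03-02 21:14] Mei: transfer here to start, "
        "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq\n"
        "[2024-03-02 21:15] Mei: app is at https://bit.ly/3xmpl1 ok?\n"
    ),
    "telegram": (
        "Mei: deposit BTC to bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq\n"
        "Mei: your ETH address for profit is "
        "0xDE0B295669a9FD93d5F28D9Ec85E40f4cb697BAe\n"
        "Mei: login https://goldcoin-trade.example/vip\n"
    ),
    "email": (
        "Subject: Withdrawal verification\n"
        "Pay the 20% tax to 0xde0b295669a9fd93d5f28d9ec85e40f4cb697bae "
        "before withdrawing from goldcoin-trade.example.\n"
    ),
}

PATTERNS = {
    # legacy Base58 (1.../3...) or bech32 (bc1...) bitcoin addresses
    "btc": re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{11,71})\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "url": re.compile(r"https?://[^\s<>\"']+"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}  # constructed, illustrative list


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evidence_manifest(exports: dict) -> dict:
    """Step 01: fix the evidence set by hashing every export before analysis."""
    return {name: sha256_hex(text.encode("utf-8")) for name, text in exports.items()}


def normalize(kind: str, value: str) -> str:
    """Step 03: canonical form so the same IOC matches across exports.
    ETH hex, domains and bech32 are case-insensitive; Base58 is not."""
    if kind in ("eth", "domain") or (kind == "btc" and value.lower().startswith("bc1")):
        return value.lower()
    if kind == "url":
        return value.rstrip(".,;:)")
    return value


def extract_iocs(text: str) -> set:
    """Step 02: pull wallets, URLs and domains out of a message body."""
    found = set()
    for kind, pat in PATTERNS.items():
        for match in pat.findall(text):
            found.add((kind, normalize(kind, match)))
    for kind, value in list(found):            # a URL's host is a domain IOC too
        if kind == "url" and urlparse(value).hostname:
            found.add(("domain", urlparse(value).hostname.lower()))
    return found


def correlate(exports: dict) -> dict:
    """Steps 03+04: merge per-channel IOC sets, keeping which channels saw each."""
    seen = defaultdict(set)
    for channel, text in exports.items():
        for ioc in extract_iocs(text):
            seen[ioc].add(channel)
    return seen


def load_bearing(exports: dict) -> dict:
    """Step 04: IOCs that span more than one channel."""
    return {ioc: chans for ioc, chans in correlate(exports).items() if len(chans) > 1}


def triage(exports: dict) -> list:
    """Step 05 (constructed rules): cross-channel wallets are high severity,
    other cross-channel IOCs and shortener domains medium, the rest low."""
    rows = []
    for (kind, value), chans in sorted(correlate(exports).items()):
        if len(chans) > 1 and kind in ("btc", "eth"):
            severity = "high"
        elif len(chans) > 1 or (kind == "domain" and value in SHORTENERS):
            severity = "medium"
        else:
            severity = "low"
        rows.append((severity, kind, value, sorted(chans)))
    return rows


if __name__ == "__main__":
    for name, digest in evidence_manifest(EXPORTS).items():
        print(f"{name:9s} sha256={digest}")
    for row in triage(EXPORTS):
        print(row)
```

    The shortener domain ranks medium rather than high on purpose: it is a redirect hop to resolve with the redirect-chain tracer, not itself the exchange of record.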
  • pig butchering — tx decode kit

    6 steps

    drop raw BTC/ETH tx hex exports → decode locally → tx graph → IOC extract → report

    1. evidence-manifest-generator: hash tx hex exports before decoding
    2. bitcoin-tx-decoder: decode legacy + SegWit Bitcoin transactions from raw hex
    3. ethereum-tx-decoder: decode typed + legacy Ethereum transactions from raw hex
    4. crypto-tx-graph: build a transaction graph from decoded address / value hints
    5. ioc-extractor: pull wallet addresses and URLs from accompanying notes
    6. case-report-generator: draft a report linking decoded transactions to victim loss
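    Step 02 of this kit, as an added example that is not one of the page's tools: a from-scratch decoder for raw Bitcoin transaction hex that handles both the legacy and the BIP144 SegWit serialization, classifies each output script by template, and computes txid and wtxid. The two transactions are constructed inline (an unsigned template with an empty scriptSig and a dummy witness), so they are not chain data; fee calculation needs the spent outputs' values, which raw hex does not carry, and is deliberately left out.

```python
# Added example, not one of the page's tools: decode raw bitcoin tx hex
# (legacy and BIP144 segwit serialization) with the standard library only.
import hashlib


def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def read_varint(buf: bytes, pos: int):
    """Bitcoin CompactSize: one byte, or 0xfd/0xfe/0xff prefix + 2/4/8 LE bytes."""
    n = buf[pos]
    if n < 0xfd:
        return n, pos + 1
    width = {0xfd: 2, 0xfe: 4, 0xff: 8}[n]
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "little"), pos + 1 + width


def classify_script(spk: bytes) -> str:
    """Recognise the standard scriptPubKey templates by shape."""
    if len(spk) == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "p2pkh"
    if len(spk) == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "p2sh"
    if len(spk) == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh"
    if len(spk) == 34 and spk[:2] == b"\x00\x20":
        return "p2wsh"
    if len(spk) == 34 and spk[:2] == b"\x51\x20":
        return "p2tr"
    if spk and spk[0] == 0x6a:
        return "op_return"
    return "unknown"


def decode_tx(hexstr: str) -> dict:
    buf = bytes.fromhex(hexstr)
    version = int.from_bytes(buf[0:4], "little")
    pos = 4
    # BIP144 marker (0x00) + flag (0x01). Caveat: a legacy tx with zero inputs
    # serializes the same way, which is why real decoders retry without the flag.
    segwit = buf[pos:pos + 2] == b"\x00\x01"
    if segwit:
        pos += 2
    n_in, pos = read_varint(buf, pos)
    vin = []
    for _ in range(n_in):
        prev = buf[pos:pos + 32][::-1].hex()   # reversed: the RPC/explorer convention
        pos += 32
        idx = int.from_bytes(buf[pos:pos + 4], "little"); pos += 4
        slen, pos = read_varint(buf, pos)
        script_sig = buf[pos:pos + slen].hex(); pos += slen
        seq = int.from_bytes(buf[pos:pos + 4], "little"); pos += 4
        vin.append({"txid": prev, "vout": idx, "script_sig": script_sig, "sequence": seq})
    n_out, pos = read_varint(buf, pos)
    vout = []
    for i in range(n_out):
        value = int.from_bytes(buf[pos:pos + 8], "little"); pos += 8
        slen, pos = read_varint(buf, pos)
        spk = buf[pos:pos + slen]; pos += slen
        vout.append({"n": i, "value_sat": value, "type": classify_script(spk),
                     "script_pubkey": spk.hex()})
    wit_start = pos
    witness = []
    if segwit:
        for _ in range(n_in):           # one witness stack per input
            n_items, pos = read_varint(buf, pos)
            items = []
            for _ in range(n_items):
                ilen, pos = read_varint(buf, pos)
                items.append(buf[pos:pos + ilen].hex()); pos += ilen
            witness.append(items)
    locktime = int.from_bytes(buf[pos:pos + 4], "little"); pos += 4
    if pos != len(buf):
        raise ValueError(f"{len(buf) - pos} trailing bytes after locktime")
    # txid hashes the serialization with marker/flag and witness stripped; wtxid hashes it all.
    core = (buf[0:4] + buf[6:wit_start] + buf[-4:]) if segwit else buf
    return {
        "version": version, "segwit": segwit, "vin": vin, "vout": vout,
        "witness": witness, "locktime": locktime,
        "total_out_sat": sum(o["value_sat"] for o in vout),
        "txid": dsha256(core)[::-1].hex(), "wtxid": dsha256(buf)[::-1].hex(),
    }


# Constructed sample transactions (not real chain data): one input with an empty
# scriptSig (unsigned template), a 1 BTC P2PKH output and a 10 BTC P2WPKH output.
_BODY = "".join([
    "01",                                   # input count
    "000102030405060708090a0b0c0d0e0f"
    "101112131415161718191a1b1c1d1e1f",     # prev txid, internal byte order
    "01000000",                             # prev output index 1
    "00",                                   # scriptSig length 0
    "ffffffff",                             # sequence
    "02",                                   # output count
    "00e1f50500000000",                     # 100_000_000 sat
    "19", "76a914" + "11" * 20 + "88ac",    # P2PKH
    "00ca9a3b00000000",                     # 1_000_000_000 sat
    "16", "0014" + "22" * 20,               # P2WPKH
])
LEGACY_TX = "01000000" + _BODY + "00000000"
# same tx with marker/flag and a dummy two-item witness for the single input
SEGWIT_TX = "01000000" + "0001" + _BODY + "02" + "03010203" + "020405" + "00000000"

if __name__ == "__main__":
    for label, raw in (("legacy", LEGACY_TX), ("segwit", SEGWIT_TX)):
        print(label, decode_tx(raw))
```

    Because the witness is not covered by the txid, the SegWit and legacy samples above decode to the same txid and differ only in wtxid; that is the property that lets a decoded transaction be matched against an exchange's records even when the export stripped the witness.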
// pattern-matched

tools that the manifest-classifier flagged as plausibly useful here but that aren't in the hand-curated lists above. less editorial weight — scan, don't work top-down.
