// case type

sextortion

extortion via real/fake intimate imagery. evidence is the threat channel + payment demand + (often) deepfake or scraped imagery.

tools: 13
priority: H
processing: local · in browser

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this case type.

  1. email header analyzer: paste raw email headers · trace hop-by-hop routing · SPF · DKIM · DMARC · detect spoofing · visualize delivery path · runs locally
  2. ios imessage deletion artifact detector: drop ios sms.db · rowid gaps · join orphans · deleted_messages tombstones · ck_sync_state=2 · two-db guid compare · bulk deletion · runs locally
  3. iOS WhatsApp artifact forensic extractor: drop iOS WhatsApp ChatStorage.sqlite and Contacts.sqlite · parse all chats, messages, groups, and media references · reconstruct conversation timelines with delivery status · surface location shares, contact cards, and deleted message placeholders · runs locally
  4. android whatsapp database forensic analyzer: drop an Android WhatsApp msgstore.db · parse all messages, chats, groups, and media metadata · reconstruct conversation timelines · surface message delivery status, forwarding metadata, location shares, and contact cards · detect deleted message gaps · runs locally
  5. ai generated image provenance analyzer: png tEXt chunk inventory · sd metadata · stripped metadata flag · provenance csv · runs locally
  6. face swap artifact detector: drop an image · jawline color mismatch · compression boundary heuristics · face-region signal table · runs locally
  7. bitcoin transaction decoder: paste raw transaction hex · decode inputs outputs scripts · fees · locktime · segwit · p2pkh p2sh p2wpkh · runs locally
  8. crypto tx graph: paste json csv btc hex · directed graph · hub peel fan patterns · ascii viz · stats · csv json export · runs locally

also useful · secondary tools

supporting and follow-up tools. surface as the investigation widens.

  1. ela image tampering detector: drop a JPEG · error level analysis · detect localized re-compression · flag tampered regions · visualize ELA map · runs locally
  2. prnu fingerprinter: jpeg png sensor noise · residual fingerprint · pearson correlation · heatmap viz · LIKELY DIFFERENT · CSV · runs locally
  3. url redirect chain tracer: paste shortened URLs · trace full redirect chain via proxy · detect malicious redirects · show final destination · flag suspicious hops · runs locally
  4. domain reputation analyzer: paste domains or IPs · score by entropy · TLD risk · homoglyph detection · DGA patterns · punycode abuse · age heuristics · no external lookup · runs locally
  5. case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally

// case-kit pipeline

run as a stack

skip the click-through. these presets are curated forensic pipelines you can save as a stack with one click and run on your evidence locally.

  • sextortion — image + payment IOC kit

    7 steps

    drop threat messages + suspect imagery → provenance + face-swap + stego → extract wallet/url IOCs → triage → report

    1. evidence-manifest-generator: hash messages + images before any analysis
    2. ai-generated-image-provenance-analyzer: determine if imagery is likely AI-generated vs scraped authentic
    3. face-swap-artifact-detector: face-swap is the most common deepfake vector in sextortion cases
    4. image-stego-detector: check for hidden payloads embedded in the imagery itself
    5. ioc-extractor: pull crypto wallets, payment URLs, and contact identifiers from message exports
    6. ioc-bulk-validator: score payment-demand IOCs for escalation priority
    7. case-report-generator: draft a victim-advocate report linking imagery assessment to payment trail
  • sextortion — threat channel kit

    7 steps

    drop threat messages + payment exports → header parse → iMessage deletion artifacts → IOC extract → btc decode → tx graph → report

    1. evidence-manifest-generator: hash threat messages + payment exports before analysis
    2. email-header-analyzer: parse email threat headers when the extortion came via email
    3. ios-imessage-deletion-artifact-detector: detect deleted iMessage threads — victims often delete out of panic
    4. ioc-extractor: pull crypto wallets, payment URLs, and contact handles from message exports
    5. bitcoin-tx-decoder: decode any raw BTC tx hex the victim captured from the payment demand
    6. crypto-tx-graph: build a transaction graph from decoded wallet addresses
    7. case-report-generator: draft a victim-advocate report linking the threat channel to payment infrastructure
// pattern-matched

tools that the manifest-classifier flagged as plausibly useful here but that aren't in the hand-curated lists above. less editorial weight — scan, don't work top-down.

+ 2 more in this pattern match. browse the full forensics catalog via the forensics category.
