// case type
smart home compromise
unauthorized access to camera / lock / voice-assistant. who was added, when, from where; was the cloud account reused.
start here · primary tools
ordered. work top-down. the first tool is the suggested entry point for this case type.
- alexa voice history forensic extractordrop alexa activity json csv or zip export · categorize voice commands · build timeline · infer usage presence windows · csv json export · runs locally
- google home artifact forensic analyzerdrop assistant my activity exports json html or zip · categorize cast speaker routines · device phrase inventory · timeline csv json · runs locally
- homekit accessory forensic analyzerdrop home backup zip or plist files · scenes triggers automation accessories · surface geofence lat lon · plist runs locally · csv json export
- ring camera artifact forensic extractordrop ring exported json csv or zip timelines · ding motion alarm ingest classification · utc hour occupancy heuristic · csv json export · runs locally
- nest camera forensic analyzerdrop nest google takeout json csv zip fragments · postal_code extraction · familiar visitor labels · activity zone inventory · csv json export · runs locally
- smart lock access forensic analyzeraugust/schlage csv · code slot NAMES · unlock→lock sessions · late-night anomalies · attributable keypad access · csv/json export · runs locally
- smart thermostat timeline analyzernest json · ecobee csv · generic mode csv · away/home cues · vacation windows · utc routine bands · corroborative occupancy · csv/json export · runs locally
- smart tv artifact forensic extractorsamsung lg json walks · viewing · apps · search · account linkage cues · heuristic timeline · csv/json export · runs locally
also useful · secondary tools
supporting and follow-up tools. surface as the investigation widens.
- home assistant forensic analyzerhome-assistant recorder sqlite + configuration.yaml · chain context_id across states/events · person/device_tracker presence timeline · automation + call_service timelines · exposes home gps from yaml · csv+json export · runs locally
- zigbee network forensic analyzerzigbee2mqtt logs · devices yaml · MQTT publish excerpts · reconstruct friendly ieee map · heuristic topic inventory · csv+json export · runs locally
- iot firmware forensic extractorphase1 magic signature scan · phase2 streaming ascii strings urls credentials pem-ish · phase3 uimage + squash metadata surface · heuristic · no filesystem mount · csv+json export · runs locally
- case report generatorfill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
run as a stack
skip the click-through. these presets are curated forensic pipelines you can save as a stack with one click and run on your evidence locally.
smart home — access audit
9 stepsdrop Alexa / Google Home / Ring / Nest / lock / HA exports → unified timeline → report
- 01evidence-manifest-generatorhash every smart-home export before parsing
- 02alexa-voice-history-forensic-extractorAlexa voice history + smart-home command log
- 03google-home-artifact-forensic-analyzerGoogle Home / Nest artifact parsing
- 04ring-camera-artifact-forensic-extractorRing camera access + sharing event log
- 05nest-camera-forensic-analyzerNest camera timeline + account sharing events
- 06smart-lock-access-forensic-analyzersmart lock access log — who entered and when
- 07home-assistant-forensic-analyzerHome Assistant log if the victim runs local automation
- 08forensic-timeline-buildermerge all device events into one cross-vendor timeline
- 09case-report-generatordraft a report identifying unauthorized access windows + added accounts