// case type

stalkerware sweep (mobile)

covertly installed monitoring apps on a personal phone. iOS + android are very different surfaces: hidden config profiles + pairing records on iOS, sideloaded APKs + accessibility-abuse on android.

tools: 16 · priority: H · processing: local · in browser

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this case type.

  1. apk analyzer: drop an android apk · permissions · activities · services · manifest · certificates · embedded urls · strings · no disassembly · runs locally
  2. android apk permissions auditor: drop an .apk · parse AndroidManifest.xml · list all declared permissions · flag dangerous permissions · detect unusual API combinations · runs locally
  3. android anonymous messaging app artifact detector: drop Android packages.xml, usage stats, logcat, or filesystem listings · detect anonymous and untraceable messaging applications · surface usage evidence and residual artifacts · identify apps requiring no phone number or identity verification · assess anonymous communication footprint · runs locally
  4. android encrypted vault app artifact detector: drop Android packages.xml, filesystem listing, or usage stats · detect installed or deleted encrypted vault and secret hiding apps · surface vault app usage evidence · identify content types stored in vaults (from metadata) · detect vault apps designed to disguise themselves as other apps · runs locally
  5. android app cloner artifact forensic detector: drop Android packages.xml, filesystem listing, or logcat · detect app cloner framework installations · identify cloned app instances · surface dual-space and multi-account artifacts · detect usage of cloned messaging apps that may contain additional communication accounts · runs locally
  6. ios pairing record forensic analyzer: drop itunes lockdown pairing plist · parse device and host certificates · escrow bag detection · pairing age and trust implications · csv json export · runs locally
  7. ios jailbreak artifact detector: drop manifest db or path list · detect jailbreak indicators cydia sileo substrate · tool identification · removal hints · runs locally
  8. ios lockdown certificate artifact extractor: drop pairing plist der or pem · decode x509 lockdown certs · chain validation · udid and host uuid · pem csv json export · runs locally

also useful · secondary tools

supporting and follow-up tools. surface as the investigation widens.

  1. ios burner app artifact detector: drop iOS backup Manifest.db, ApplicationState.db, knowledgeC.db, or app listings · detect installed and previously deleted burner phone number and anonymous communication apps · surface usage timestamps and residual artifacts from deleted apps · identify ephemeral identity patterns · runs locally
  2. ios encrypted messaging app residue detector: drop iOS backup Manifest.db, knowledgeC.db, Screen Time database, DataUsage.sqlite, and keychain files · detect and quantify encrypted messaging app usage across all artifact sources · reconstruct scope of inaccessible encrypted communications · produce forensic gap assessment · runs locally
  3. mobile device pairing record analyzer: drop ios lockdown pairing plist or android adb key files · parse device pairing credentials · identify which computers have been paired with the device · surface pairing timestamps and certificate details · runs locally
  4. mobile app sandbox artifact analyzer: drop ios app sandbox directory listing or android app data directory listing · identify forensically significant files within app sandboxes · map file types to forensic categories · surface databases caches preferences and logs within each app container · runs locally
  5. android vpn app artifact forensic extractor: drop Android VPN app database files, configuration files, or logcat output · parse VPN connection session logs, server configurations, and account artifacts · surface kill switch, obfuscation, and split tunnel settings · detect VPN usage gaps and anti-forensic patterns · runs locally
  6. android burner app artifact forensic detector: drop Android packages.xml, logcat, usage stats database, or filesystem listing · detect installed and previously deleted burner phone number and anonymous communication apps · surface usage timestamps and residual artifacts from deleted apps · identify patterns of ephemeral identity use · runs locally
  7. ios ipa analyzer: drop an ios ipa · info.plist · entitlements · permissions · url schemes · embedded frameworks · certificate hints · runs locally
  8. case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
// case-kit pipeline

run as a stack

skip the click-through. these presets are curated forensic pipelines you can save as a stack with one click and run on your evidence locally.

  • stalkerware sweep — multi-source correlator

    5 steps

    drop artifact bundles from multiple tools → correlate shared IOCs → draft case report

    1. evidence-manifest-generator: hash every bundle so the source set is reproducible
    2. ioc-deduplicator-normalizer: merge + dedupe IOCs across all artifact bundles
    3. multi-artifact-correlator: surface IOCs that appear in more than one bundle
    4. ioc-bulk-validator-and-triage: triage shared IOCs by severity
    5. case-report-generator: draft a report linking shared indicators to the suspect device
  • stalkerware — sideloaded app triage

    7 steps

    drop suspect APKs + IPAs → manifest / permission / entitlement analysis → correlate shared IOCs → draft sweep report

    1. evidence-manifest-generator: hash every package before disassembly — required if the app is later submitted as an exhibit
    2. apk-analyzer: android sideloads: manifest, dangerous permissions, dex IOC strings, native .so scans
    3. android-permissions-auditor: permission-only pass — dangerous + signature-level APIs declared in manifest
    4. ipa-analyzer: ios sideloads / enterprise IPAs: Info.plist, entitlements, URL schemes, embedded frameworks
    5. ioc-extractor: pull domains, IPs, and URLs from any accompanying notes or export text
    6. multi-artifact-correlator: surface IOCs shared across the APK/IPA set and any prior artifact bundles
    7. case-report-generator: draft a report linking permission risk scores to the surveillance indicators found
// pattern-matched

tools that the manifest-classifier flagged as plausibly useful here but that aren't in the hand-curated lists above. less editorial weight — scan, don't work top-down.
