// anti-vapor

forensics changelog

what shipped, what's next, with dates. no vapor — the work is public. every milestone below runs locally · files never leave your device · don't trust us, verify it.

shipped (8 milestones)

M15 in flight · M2 through M14 shipped — phase β reference investigations and the infrastructure around them. most recent first.

  1. M15 · vendor L/M/N + compare + correlator + stubs

    in flight — vendor-fidelity batches L/M/N, two new compare pairs, cross-correlator secondary-list audit, and quick-start + evidence-library route stubs.

  2. M12 · hub grouping + compare + vendor wave

    six-lane teaser grouping on the forensics hub, compare pages, vendor-fidelity batches E/F/G, methodology inline anchors, homepage tiles, and program cross-links.

  3. M11 · coverage + neighbors + CI

    coverage map off the homepage wall, neighbor tools on forensic tool pages, check:flagship in CI, and vendor-fidelity audit expansion.

    • /forensics/coverage — six lanes · 49 vertical hubs · flagship case-type entry points
    • neighbor tools panel on every forensics tool page — 2–3 same-case-type primaries
    • CI job runs npm run check:flagship on every push/PR
    • vendor-fidelity.audit.json batch D — backup/DR · NGFW · IGA · HR/payroll/equity/mobility
    • primary-tool inline links on all 35 case-type methodology guides (under lede · before evidence sections)

  4. M6 · cross-links

    the forensics surface is wired together — proof index, methodology→proof links, home teasers, and a shared trust footer on every guide.

    • /forensics/proof index — 36 reference investigations in one place
    • methodology articles link to their proof pages and fixture downloads
    • home page teasers surface flagship and scenario proofs
    • MethodologyTrustFooter on every /forensics/methodology/* route via shared layout
    • case-type playbook pages link to matching proof routes via proof-routes manifest

  5. M5 · binders + proofs

    reference investigations you can replay locally — custom case-binder renderers for all five flagships, trust panel Phase β, and a proof page for every fixture scenario.

    • custom case-binder renderers for ransomware · bec · stalkerware-sweep · cloud-account-compromise · pig-butchering
    • trust panel Phase β — PerformanceObserver verification log on every /forensics/* route · open devtools, watch the network tab
    • 36 proof routes + index — published goldens · downloadable fixture packs · local binder exports
    • fixture download API at /api/forensics/fixtures/<slug>/evidence
    • npm run check:flagship — 280/280 goldens passing

  6. M4 · 33 methodology guides

    case-type investigation guides — evidence preservation order, tool paths, honest limits, and fixture references. plus five flagship guides from M2.

    • 38 total guides — 33 case-type articles + 5 flagship playbooks
    • methodology index — grouped flagship + case-type guides with fixture slug links
    • each guide covers preserve → triage → analyze → correlate → report
    • safety and crisis-resource notes where the case type demands it (cyberstalking · sextortion · mobile-triage)

  7. M3 · 36 fixture packs

    synthetic reference evidence for every case type — downloadable packs, deterministic goldens, no upload required.

    • 36 fixture scenarios across 33 case types — ato through election-integrity
    • fixture download API — drop a pack into any primary tool and replay the investigation locally
    • npm run check:flagship goldens for every scenario — engines prove what they claim on known inputs
    • includes sarah-android companion fixture for stalkerware-sweep iOS proof

  8. M2 · 5 flagships

    full reference investigations — methodology article, proof page, published goldens, and custom case-binder export for each.

coming

in flight or queued — picked from the hit list when no flagship dispatch is open.

  • vendor fidelity audits (post-M15). continued vendor-fidelity.audit.json after batches L/M/N — ~546 / ~3,963 forensic tools toward full fleet coverage. rebuild priority follows flagship → launch-tier → curated kit order.
  • template rebuilds. vendor-native parsers for launch-tier primaries flagged template-misfit in audit JSON — coordinated rebuilds after audit coverage, not before.
  • /forensics/compare expansion. additional curated pairs beyond the M15 target of 10 — evidence overlap matrices · confused-case-type guidance · links from methodology and case-type pages.
  • /forensics/quick-start expansion. first-10-minutes sheets for remaining case types beyond the ato + ransomware-response stubs shipping in M15 — 35/35 methodology guides already inline-linked.
  • /forensics/evidence-library. full fixture browse index beyond the M15 landing stub — filter by case type · evidence class · download links into all 36 proof scenarios.