IPV tech vs stalkerware
subject reports their phone or computer is being monitored. case A is ipv-tech: the suspected actor is a current or former intimate partner, and the path centers safety planning, shared-account audit, paired-device review, and an advocate-aware handoff before any artifact-pull. case B is stalkerware-sweep: actor is unknown or non-intimate, and the path centers covert monitoring app detection on the device itself — accessibility/location/screen-capture permissions, sideload artifacts, iOS config profiles. wrong call sends someone to an artifact dump when they need a safety plan first — or routes a generic surveillance-app finding through advocate workflows that aren't needed.
primary tools · side by side
ordered entry points from the case-type taxonomy. highlighted rows appear in both case types' editorial tool lists.
intimate partner violence — tech trail
for DV advocates: documenting tech-based abuse — shared accounts, tracking, covert recording, social-media impersonation. evidence has to hold up for protective orders.
- 01 · ios location history: drop ios location sqlite databases · zrtvisit zannotation learned poi · apple absolute time · timeline · movement ascii · export csv · runs locally
- 02 · ios location history deep reconstructor: drop ios backup databases · correlate significant locations · routined · coreduet · cache.sqlite · motion data · reconstruct complete movement history from all available ios location sources · runs locally
- 03 · android gps location history forensic extractor: drop Android location databases, GNSS logs, fused location provider artifacts, or app location exports · parse GPS coordinates, timestamps, accuracy, altitude, speed, and provider metadata · reconstruct a chronological movement trail · flag high-confidence GPS fixes and suspicious location gaps · runs locally
- 04 · android google timeline artifact forensic extractor: drop Google Timeline JSON, Takeout location history files, semantic location history exports, or Maps activity artifacts · parse places, visits, activity segments, coordinates, confidence values, and edit metadata · reconstruct Google-derived movement history · runs locally
- 05 · bluetooth pairing history forensic extractor: drop iOS bluetooth plist · android bt_config.conf · logcat · CoD decode · pairing timeline · OUI lookup · runs locally
- 06 · wifi connection history forensic extractor: drop iOS wifi plist · android WifiConfigStore · wpa_supplicant · SSID BSSID history · password artifacts · runs locally
- 07 · ios significant locations forensic extractor: drop routined Cache.sqlite · parse significant places visits · home work inference · visit timeline · runs locally
- 08 · ios frequent locations artifact analyzer: drop routined cache · location clusters stay-points · commute patterns · anomaly detection · runs locally
stalkerware sweep (mobile)
covertly installed monitoring apps on a personal phone. iOS + android are very different surfaces: hidden config profiles + pairing records on iOS, sideloaded APKs + accessibility-abuse on android.
- 01 · apk analyzer: drop an android apk · permissions · activities · services · manifest · certificates · embedded urls · strings · no disassembly · runs locally
- 02 · android apk permissions auditor: drop an .apk · parse AndroidManifest.xml · list all declared permissions · flag dangerous permissions · detect unusual API combinations · runs locally
- 03 · android anonymous messaging app artifact detector: drop Android packages.xml, usage stats, logcat, or filesystem listings · detect anonymous and untraceable messaging applications · surface usage evidence and residual artifacts · identify apps requiring no phone number or identity verification · assess anonymous communication footprint · runs locally
- 04 · android encrypted vault app artifact detector: drop Android packages.xml, filesystem listing, or usage stats · detect installed or deleted encrypted vault and secret hiding apps · surface vault app usage evidence · identify content types stored in vaults (from metadata) · detect vault apps designed to disguise themselves as other apps · runs locally
- 05 · android app cloner artifact forensic detector: drop Android packages.xml, filesystem listing, or logcat · detect app cloner framework installations · identify cloned app instances · surface dual-space and multi-account artifacts · detect usage of cloned messaging apps that may contain additional communication accounts · runs locally
- 06 · ios pairing record forensic analyzer: drop itunes lockdown pairing plist · parse device and host certificates · escrow bag detection · pairing age and trust implications · csv json export · runs locally
- 07 · ios jailbreak artifact detector: drop manifest db or path list · detect jailbreak indicators cydia sileo substrate · tool identification · removal hints · runs locally
- 08 · ios lockdown certificate artifact extractor: drop pairing plist der or pem · decode x509 lockdown certs · chain validation · udid and host uuid · pem csv json export · runs locally
editorial overlap
lean toward…
disambiguation signals derived from case-type descriptions and common practitioner confusion points.
lean toward IPV tech if you see…
- current or former intimate partner named as the suspected monitoring source
- shared apple-ID, family-sharing, find-my, or google-account linkage still in place at intake
- paired-device or smart-home access (apple watch, alexa, ring) that survives the breakup or separation
- subject indicates physical-safety risk if the suspected actor learns about the forensic review
lean toward stalkerware if you see…
- actor unknown, employer, or non-intimate — no partner-relationship safety variable in intake
- covert app with accessibility / location / screen-capture permissions surfaced on-device
- iOS supervised configuration profile, lockdown pairing record, or unknown MDM enrollment artifact
- sideloaded android APK without play-store signature trail — sweep can proceed without advocate handoff first