// artifact family
misc gaps
30 browser-only forensics tools in this catalog group — browse by artifact family when you know the kind of evidence you are working with, not the investigation pattern.
tools in this family
ordered as in the forensics catalog. every tool runs locally — no upload, no account.
- lawful intercept pcap handover format parserdrop etsi ts 102 232 handover pcap · parse iri + cc records · runs locally
- stalker ware android presence detectordrop android app inventory + permissions · detect known stalkerware fingerprints · runs locally
- stalker ware ios presence detectordrop ios installed-app list + profile config · detect known stalkerware mdm patterns · runs locally
- device attestation mismatch detectordrop play integrity + ios devicecheck attestations · detect mismatch with claimed device identity · runs locally
- deeplink handler hijack detectordrop ios/android installed app list + url handlers · detect malicious deeplink takeover · runs locally
- app clip instant app artifact extractordrop ios app clip / android instant app cache · parse usage artifacts · runs locally
- android work profile vs personal correlation detectordrop android with work profile · detect crossings between profiles · runs locally
- ios screen time family sharing correlation detectordrop family sharing screen time export · attribute usage per family member · runs locally
- mdm jamf event forensic analyzerdrop jamf mdm event log · parse device + command + user events · runs locally
- mdm intune event forensic analyzerdrop microsoft intune event log · parse device + compliance + app deploy events · runs locally
- mdm workspaceone event forensic analyzerdrop workspace one event log · parse device events · runs locally
- mdm kandji event forensic analyzerdrop kandji event log · runs locally
- xprotect yara rule history forensic analyzerdrop macos xprotect.yara · parse rules added over time · runs locally
- macos system extension load history forensic analyzerdrop kext / sysex load history · parse loaded extensions + signers · runs locally
- macos tcc prompt history forensic analyzerdrop tcc tcc.db history · parse permission prompts + decisions · runs locally
- windows cdp cross device activity history forensic analyzerdrop windows cdp activitiescache.db · parse cross-device activities · runs locally
- android digital wellbeing usage stats forensic extractordrop digital wellbeing usage stats db · parse per-app usage stats · runs locally
- ios screen time knowledge c correlatordrop ios screen time db + knowledgec.db · correlate app usage + foreground events · runs locally
- router firmware config backup forensic analyzerdrop home router config backup (asus / netgear / tp-link / ubiquiti) · parse settings + pppoe credentials · runs locally
- router syslog forensic analyzerdrop home/business router syslog export · parse wan + lan + wireless events · runs locally
- pi hole query log forensic analyzerdrop pi-hole pihole.db · parse blocked + allowed dns queries per client · runs locally
- adguard home query log forensic analyzerdrop adguard home query log · parse per-client dns activity · runs locally
- tailscale acl and event log forensic analyzerdrop tailscale admin event log + acl · parse node + connection events · runs locally
- headscale event log forensic analyzerdrop headscale event log · parse node + key events · runs locally
- wireguard handshake pcap forensic analyzerdrop pcap with wireguard handshakes · parse handshake initiation + peer presence · runs locally
- openvpn server log forensic deep analyzerdrop openvpn server log + status file · parse client connect + bytes + cipher · runs locally
- mullvad vpn client log forensic analyzerdrop mullvad client log · parse connect + disconnect + tunnel state · runs locally
- proton vpn client log forensic analyzerdrop proton vpn client log · parse connect + tunnel state · runs locally
- nordvpn client log forensic analyzerdrop nordvpn client log · runs locally
- expressvpn client log forensic analyzerdrop expressvpn client log · runs locally