// evidence type
jwt / oauth token artifact
bearer jwt from logs · browser storage export · k8s secret yaml. decode claims, timeline exp/iat, test algorithm confusion — common in api and cloud ATO.
start here · primary tools
ordered. work top-down. the first tool is the suggested entry point for this evidence type.
- jwt attack surface analyzer: alg none · rs256→hs256 confusion · weak algorithms · claims analysis · jku kid risks · runs locally
- jwt timeline viewer: paste one or more JWTs · decode header and payload · visualize iat · exp · nbf on timeline · detect expired, forged or overlapping tokens · runs locally
- jwt bruteforcer: paste jwt + wordlist · webcrypto hmac-sha256 verify · batched attempts · progress rate · investigative use warning · runs locally
- localstorage / sessionstorage parser: paste or drop a browser storage JSON export · parse keys · values · detect auth tokens · JWTs · PII · runs locally
- kubernetes secrets decoder: paste secret yaml or json · decode base64 · credential hints · redact toggle · runs locally · keys stay in browser
- credential artifact scanner: drop a memory dump · scan for plaintext credentials · NTLM hashes · OAuth tokens · API keys · session cookies · Base64 secrets · export CSV · runs locally
- token privilege abuse and manipulation detector: drop security evtx csv · detect token privilege abuse for privilege escalation or anti-forensic purposes · identify sebackupprivilege and serestoreprivilege abuse accessing restricted files · surface token manipulation events · runs locally
- github audit log analyzer: drop github enterprise audit log json or csv export · parse repository and organization events · surface suspicious access patterns, force pushes, secret scanning alerts and member changes · reconstruct git activity timeline · runs locally
also useful · secondary tools
supporting and follow-up tools. surface as the investigation widens.
- github audit log parser: json or jsonl audit export · action, actor, org, repo · repo, org, hook, oauth, protected branch, secret scanning · suspicious flags · export csv · runs locally
- okta log analyzer: okta system log json · timeline · suspicious · mfa fatigue · tor/proxy · users · ips · policy · csv export · runs locally
- case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally