// evidence type

mobile app package (apk / ipa)

sideloaded apk · enterprise ipa · app store backup extract. permissions, embedded urls, clone artifacts — stalkerware and fraud app triage.

tools: 11
priority: M
processing: local · in browser

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this evidence type.

  1. apk analyzer: drop an android apk · permissions · activities · services · manifest · certificates · embedded urls · strings · no disassembly · runs locally
  2. ios ipa analyzer: drop an ios ipa · info.plist · entitlements · permissions · url schemes · embedded frameworks · certificate hints · runs locally
  3. android apk permissions auditor: drop an .apk · parse AndroidManifest.xml · list all declared permissions · flag dangerous permissions · detect unusual API combinations · runs locally
  4. android app cloner artifact forensic detector: drop Android packages.xml, filesystem listing, or logcat · detect app cloner framework installations · identify cloned app instances · surface dual-space and multi-account artifacts · detect usage of cloned messaging apps that may contain additional communication accounts · runs locally
  5. android encrypted vault app artifact detector: drop Android packages.xml, filesystem listing, or usage stats · detect installed or deleted encrypted vault and secret hiding apps · surface vault app usage evidence · identify content types stored in vaults (from metadata) · detect vault apps designed to disguise themselves as other apps · runs locally
  6. android anonymous messaging app artifact detector: drop Android packages.xml, usage stats, logcat, or filesystem listings · detect anonymous and untraceable messaging applications · surface usage evidence and residual artifacts · identify apps requiring no phone number or identity verification · assess anonymous communication footprint · runs locally
  7. android vpn app artifact forensic extractor: drop Android VPN app database files, configuration files, or logcat output · parse VPN connection session logs, server configurations, and account artifacts · surface kill switch, obfuscation, and split tunnel settings · detect VPN usage gaps and anti-forensic patterns · runs locally
  8. android burner app artifact forensic detector: drop Android packages.xml, logcat, usage stats database, or filesystem listing · detect installed and previously deleted burner phone number and anonymous communication apps · surface usage timestamps and residual artifacts from deleted apps · identify patterns of ephemeral identity use · runs locally

also useful · secondary tools

supporting and follow-up tools. surface as the investigation widens.

  1. ios burner app artifact detector: drop iOS backup Manifest.db, ApplicationState.db, knowledgeC.db, or app listings · detect installed and previously deleted burner phone number and anonymous communication apps · surface usage timestamps and residual artifacts from deleted apps · identify ephemeral identity patterns · runs locally
  2. ios encrypted messaging app residue detector: drop iOS backup Manifest.db, knowledgeC.db, Screen Time database, DataUsage.sqlite, and keychain files · detect and quantify encrypted messaging app usage across all artifact sources · reconstruct scope of inaccessible encrypted communications · produce forensic gap assessment · runs locally
  3. case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally