examiner workflow
fatcousin is not collection-stage chain-of-custody software. it does ship a hash-anchored analysis-phase session custody log: SHA-256 on inputs and outputs, append-only custody events, .fc-case export with manifest.sha256, optional Ed25519 signing, examiner declaration draft, and interop exports. designed to support examiner testimony and counsel review — requires upstream acquisition, independent verification, and qualified legal advice.
analysis-phase lifecycle
fatcousin sits after validated acquisition — on the examiner workstation, before counsel receives export artifacts. this page owns who does what; standard-by-standard mapping lives on /forensics/standards.
1. upstream acquisition (FTK / Cellebrite / AXIOM / lab SOP)
2. artifacts on examiner workstation
3. fatcousin triage (tools + stacks, local only)
4. case session (custody log captures runs)
5. export package (.fc-case + exhibit + repro + declaration draft)
6. interop (AXIOM CSV / STIX / MISP / Autopsy) OR handoff to counsel
7. counsel / opposing expert verifies (import .fc-case + hash check + optional golden replay)
roles
| role | primary responsibility | key artifacts |
|---|---|---|
| examiner | validates upstream acquisition, runs local triage tools, attaches runs to a case session, exports the package and interop formats, drafts declaration language for counsel review | .fc-case archive (lead file), exhibit html, reproducibility report, declaration .txt, optional STIX/MISP/AXIOM/Autopsy exports |
| counsel | reviews exported session artifacts, adapts declaration draft, decides what to file or disclose, coordinates authentication arguments with qualified legal advice | hash-checked .fc-case, declaration draft, methodology references, scope and standards pages for honest limits |
| opposing expert | independently verifies manifest sidecar, optional Ed25519 signatures, custody log events, and tool engine behavior via golden replay where applicable | imported .fc-case at /forensics/sessions, manifest.sha256 sidecar, reproducibility receipts, proof scenarios for engine verification |
per-step · what fatcousin does and does not
1 · upstream acquisition
fatcousin does
- documents that analysis assumes artifacts were collected under your lab's validated workflow
- accepts exports, disk images, logs, and mobile extractions you already possess
fatcousin does not
- write-block imaging, live-device acquisition, or sealed-bag custody at collection
- replace FTK, Cellebrite, AXIOM, EnCase, or Magnet as vendor-of-record platforms
2 · artifacts on examiner workstation
fatcousin does
- process files entirely in the browser — nothing is uploaded to the operator
- compute SHA-256 digests on inputs and outputs before logging to a session
fatcousin does not
- store evidence on fatcousin servers or retain copies after the tab closes
- assert that pre-session local files were tamper-evident before import
3 · fatcousin triage
fatcousin does
- run 4,000+ local parsers, stack pipelines, and case-type playbooks from /forensics/methodology
- attach each run to a session with tool slug, semver, build SHA, and reproducibility receipt
fatcousin does not
- correlate at enterprise SIEM scale or maintain 90-day centralized retention
- name operators, predict court outcomes, or provide legal advice
4 · case session · analysis-phase custody log
fatcousin does
- append-only custody events (twelve kinds) — corrections are new events, not in-place edits
- capture session-created, run-added, export, import, note, and signing events locally
- optional Ed25519 signing over custody log payload + manifest bytes at export
fatcousin does not
- link events with prev-hash — this is not a blockchain-style hash chain
- guarantee WORM storage while the session is still open in mutable localStorage
5 · export package · four separate downloads
fatcousin does
- download .fc-case (zip: manifest.json, manifest.sha256, custody log, optional signature.json, README.md)
- download exhibit html, reproducibility report, and examiner declaration draft (.txt)
- lead counsel verification with the .fc-case — hash-check manifest.sha256 first
fatcousin does not
- bundle all four artifacts into one zip — they are sequential separate downloads
- ship a filed affidavit — the declaration is a draft for counsel to adapt
6 · interop or counsel handoff
fatcousin does
- emit AXIOM CSV, STIX 2.1, MISP event JSON, universal findings CSV, and Autopsy ingest module from the same session
- anchor interop exports to custody-log SHA-256 for traceability back to the source session
fatcousin does not
- assert that STIX/MISP observables are active blocking intel — MISP attributes ship with to_ids: false
- substitute interop files for the .fc-case when integrity verification is required
7 · counsel / opposing expert verification
fatcousin does
- import .fc-case at /forensics/sessions to verify manifest.sha256 sidecar and optional signatures
- replay proof scenarios at /forensics/proof to validate engine behavior against committed goldens
- cite session exports using templates at /forensics/cite
fatcousin does not
- require trusting the website UI alone — verification steps are documented at /forensics/verify
- claim court compliance, admissibility, or certification — those are per case, judge, and jurisdiction
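
an independent check of the manifest sidecar outside the website UI, as an added example (not fatcousin's own code). it assumes manifest.sha256 holds the hex SHA-256 of manifest.json, bare or in sha256sum style; the page does not specify the sidecar format, so confirm it at /forensics/verify. the sample archives are constructed in memory.

```python
import hashlib
import hmac
import io
import zipfile

# Assumed layout (not confirmed by the page): manifest.sha256 holds the hex
# SHA-256 of manifest.json, either bare or as "<hex>  <name>" (sha256sum style).
MANIFEST = "manifest.json"
SIDECAR = "manifest.sha256"

def verify_manifest_sidecar(archive_bytes: bytes) -> dict:
    """Recompute SHA-256 of manifest.json and compare it to the sidecar."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = [info.filename for info in zf.infolist()]
        # Duplicate member names let two tools read two different manifests.
        duplicates = sorted({n for n in names if names.count(n) > 1})
        if duplicates:
            return {"ok": False, "reason": "duplicate members", "detail": duplicates}
        missing = [n for n in (MANIFEST, SIDECAR) if n not in names]
        if missing:
            return {"ok": False, "reason": "missing members", "detail": missing}
        manifest_bytes = zf.read(MANIFEST)
        sidecar_text = zf.read(SIDECAR).decode("ascii", errors="replace")

    tokens = sidecar_text.split()
    recorded = tokens[0].lower() if tokens else ""
    if len(recorded) != 64 or any(c not in "0123456789abcdef" for c in recorded):
        return {"ok": False, "reason": "malformed sidecar", "detail": recorded}
    computed = hashlib.sha256(manifest_bytes).hexdigest()
    ok = hmac.compare_digest(computed, recorded)
    return {"ok": ok, "reason": "match" if ok else "digest mismatch",
            "detail": computed}

def build_sample(manifest: bytes, sidecar_for: bytes) -> bytes:
    """Constructed sample archive; a real .fc-case has more members."""
    buf = io.BytesIO()
    digest = hashlib.sha256(sidecar_for).hexdigest()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, manifest)
        zf.writestr(SIDECAR, digest + "  manifest.json\n")
    return buf.getvalue()

if __name__ == "__main__":
    original = b'{"case": "constructed-sample", "runs": []}'
    altered = b'{"case": "constructed-sample", "runs": [1]}'
    print(verify_manifest_sidecar(build_sample(original, original)))
    print(verify_manifest_sidecar(build_sample(altered, original)))
```

a matching sidecar only shows that manifest.json and manifest.sha256 agree with each other inside this archive; compare the computed digest against the value recorded outside the archive (declaration draft, handoff record) as well.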
related surfaces
follow case-type evidence order and tool paths in the methodology playbooks. replay committed fixture investigations at /forensics/proof. verify an exported session at /forensics/verify. cite tools, sessions, and interop bundles at /forensics/cite. honest capability boundaries: scope · record-h.