// industry vertical

ransomware / leak site forensics

negotiation chat logs · victim portals · double-extortion leak posts · onion service metadata · ransom note clustering · staging timeline correlation · affiliate rebrand detection · payment channel traces · Tor callbacks · exfil manifests.

tools · 12
priority · H
processing · local · in browser

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this vertical.

  1. ransomware negotiation chat log forensic analyzer · drop negotiation chat export · parse actor aliases + demands + deadline shifts · runs locally
  2. double extortion leak site post forensic analyzer · drop leak site post html/json export · parse victim name + file tree + countdown · runs locally
  3. ransomware initial access staging timeline correlator · drop edr + portal + note exports · correlate staging → encryption timeline · runs locally
  4. ransomware data exfil manifest forensic analyzer · drop exfil manifest csv/json · parse file counts + paths + upload batch timeline · runs locally
  5. case report generator · fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally

also useful · secondary tools

cross-cutting tools that surface depending on the specific investigation.

  1. ransomware victim portal access log forensic analyzer · drop victim portal access log · parse login tokens + download attempts + ip hints · runs locally
  2. leak site onion service metadata forensic extractor · drop onion service descriptor export · parse v3 address + intro points + cert hints · runs locally
  3. ransom note variant cluster forensic analyzer · drop ransom note text corpus · cluster variants + language + btc address reuse · runs locally
  4. ransomware group affiliate switch detector · drop negotiation + leak post exports · detect rebrand/affiliate handoff patterns · runs locally
  5. ransomware payment channel trace forensic analyzer · drop payment instructions export · parse btc/xmr/onion callback + amount drift · runs locally
  6. ransomware tor callback artifact forensic extractor · drop tor hidden service callback log · parse session ids + user-agent + timing · runs locally
  7. evidence manifest generator · drop evidence files · compute md5 sha1 sha256 · chain of custody manifest · case number · analyst · export pdf and csv · runs locally

want deeper ransomware coverage?

this vertical is intentionally sparse — deep-moat coverage grows over time. tracked in the forensics rollout.