methodology index
35 case-type investigation guides — evidence preservation order, recommended tool paths, honest limits, and synthetic reference fixtures. each guide links to a fixture pack you can download and replay locally.
flagship guides (5)
full reference investigations with proof pages, published goldens, and case-binder exports.
- ransomware response
encryption onset → lateral movement → exfil → ransom note. the first 48 hours are about scoping, finding patient-zero, and preserving evidence before the actor wipes logs.
fixture: ransomware-acme-corp proof → inline tool links
- business email compromise (BEC)
vendor impersonation · payroll redirect · wire fraud · spoofed reply chains. evidence is almost always email headers, mailbox rules, and login telemetry.
fixture: bec-sterling proof → inline tool links
- stalkerware sweep (mobile)
covertly installed monitoring apps on a personal phone. iOS + Android are very different surfaces: hidden config profiles + pairing records on iOS, sideloaded APKs + accessibility-abuse on Android.
fixtures: sarah-android (proof) · sarah-ios (proof) → inline tool links
- cloud account compromise (M365 / Workspace)
tenant-level intrusion — OAuth grants, app consent abuse, mailbox rule planting, Exchange transport rule tampering.
fixture: hartmann-cloud-compromise proof → inline tool links
- pig butchering / long-con investment scam
weeks-to-months of chat grooming → fake crypto exchange → drained wallet. evidence spans messaging apps, crypto wallets, and screenshots.
fixture: miranda-pig-butchering proof → inline tool links
case-type guides (30)
M3 case types — methodology articles with synthetic fixture packs and npm run check:flagship goldens. sorted alphabetically.
- account takeover (ATO)
credential stuffing → SIM swap → password reset chain → exfil. evidence lives in identity-provider logs, mailbox rules, and session artifacts.
fixture: meridian-ato proof → inline tool links
- AI-generated content dispute
is this image / text / code AI-generated? content-provenance, model fingerprinting, prompt-history reconstruction.
fixture: chen-ai-content-dispute proof → inline tool links
- API key leak / repo compromise
leaked credential in git history → cloud abuse window → cost-spike + lateral movement. correlate VCS + CSP audit logs.
fixture: novak-api-key-leak proof → inline tool links
- crypto theft / wallet drain
approve-for-all phishing, sweeper bots, malicious dapps, drained hot wallets. evidence is a tx graph + the malicious contract bytecode + browser history.
fixture: voss-wallet-drain proof → inline tool links
- cryptojacking
unauthorized miner on endpoint / cloud workload — CPU/GPU baseline drift + persistence + outbound pool traffic.
fixture: vega-cryptojacking proof → inline tool links
- cyberstalking
broader than the stalkerware-app case: social-graph harassment, doxing, multi-account impersonation, location-leak surfaces.
fixture: ellis-cyberstalking proof → inline tool links
- DDoS investigation
post-event scoping of a volumetric / app-layer attack. evidence is pcap, flow, edge logs, and the botnet fingerprint.
fixture: ashford-ddos-investigation proof → inline tool links
- deepfake investigation (video / audio / image)
face-swap, voice-clone, identity-impersonation. PRNU + GAN fingerprint + ELA + lip-sync + audio splice.
fixture: arias-deepfake-investigation proof → inline tool links
- disgruntled employee exit
last-day endpoint snapshot: deletions, USB attach, cloud sync bursts, sabotage indicators (scheduled tasks, hidden accounts).
fixture: park-disgruntled-exit proof → inline tool links
- document forgery / disputed authenticity
is this PDF / docx genuine? revision history, metadata genealogy, ghost text, embedded objects, signature chains.
fixture: thorne-document-forgery proof → inline tool links
- election integrity investigation
voter-roll tampering, e-pollbook artifacts, ballot-image chain of custody, election-night messaging spoofing, foreign-influence pattern surfacing.
fixture: grant-election-integrity proof → inline tool links
- equity grant / cap table investigation
Carta · Shareworks · Pulley cap-table exports. unauthorized grant changes · 409A manipulation · vesting backdates · exercise-to-payroll correlation.
fixture: quinn-equity-grant-audit proof → inline tool links
- global mobility / relocation audit
Topia · Cartus · Graebel assignment exports. unauthorized assignment changes · tax equalization abuse · relocation cost inflation · payroll reimbursement cross-check.
fixture: lyons-global-mobility-audit proof → inline tool links
- healthcare data breach
PHI exposure, EHR audit gap, DICOM exfil, HIPAA notification scoping. very specific evidence demands.
fixture: fischer-healthcare-breach proof → inline tool links
- HR platform audit / HCM integrity
Workday · SAP SuccessFactors · Oracle HCM · BambooHR audit exports. unauthorized record changes · provisioning lag · headcount drift · cross-system timeline reconstruction.
fixture: vance-hr-platform-audit proof → inline tool links
- insider threat / data exfiltration
departing employee, IP theft, USB exfil, cloud-share leak. evidence patterns: access-anomaly + peer-comparison + after-hours activity.
fixture: kline-insider-exfil proof → inline tool links
- intimate partner violence — tech trail
for DV advocates: documenting tech-based abuse — shared accounts, tracking, covert recording, social-media impersonation. evidence has to hold up for protective orders.
fixture: brooks-ipv-tech proof → inline tool links
- invoice fraud / vendor account change
fraudulent invoice + bank-detail-change request. tightly coupled to BEC but specifically about the paid-invoice artifact and approval chain.
fixture: cole-invoice-fraud proof → inline tool links
- lost or stolen device
post-recovery triage: what did the finder do, what was accessed, was the device wiped or imaged.
fixture: walsh-lost-stolen-device proof → inline tool links
- mobile device triage (consent-based)
consensual scan of a phone for the basics — apps, messages, location, recent activity. for small-org IT, lawyers, or DV advocates.
fixture: rivera-mobile-triage proof → inline tool links
- payroll fraud / ghost employee
unauthorized direct deposit changes · ghost employees · overtime inflation · payroll adjustment after termination. evidence is ADP/Workday/UKG payroll audit exports + HCM headcount cross-checks.
fixture: brennan-payroll-fraud proof → inline tool links
- phishing campaign investigation
scope a campaign across a victim org — IOC extraction, kit fingerprinting, infrastructure pivoting.
fixture: northwind-phishing-campaign proof → inline tool links
- romance scam
dating-app introduction → emotional manipulation → money request. evidence is profile screenshots, message archives, payment trails.
fixture: foster-romance-scam proof → inline tool links
- sextortion
extortion via real/fake intimate imagery. evidence is the threat channel + payment demand + (often) deepfake or scraped imagery.
fixture: hayes-sextortion proof → inline tool links
- smart home compromise
unauthorized access to camera / lock / voice-assistant. who was added, when, from where; was the cloud account reused.
fixture: reed-smart-home-compromise proof → inline tool links
- supply chain compromise
package compromise, build-system intrusion, signed-update poisoning. needs SBOM + dependency + build artifact analysis.
fixture: helix-supply-chain-compromise proof → inline tool links
- tech support scam
pop-up → call center → remote-access install → gift-card / wire payout. evidence is RDP / RMM tooling and the call recording / payment.
fixture: grayson-tech-support-scam proof → inline tool links
- trade secret / IP theft
exiting employee took the source/customer list/CAD. preserve USB attach times, cloud-sync, print, and email-out evidence.
fixture: hughes-trade-secret-theft proof → inline tool links
- whistleblower / retaliation investigation
ethics hotline report followed by adverse employment action. evidence spans Navex/EthicsPoint/Allvoices exports + HCM termination/promotion logs + HRSD case files.
fixture: morgan-whistleblower-retaliation proof → inline tool links
- workplace harassment / hostile workplace
HR-grade preservation of Slack/Teams/email evidence with chain-of-custody, redactions, and timeline rebuilds.
fixture: parker-workplace-harassment proof → inline tool links