cyberstalking — methodology
cyberstalking is not a mean comment thread and it is not the same case type as a stalkerware-app sweep. it is sustained, multi-platform harassment: burner accounts, dox drafts in ChatGPT and Claude, forum impersonation, stylometric matches, location knowledge pulled from the victim's own timeline or iOS Routined clusters, and lookalike domains like m1crosoft-login.tk pointing at credential traps. the actor wants fear and control, not malware persistence on the phone — though the two can overlap. your job is to correlate identities across platforms, preserve what platforms delete on report, and package evidence without tipping the stalker that you are building a case. victim safety comes before attribution.
safety and preservation — before any of the path
cyberstalking cases often sit inside domestic violence, workplace retaliation, or post-breakup escalation. if you are supporting someone being targeted, start with safety planning and advocate intake — not OSINT scraping. this guide documents evidence preservation only; it is not counseling, advocacy, or legal advice. US crisis lines: 988 (suicide & crisis lifeline) · 1-800-799-7233 (national DV hotline). this case type is broader than stalkerware-app triage: the threat may live entirely off-device in burner accounts, AI chat sessions, and third-party platforms.
- is the victim physically safe right now? online harassment can precede in-person contact — treat location leaks as safety data, not puzzle pieces.
- will exporting AI chat logs, requesting platform data, or screenshotting posts notify the stalker? shared devices, shared Apple/Google accounts, and "login alert" emails can tip them off.
- does the victim want a forensic record, a platform takedown, police involvement, or all three? each path has different risk — an advocate should help choose order, not a well-meaning friend with a CSV tool.
- preserve without confronting. do not message the stalker, do not post "we know it's you," do not threaten legal action until safety planning says it is safe. confrontation often accelerates doxing.
- document consent if you are not the victim — verbal permission is not enough for advocates and counsel. note who pulled what export, when, and from which account.
- work on a workstation and accounts the stalker does not control. if the victim must keep using a compromised Google or iCloud login, assume timeline edits and login history are visible to the abuser.
- if the victim needs to disappear from the stalker's view: safety reset (new accounts, new number) may be correct even when it destroys some evidence. respect that call.
what evidence exists and how fast it dies
| artifact | volatility | time to loss |
|---|---|---|
| live harassment posts / DMs | volatile on platform | minutes after report-or-delete · archive immediately |
| ChatGPT / Claude conversation exports | persistent if exported | account ban or vendor retention expiry · export while session exists |
| reddit / forum CSV exports (mod or user) | persistent if saved | mod removal + account suspension · grab post IDs and permalinks first |
| OSINT scrape dumps (handles, emails, IPs) | mixed | profiles go private · WHOIS privacy hides registration |
| stalker activity logs (user/host/IP) | persistent if collected | host logs rotate in days · preserve CSV before CDN purge |
| writing samples (victim vs harasser vs anonymous posts) | persistent on disk | lost if victim deletes drafts or platform removes posts |
| iOS Significant Locations (Cache.sqlite / Routined) | persistent in backup | factory reset · location services disabled · rolling retention |
| google timeline semantic JSON + edit history | persistent in account | victim or abuser with account access can delete visits anytime |
| lookalike domains (m1crosoft-login.tk, dox archives) | persistent until takedown | hours if registrar suspends · grab WHOIS + HTTP capture early |
| platform abuse ticket correspondence | persistent with vendor | not in your export unless you save confirmation emails |
the first 10 minutes
- confirm the victim is safe and wants evidence preserved — if not, stop here and connect them to an advocate (988 · 1-800-799-7233).
- record UTC timestamps for the first harassing contact, latest escalation, and any in-person incident tied to online threats.
- screenshot or archive live posts with visible URL, account handle, and UTC clock — do not rely on memory after takedown.
- export ChatGPT and Claude conversations if the victim used those accounts for drafts or threats received via shared links — save JSON read-only.
- pull reddit / forum exports the victim or a mod can legally provide; note post IDs and permalinks in a separate index file.
- copy any OSINT notes already collected (handles, emails, domains) into one folder — hash every file sha-256 before editing.
- if location leak is in scope: export google timeline semantic JSON and timeline edits from an account the stalker does not control; pull iOS Cache.sqlite from backup if available.
- list lookalike domains and phishing URLs in a plain text file — include full URL, first-seen date, and how the victim encountered them.
- do not confront the stalker, do not post public accusations, do not email the harasser from the victim's account.
- begin the path below on copies — not on live accounts while the stalker still has shared-login access.
the path
cyberstalking evidence arrives as platform exports, OSINT scrapes, and mobile location artifacts — not a single disk image. run steps 1–5 on harassment and identity data; steps 6–7 when location leak is alleged; step 8 when domains or credential traps appear in the campaign.
1. ai chatbot multi-account correlation analyzer
ChatGPT and Claude conversation exports (JSON). surfaces shared burner emails, device fingerprints, session IDs, and prompt themes that tie harassment drafts across platforms — the Ellis fixture links nightwatch.temp@guerrillamail.com across both exports.
why first: stalkers now draft dox posts and impersonation scripts in AI chat before publishing. the burner email is often the earliest stable identifier — grab it before platform takedowns erase the upstream session.
2. multi-source entity resolver
reddit CSV, forum CSV, OSINT scrape text, and harassment activity logs. merges handles, emails, IPs, and display names into candidate identity clusters — e.g. Ryan Cole appearing in forum export B while anonymous posts share the burner domain pattern.
why second: cyberstalking is multi-account by design. one handle per platform is a decoy. entity resolution gives you a working set of aliases before you build a graph or run stylometry.
3. investigation knowledge graph builder
normalized entity rows plus stalker activity CSV (user → host → IP edges). renders linked nodes for burner emails, forum personas, lookalike domains, and infrastructure hops — the Ellis pack includes a harassment activity log built for graph import.
why third: once entities are resolved, you need to see the shape of the campaign — who touched which host, which IP served the dox archive, which alias posted where. flat spreadsheets hide the pivot points.
4. osint normalizer
raw OSINT scrape dumps (emails, phones, handles, IPs, domains in mixed formats). canonicalizes fields, deduplicates noise, and emits rows the resolver and graph tools can ingest without hand-editing.
why fourth: investigators paste scrapes from five different sites with five different column names. normalizing early prevents false negatives when the same phone appears as +1-503-555-0142 in one dump and 5035550142 in another.
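the normalization step described above, as an added example (not the tool's own code): it maps differing column names to one field type, canonicalizes values, and keeps the source file of every match. the column aliases, the US default for 10-digit phones, and the sample rows are assumptions.

```javascript
// Added example: column aliases and sample rows are constructed for illustration.
const COLUMN_ALIASES = {
  email: ["email", "e-mail", "mail", "email_address"],
  phone: ["phone", "tel", "mobile", "phone_number"],
  handle: ["handle", "username", "user", "screen_name"],
};
const CANON = {
  email(raw) {
    const v = String(raw).trim().toLowerCase();
    return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v) ? v : null;
  },
  // Assumption: numbers without a country code are US/NANP (10 digits).
  phone(raw) {
    const digits = String(raw).replace(/\D/g, "");
    if (digits.length === 10) return "+1" + digits;
    if (digits.length === 11 && digits.startsWith("1")) return "+" + digits;
    return null; // ambiguous: keep for manual review, do not guess
  },
  handle(raw) {
    return String(raw).trim().replace(/^(@|u\/)/i, "").toLowerCase() || null;
  },
};

function normalizeDumps(dumps) {
  const seen = new Map(); // "type:value" -> { type, value, sources }
  const rejected = [];
  for (const { source, rows } of dumps) {
    for (const row of rows) {
      for (const [col, raw] of Object.entries(row)) {
        const key = col.trim().toLowerCase();
        const type = Object.keys(COLUMN_ALIASES).find((t) => COLUMN_ALIASES[t].includes(key));
        if (!type || raw == null || raw === "") continue;
        const value = CANON[type](raw);
        if (value === null) { rejected.push({ source, col, raw }); continue; }
        const id = `${type}:${value}`;
        if (!seen.has(id)) seen.set(id, { type, value, sources: [] });
        if (!seen.get(id).sources.includes(source)) seen.get(id).sources.push(source);
      }
    }
  }
  return { entities: [...seen.values()], rejected };
}

// Constructed sample input: three dumps, three different column conventions.
const SAMPLE_DUMPS = [
  { source: "scrape-a.csv", rows: [{ Phone: "+1-503-555-0142", "E-mail": "Nightwatch.Temp@guerrillamail.com" }] },
  { source: "scrape-b.csv", rows: [{ tel: "5035550142", mail: "nightwatch.temp@guerrillamail.com ", user: "@NightWatch" }] },
  { source: "scrape-c.csv", rows: [{ mobile: "555-0142" }] },
];
```

values that cannot be canonicalized land in `rejected` with their source file instead of being dropped, so a reviewer can resolve them by hand.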
5. natural language writing sample authorship comparator
victim baseline text, stalker draft samples from AI exports, and anonymous forum posts. stylometric distance and shared phrase fingerprints — the Ellis fixture expects a match between saved Claude dox draft language and anonymous harassment posts.
why fifth: shared burner email proves account reuse, not authorship. stylometry is supporting evidence that the person drafting in Claude is the same voice posting on the forum — run it after identity clusters exist so you compare the right samples.
6. ios significant locations forensic extractor
Cache.sqlite from iOS Significant Locations / Routined (backup extract). home, work, and gym clusters with visit counts and confidence — Ellis scenario includes a gym routine the stalker later referenced in harassment content.
why sixth: location leak in cyberstalking is often inferential, not GPS spyware. significant locations show what the victim's phone learned about their routine; compare that to what the stalker claimed to know.
7. android google timeline artifact forensic extractor
google timeline semantic JSON plus timeline edits export. place visits, walking segments, and deletion events — Ellis fixture includes edits that remove visits near the victim's home cluster shortly before dox publication.
why seventh: stalkers with account access sometimes scrub the victim's own timeline to hide that they were nearby. edit logs are persistent metadata separate from the map UI the victim sees.
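one way to line up deletion events with harassment incidents, as an added example (not the extractor's own code): it keeps deletions of visits near the home cluster that are followed by an incident within a time window. the row fields, the 300 m radius, the 48 h window, and all sample data are assumptions.

```javascript
// Added example. Row fields (ts, action, lat, lng, id) are hypothetical,
// already parsed from the exports; they are not Google's export schema.
const EARTH_RADIUS_M = 6371000;

function haversineM(a, b) {
  const rad = (d) => (d * Math.PI) / 180;
  const dLat = rad(b.lat - a.lat);
  const dLng = rad(b.lng - a.lng);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(rad(a.lat)) * Math.cos(rad(b.lat)) * Math.sin(dLng / 2) ** 2;
  return 2 * EARTH_RADIUS_M * Math.asin(Math.sqrt(h));
}

// Deletions of visits within radiusM of the home cluster that are followed
// by a harassment incident within windowH hours.
function deletionsBeforeIncidents(edits, incidents, home, { radiusM = 300, windowH = 48 } = {}) {
  const hits = [];
  for (const e of edits) {
    if (e.action !== "delete") continue;
    const distM = Math.round(haversineM(e, home));
    if (distM > radiusM) continue;
    const lags = incidents
      .map((i) => ({ id: i.id, lagH: (Date.parse(i.ts) - Date.parse(e.ts)) / 3.6e6 }))
      .filter((i) => i.lagH >= 0 && i.lagH <= windowH);
    if (lags.length) hits.push({ ts: e.ts, distM, incidents: lags.map((i) => i.id), minLagH: Math.min(...lags.map((i) => i.lagH)) });
  }
  return hits.sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
}

// Constructed sample data (coordinates and times are made up).
const HOME = { lat: 45.5231, lng: -122.6765 };
const EDITS = [
  { ts: "2024-03-01T02:10:00Z", action: "delete", lat: 45.5233, lng: -122.6768 }, // near home, before post
  { ts: "2024-03-01T02:12:00Z", action: "delete", lat: 45.6012, lng: -122.7001 }, // far from home
  { ts: "2024-03-01T02:15:00Z", action: "rename", lat: 45.5231, lng: -122.6765 }, // not a deletion
  { ts: "2024-01-10T09:00:00Z", action: "delete", lat: 45.5232, lng: -122.6766 }, // no incident in window
];
const INCIDENTS = [{ id: "dox-post-1", ts: "2024-03-01T20:00:00Z" }];
const HITS = deletionsBeforeIncidents(EDITS, INCIDENTS, HOME);
```

a hit is a lead to compare against login history and shared-account access; it does not by itself show who made the edit.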
8. domain reputation analyzer
lookalike and dox-host domain lists — m1crosoft-login.tk, ellis-dox-archive.top, and related typosquats. flags registration age, TLD risk, homoglyph patterns, and parking indicators for takedown packages.
why last: domains are the exfil and phishing layer. once you know who and what was posted, domain reputation ties infrastructure to the campaign for registrar abuse reports and LE preservation letters.
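the homoglyph and TLD signals mentioned above, as an added example (not the analyzer's own code): it folds digit-for-letter swaps, compares the result to a brand watchlist, and reports each signal separately for an abuse ticket. the brand list, the TLD list, and the swap table are assumptions, and registration age and parking checks are out of scope here.

```javascript
// Added example: lookalike triage. BRANDS, RISKY_TLDS and the digit swaps are
// illustrative assumptions, not a full homoglyph map or reputation feed.
const BRANDS = { microsoft: ["microsoft.com", "live.com"], google: ["google.com"], apple: ["apple.com", "icloud.com"] };
const RISKY_TLDS = new Set(["tk", "top"]);
const SWAPS = { 0: "o", 3: "e", 5: "s", 7: "t" };

// "1" stands in for both "i" and "l", so fold it both ways.
function foldVariants(name) {
  const base = name.replace(/[0357]/g, (c) => SWAPS[c]);
  return [base.replace(/1/g, "i"), base.replace(/1/g, "l")];
}

function assessDomain(input) {
  const s = input.trim();
  // URL parsing handles schemes, ports, paths and user@host tricks.
  const host = new URL(/^[a-z][a-z0-9+.-]*:\/\//i.test(s) ? s : "http://" + s).hostname.replace(/\.$/, "");
  const labels = host.split(".");
  const tld = labels[labels.length - 1];
  const registered = labels.slice(-2).join("."); // naive: no public-suffix list
  const name = labels.slice(0, -1).join(".");
  const signals = [];
  for (const [brand, official] of Object.entries(BRANDS)) {
    if (official.includes(registered)) return { host, verdict: "official", signals: [] };
    if (name.includes(brand)) signals.push(`brand-in-name:${brand}`);
    else if (foldVariants(name).some((v) => v.includes(brand))) signals.push(`homoglyph:${brand}`);
  }
  if (labels.some((l) => l.startsWith("xn--"))) signals.push("punycode-label");
  if (RISKY_TLDS.has(tld)) signals.push(`tld:${tld}`);
  const branded = signals.some((x) => x.startsWith("brand") || x.startsWith("homoglyph"));
  // "no-signal" is not "safe": young lookalikes can score neutral until reported.
  const verdict = branded ? "lookalike" : signals.length ? "review" : "no-signal";
  return { host, verdict, signals };
}

// Domains from the page plus constructed controls.
const SAMPLE_DOMAINS = ["m1crosoft-login.tk", "ellis-dox-archive.top", "https://login.microsoft.com/", "example.org"];
const REPORT = SAMPLE_DOMAINS.map(assessDomain);
```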
common false leads
- different username on every platform means different people — burner workflows reuse one email across ChatGPT, Claude, and forum registrations. absence of a shared handle is not absence of a link.
- stylometry match equals courtroom identity — authorship tools produce supporting similarity scores, not legal proof. pair with account correlation and timeline, not alone.
- google timeline deletion was the victim cleaning up — edit logs show who removed visits and when. compare edit timestamps to harassment spikes and shared-account access.
- this is just online drama, not stalking — repeated dox drafts, lookalike login domains, and location knowledge tied to routine still belong in advocate and LE intake even when no stalkerware APK is present.
- run the stalkerware sweep path first — stalkerware-sweep covers covert phone monitoring; cyberstalking covers cross-platform identity, doxing, and OSINT-heavy campaigns. run both only if both threat models apply.
- AI chat exports are fiction or satire — harassers draft real dox text in AI sessions before posting elsewhere. the export is pre-publication intent evidence, not a creative writing exercise.
- domain reputation "clean" means safe — young .tk lookalikes can score neutral until reported. m1crosoft-login.tk is suspicious on spelling alone; reputation is one input for abuse tickets.
what we can tell you, what we can't
we can tell you:
- shared burner emails and device fingerprints across ChatGPT and Claude exports
- entity clusters from reddit, forum, and OSINT sources — aliases merged into candidate identities
- harassment campaign shape as a knowledge graph (users, hosts, IPs, domains)
- normalized OSINT rows ready for resolver and graph import
- stylometric similarity between AI draft text and anonymous posts (supporting, not definitive)
- iOS Significant Locations clusters (home, work, gym) from Cache.sqlite
- google timeline visits, walking segments, and deletion events from semantic + edits exports
- lookalike domain risk signals for registrar and platform abuse packages
we can't tell you:
- prove legal identity of an anonymous poster — that requires subpoenas, platform legal process, and counsel
- recover posts after platform deletion if you did not archive them — export first, analyze second
- guarantee authorship in court from stylometry alone — expert review and corroboration required
- covertly access the stalker's accounts or devices — these tools analyze exports the victim or LE legally holds
- decide whether the victim should contact police — advocate and safety-planning territory
- force domain takedowns — we flag risk; registrars and hosts act on abuse reports
- intercept live harassment in real time — preserve artifacts, analyze offline in the browser
handing it off
- DV advocate (often first): safety plan, whether to preserve or reset accounts, whether evidence sharing is safe now or should wait, documentation of consent.
- platform abuse (parallel): reddit, forum mods, OpenAI/Anthropic trust & safety, google account compromise reports — include post IDs, permalinks, burner email, domain list, and UTC timeline. save ticket confirmation numbers.
- law enforcement (with advocate guidance): archived posts, AI export JSON hashes, entity graph PDF, timeline edit logs, domain WHOIS captures — only when the survivor chooses to report. IC3 for interstate cyberstalking; local PD for threats of physical harm.
- domain registrar / hosting abuse: m1crosoft-login.tk and dox-archive domains — full URL, registration date, HTTP capture, victim statement. many lookalikes live on cheap TLDs with fast suspension paths if packaged cleanly.
- outside counsel: preservation memo (sha-256 of each export, chain of custody, tool output json/pdf), stylometry limitations spelled out, platform legal-process strategy for deanonymization.
- qualified mobile examiner: if the case pivots to device compromise (shared iCloud, MDM, stalkerware overlap) — full backup acquisition beyond what Significant Locations alone provides.
reference investigation
synthetic fixture ellis-cyberstalking: Elena Ellis scenario — ChatGPT and Claude harassment exports sharing burner nightwatch.temp@guerrillamail.com, entity graph and authorship match to anonymous forum posts, iOS Routined gym routine in Significant Locations, google timeline edits removing visits near home, lookalike domains including m1crosoft-login.tk and ellis-dox-archive.top. seed ellis-cyberstalking:v1. compare output via npm run check:flagship.
fixture download: evidence zip · proof page: /forensics/proof/ellis-cyberstalking · case playbook: case type tools