// investigation guide

journalist source protection — methodology

journalist source protection is not whistleblower retaliation — that case type tracks an employee ethics hotline report through Navex, HCM, and HRSD. here the subject is a press source and the journalist who handled them: verify whether a Signal compromise, a SIM swap, or rogue OAuth grants visible in Google account activity compromised confidentiality before or after a sensitive story published. evidence is E2EE app artifacts, telco port records, and cloud takeout — not corporate ethics exports. your job is to preserve comms metadata, prove or rule out account takeover on both sides of the relationship, and package findings for newsroom security and source-handling counsel without exposing the source identity in unnecessary logs. source confidentiality comes before attribution.

confidentiality and preservation — before any of the path

source-protection work sits inside press-freedom, legal privilege, and physical safety constraints — not routine IT ticketing. if you are supporting a newsroom or a journalist, start with source-handling counsel and security lead intake before bulk-exporting devices. this guide documents evidence preservation only; it is not legal advice, editorial policy, or law-enforcement liaison. this case type is distinct from whistleblower retaliation methodology: the frame is journalist ↔ source, not employee ↔ ethics hotline.

  1. does the source still need anonymity? every export, ticket, and vendor legal request can create discoverable records — counsel should approve scope before you pull takeout or carrier logs.
  2. will requesting Google activity, running takeout, or filing a SIM-swap inquiry notify the account holder or trigger security emails visible to a compromised session? work from clean workstations and accounts the suspected actor does not control.
  3. is the goal to rule out compromise, support a legal hold, or respond to a source who stopped responding? each path has different retention and disclosure risk — newsroom security should choose order, not a well-meaning engineer with backup access.
  4. preserve without tipping off. do not re-register Signal, reset passwords, or revoke OAuth tokens on live accounts until counsel and security agree — premature resets destroy session evidence and can alert the intruder.
  5. document consent and chain of custody. note who pulled each export, from which device or account, and UTC timestamps. journalist devices often hold multiple sources — segregate artifacts per source relationship when possible.
  6. minimize source-identifying data in shared tickets. use reporter tokens or case ids in filenames; redact source phone numbers from abuse packages unless counsel requires full identifiers.
  7. if the source is at physical risk: safety reset (new number, new Signal identity) may be correct even when it destroys some forensic evidence. respect that call over completeness of the artifact set.

what evidence exists and how fast it dies

artifact | volatility | time to loss
iOS Signal backup artifacts (sqlite / plist) | persistent in backup | factory reset · backup rotation · app reinstall without backup
android Signal database + shared prefs | persistent if extracted | app clear-data · device wipe · backup encryption key loss
Signal Desktop config + sql logs | persistent on disk | linked-device unlink · profile wipe · full-disk encryption key loss
carrier ICCID swap / port-out records | persistent with carrier | telco retention varies · request early via counsel or law enforcement
Google Account activity / My Activity export | rolling in account | activity retention limits · user or attacker can delete history entries
OAuth grant exports (Google, X, newsroom SaaS) | persistent until revoked | token revocation · app uninstall · admin purge of stale grants
Google Takeout archive (Mail, Drive, Account) | point-in-time snapshot | takeout reflects export moment only — run before account reset or mass deletion
journalist notes / CMS draft history | mixed | CMS retention policies · accidental publish · editor overwrite
newsroom VPN and proxy logs | rolling | 30–90 days typical unless legal hold — request under counsel direction

the first 10 minutes

  1. confirm scope with newsroom security and counsel — who is in scope (journalist device, source device, cloud accounts), and whether source identity can appear in logs.
  2. record UTC timestamps for story publication, first suspicion of compromise, and any source contact that changed behavior (new number, missed check-in, unexpected knowledge of off-record details).
  3. issue a legal hold on relevant Google Workspace / personal Google accounts and newsroom SaaS — before routine token cleanup or password resets.
  4. export Google Account activity JSON for journalist and shared cloud accounts — save read-only before any remediation.
  5. pull OAuth grant lists from Google admin console and any connected Twitter/X or mail integrations — note consent timestamps and app names.
  6. if Signal is in scope: acquire iOS backup, android extract, or desktop profile copy from devices counsel approves — hash every file sha-256 before analysis.
  7. file or escalate SIM-swap inquiry with carrier abuse / law-enforcement channel if the number re-registered or 2FA failed unexpectedly — preserve ICCID history if already in hand.
  8. do not confront suspected actors, do not post about the investigation publicly, do not revoke tokens until security signs off on preservation order.
  9. segregate artifacts per source relationship when one journalist device holds multiple sensitive threads.
  10. begin the path below on copies — not on live accounts while compromise is still active.
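an added example, not part of this guide's tooling, of the preservation steps above: stream sha-256 of every export, a chain-of-custody record with collector, device and UTC time, and source-number redaction in filenames before anything lands in a shared ticket. the case id, collector, file names and the +1555 number are constructed.

```python
import hashlib
import json
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Known source numbers map to case tokens; any leftover phone-looking digit run
# is masked so the number never reaches a shared ticket (crude heuristic).
PHONE_RE = re.compile(r"\+?\d[\d\-\s]{7,}\d")

def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream-hash an export so a multi-gigabyte takeout zip never loads into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def redact_name(name: str, token_map: dict) -> str:
    """Replace mapped source numbers with tokens, then mask any number still present."""
    for number, token in token_map.items():
        name = name.replace(number, token)
    return PHONE_RE.sub("REDACTED-NUMBER", name)

def build_manifest(paths, case_id, collector, source_device, token_map) -> dict:
    """Chain-of-custody record: who pulled it, from which device, when (UTC), sha-256."""
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    arts = [{"artifact": redact_name(p.name, token_map), "sha256": sha256_file(p),
             "bytes": p.stat().st_size, "collected_utc": now} for p in sorted(paths)]
    return {"case_id": case_id, "collector": collector,
            "source_device": source_device, "artifacts": arts}

def write_manifest(manifest: dict, out: Path) -> str:
    """Write the manifest read-only and return its own hash for the handoff memo."""
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    out.chmod(0o444)
    return sha256_file(out)

def demo() -> dict:
    """Constructed fixture: two fake exports in a temp dir, one named with a source number."""
    d = Path(tempfile.mkdtemp())
    (d / "signal_+15551234567_backup.sqlite").write_bytes(b"abc")
    (d / "takeout-20240101.zip").write_bytes(b"")
    m = build_manifest(list(d.glob("*")), "CASE-0001", "analyst@example",
                       "journalist-iphone", {"+15551234567": "SRC-01"})
    m["manifest_sha256"] = write_manifest(m, d / "manifest.json")
    return m
```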

the path

source-protection evidence spans mobile Signal artifacts, telco port records, and Google cloud exports — not a single disk image. run steps 1–3 on every platform in scope; step 4 when number hijack is suspected; steps 5–6 on cloud accounts; step 7 as the bulk preservation pass after point-in-time analysis.

  1. ios signal artifact forensic extractor

    Signal sqlite and plist artifacts from an iOS backup extract — session state, registration ids, disappearing-message residue, and attachment metadata. the journalist or source iPhone is often the first device in scope when a sensitive story breaks.

    why first: Signal is the default channel for high-risk source handling. iOS backup artifacts survive app reinstalls longer than live UI state — pull them before the device is wiped or replaced.

  2. android signal database forensic extractor

    Signal database and shared-prefs from android backup or adb extract. parses thread ids, message timestamps, identity keys, and session metadata — many sources run Signal on android while the journalist uses iOS.

    why second: cross-platform source relationships mean you need both mobile parsers. android db paths differ entirely from iOS — do not assume one export covers the conversation pair.

  3. signal desktop artifact forensic extractor

    Signal Desktop config, sql logs, and encrypted attachment folders from macOS or Windows user profile. surfaces linked-device registration, sync timestamps, and desktop-side message residue the phone export may omit.

    why third: newsroom workflows often pair phone Signal with desktop linked devices. compromise or shoulder-surf on the laptop is a separate attack path from the phone — desktop artifacts close that gap.

  4. sim swap artifact forensic detector

    carrier account change exports, ICCID swap rows, and SMS-forwarding indicators from telco abuse tickets or google account recovery activity. flags number-port events that precede Signal re-registration or 2FA bypass.

    why fourth: SIM swap is the classic path to hijack a journalist or source number and re-register Signal elsewhere. run this after messaging artifacts so you know which number and registration window to anchor.

  5. google account activity export forensic deep analyzer

    Google Account activity JSON / My Activity export — sign-ins, security events, device additions, recovery email changes, and location-tagged sessions. both journalists and sources often rely on Gmail or Google Drive for draft sharing.

    why fifth: account activity is the cloud-side mirror of device compromise. new recovery phone, unfamiliar IP, or bulk Drive download the night before publication belongs in the same timeline as Signal re-registration.

  6. casb oauth token abuse detector

    OAuth grant exports from Google Workspace, Twitter/X, or newsroom SaaS — third-party app tokens, overprivileged scopes, and consent timestamps tied to journalist accounts. surfaces rogue mail or drive readers installed under cover of a productivity app.

    why sixth: state actors and private investigators often prefer OAuth persistence over password phishing — one consent grant reads mail and drive without repeated login alerts. scope abuse is quieter than SIM swap but equally damaging to source confidentiality.

  7. google takeout archive forensic parser

    Google Takeout zip — Mail, Drive, Calendar, and Account metadata in one bundle. indexes file paths, message counts, and export timestamps for cross-check against activity export and OAuth grant windows.

    why last: takeout is the bulk preservation pass counsel and newsroom security ask for after the story drops. parse it after point-in-time activity and OAuth analysis so you know which folders and threads matter before wading through gigabytes.

cross-correlation

after the path, drop every csv/json export into fatcousin-multi-tool-super-timeline-correlator. one timestamp-sorted view across Signal re-registration, SIM swap, Google sign-in, and OAuth consent — the minute a linked device appears should sit next to the carrier port row, not in separate tabs. then run shared grant ids, session hashes, and ICCID strings through fatcousin-cross-export-ioc-hash-correlator to catch the same identifier in activity export and OAuth grant list before counsel packages the handoff. still zero upload.
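an added example, not the fatcousin correlators themselves, of the cross-correlation described above and of the sim swap → Signal re-registration ordering from step 4: four constructed exports merged into one UTC timeline, every messaging or cloud event inside a window after a carrier sim_swap row flagged with its offset in minutes, and identifiers shared across exports reported. all rows, ICCIDs, the grant id and the 203.0.113.9 address are constructed.

```python
import csv
import io
import json
from datetime import datetime, timedelta, timezone

# Constructed sample exports, one per source, all timestamps UTC (not real data).
CARRIER_CSV = """event_utc,old_iccid,new_iccid,event
2024-03-11T22:14:00Z,8901000000000000001,8901000000000000777,sim_swap
"""
SIGNAL_JSON = json.dumps([
    {"ts": "2024-02-02T09:00:00Z", "event": "linked-device", "device": "newsroom-macbook"},
    {"ts": "2024-03-11T22:31:40Z", "event": "re-registration", "device": "unknown-android"},
])
GOOGLE_JSON = json.dumps([
    {"time": "2024-03-11T22:40:05Z", "title": "Recovery phone changed", "ip": "203.0.113.9"},
    {"time": "2024-03-11T23:02:11Z", "title": "New sign-in", "ip": "203.0.113.9"},
])
OAUTH_CSV = """consent_utc,app,scopes,grant_id,ip
2024-03-11T23:05:30Z,Mail Productivity Helper,gmail.readonly drive.readonly,g-7f3a,203.0.113.9
"""
WINDOW = timedelta(hours=6)  # how long after a port row a messaging/cloud event still counts

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def load_events() -> list:
    """Normalise every export to (utc, source, event, identifiers) and sort once."""
    ev = []
    for r in csv.DictReader(io.StringIO(CARRIER_CSV)):
        ev.append((parse_ts(r["event_utc"]), "carrier", r["event"], {"iccid": r["new_iccid"]}))
    for r in json.loads(SIGNAL_JSON):
        ev.append((parse_ts(r["ts"]), "signal", r["event"], {"device": r["device"]}))
    for r in json.loads(GOOGLE_JSON):
        ev.append((parse_ts(r["time"]), "google", r["title"], {"ip": r["ip"]}))
    for r in csv.DictReader(io.StringIO(OAUTH_CSV)):
        ev.append((parse_ts(r["consent_utc"]), "oauth", "consent:" + r["app"],
                   {"grant_id": r["grant_id"], "ip": r["ip"]}))
    return sorted(ev, key=lambda e: e[0])

def flag_post_swap(events: list, window: timedelta = WINDOW) -> list:
    """(event, minutes after the sim_swap) for every non-carrier event inside the window."""
    swaps = [ts for ts, src, kind, _ in events if src == "carrier" and kind == "sim_swap"]
    return [(kind, int((ts - s).total_seconds() // 60))
            for s in swaps for ts, src, kind, _ in events
            if src != "carrier" and s <= ts <= s + window]

def shared_identifiers(events: list) -> dict:
    """Identifiers (iccid, grant id, ip) that appear in more than one export."""
    seen = {}
    for _, src, _, meta in events:
        for key in ("iccid", "grant_id", "ip"):
            if key in meta:
                seen.setdefault(f"{key}={meta[key]}", set()).add(src)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}
```

the february linked-device row stays in the timeline but is not flagged, which is the point: re-registration is suspicious because of where it sits relative to the port row, not on its own.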

common false leads

  • this is whistleblower retaliation because someone reported wrongdoing — employee ethics hotline exports (Navex, HR Acuity, HRSD) belong in whistleblower retaliation, not here. press sources are not corporate ethics reporters.
  • Signal safety number change means compromise — registration changes happen on legitimate new devices. anchor on SIM swap timing, unfamiliar linked devices, and concurrent Google session anomalies.
  • source stopped responding because of compromise — burnout, legal advice, or story delay are equally common. artifact analysis rules in or out takeover; it does not replace checking in through an agreed out-of-band channel.
  • google takeout size equals exfil volume — takeout is a user-initiated export format. compare takeout timestamps to activity export and OAuth grants; a large takeout alone is not proof of third-party theft.
  • only the journalist account matters — sources often use personal Gmail or android Signal. investigate both ends of the relationship when confidentiality broke after publication.
  • revoke all OAuth tokens first — premature revocation destroys session metadata and may alert the intruder. preserve grants and activity exports, then remediate under counsel direction.

what we can tell you, what we can't

we can tell you:

  • Signal artifact timelines from iOS backup, android database, and desktop linked-device exports
  • SIM swap and ICCID change indicators from carrier-style artifact rows
  • Google account sign-in, security event, and device-addition patterns from activity exports
  • overprivileged or suspicious OAuth grant scopes and consent timestamps
  • takeout archive structure and cross-folder indexing for bulk mail and drive preservation
  • whether cloud and messaging metadata supports an account-compromise hypothesis on a timeline

we can't tell you:

  • decrypt Signal message plaintext without keys and lawful access — these tools analyze metadata and residue
  • identify an anonymous source from artifacts alone — that requires journalistic process and legal protection
  • prove state-sponsored attribution — artifact patterns suggest compromise; attribution is counsel and intel territory
  • live platform state — we analyze exports you provide, not vendor APIs or carrier portals
  • whether to publish, kill, or delay a story — editorial and legal decision, not forensic output
  • force carrier or Google legal process — we flag indicators; subpoenas and preservation letters are counsel's job

handing it off

  • newsroom security / IT: activity export hashes, OAuth grant inventory, Signal registration timeline, recommended containment order (what to revoke, what to preserve first).
  • source-handling counsel: chain-of-custody memo, scope of devices analyzed, whether source identity appeared in logs, legal-hold recommendations for cloud and CMS systems.
  • platform abuse (parallel): Google account compromise report, OAuth rogue-app disclosure, Twitter/X unauthorized access — include UTC timeline and grant ids; save ticket confirmation numbers.
  • carrier / telco abuse: SIM swap or port-out inquiry with ICCID history, number, and incident window — often requires law-enforcement or counsel letter; do not cold-call support from a journalist personal account if opsec is sensitive.
  • outside forensic / ediscovery: full device images, encrypted Signal backups, and extended takeout under legal hold — tool outputs as json/csv attachments with sha-256 manifest.
  • law enforcement (only with counsel): when source or journalist physical safety is at risk — packaged timeline, not raw source-identifying exports beyond what counsel approves.

further reading

reference investigation

synthetic fixture for this case type is pending — a dedicated journalist-source-protection pack will include paired Signal exports, SIM swap rows, Google activity + OAuth grant goldens, and takeout slices for a pre/post-publication compromise scenario. until then, adjacent reference: cloud account compromise for OAuth patterns and compare journalist source protection vs whistleblower retaliation for case-type dispatch.
