fatcousin
// investigation guide · youth-online-safety

minor online coercion · youth safety — methodology

online child safety incidents leave a forensic residue. a grooming campaign has message-delivery timestamps, platform artifacts, and account-age indicators. sextortion has file receipt records, payment-request metadata, and threat-message chains. doxxing has a broker-propagation sequence. swatting has a call-origin trail. none of this requires viewing prohibited content. none of this requires access the survivor has not consented to give. the examiner's job: build a timeline from artifacts that already exist — on the device, in the account export, in the platform log — so the legal package is honest and complete. this page is for after the incident: a parent whose child came to them, a SANE nurse assembling a CyberTipline package, a guardian-ad-litem who needs more than a screenshot, and the teenager themselves — who wants to understand what happened and what can be documented, on their own terms first. every tool runs locally. no file leaves the device. no upload, no account. start with evidence manifest and custody child safety device audit on consented exports. this is not district K–12 monitor IR and not covert parental surveillance.

what this page is not

  • not a guide for parents to monitor a child's ongoing communications without the child's knowledge — that is the abuser's playbook, not the examiner's.
  • not a CSAM viewer — fatcousin does not display, analyze, or accept prohibited content. if that material is on a device, report to NCMEC CyberTipline (1-800-843-5678) and law enforcement first.
  • not real-time surveillance — no live intercept, no covert device monitoring, no tools that run without a consent and custodial framework advocates or counsel approve.
  • not a substitute for mandatory-reporter legal advice — district, state, and tribal reporting rules vary.

operational security

before running any of these tools: use a device the predator does not have access to. screenshots and screen recordings on a shared family device may sync to a shared cloud account. a private browser window on the survivor's own device is not sufficient if the device is monitored or if Apple or Google accounts are shared with the person who caused the harm. these tools run entirely in the browser. no file leaves the device — open devtools, watch the network tab, drop a file. if the survivor needs human help before evidence preservation: 988 · NCMEC CyberTipline: 1-800-843-5678 · local law enforcement for immediate safety threats. forensic documentation follows safety planning — not the other way around.

trusted organizations

  • NCMEC CyberTiplinemandated reporting path for suspected CSAM. fatcousin does not analyze or accept prohibited content — this is the legally correct first step when that material is present.
  • 988 Suicide and Crisis Lifelinecrisis support by call, text, or chat — not limited to suicide.
  • Crisis Text Linetext HOME to 741741 when audible calls are not safe.
  • RAINNsurvivor support and referral — includes paths for minor survivors and parents.

the first 10 minutes

  1. confirm the survivor consents to documentation and knows who will receive outputs.
  2. if prohibited content is visible on the device: NCMEC CyberTipline 1-800-843-5678 first — not a browser parser.
  3. use a machine the predator cannot access — not the survivor's monitored phone or a shared family computer.
  4. hash every export with evidence-manifest-generator before opening threads.
  5. preserve message-delivery metadata and account exports — do not re-screenshot on a synced device.
  6. run custody-child-safety-device-audit-kit on a consented device backup when counsel or guardian approves scope.
  7. correlate screen-time and family-sharing artifacts only when custodial framework is documented.
  8. imminent danger → 988 or local law enforcement — documentation can wait.

the path

safety plan → hash exports → consented device triage → screen-time / family-sharing correlation → messaging deletion artifacts → bundle for counsel or CyberTipline-adjacent handoff. parental-control parsers (bark home, qustodio, family link exports) are on the atlas BUILD backlog — this path uses tools on disk today.

  1. 1. evidence manifest generator

    sha-256 inventory of every export, screenshot file, and account dump before analysis or handoff to counsel.why first: minor cases cross advocates, parents, and law enforcement — hash before anyone emails a zip.

  2. 2. custody child safety device audit kit

    structured pass on a consented minor-device backup — installed apps, location surfaces, messaging deletion patterns, screen-time spikes.why second: baseline triage when the question is what the device shows after disclosure, not a full stalkerware hunt.

  3. 3. ios screen time analyzer

    knowledgeC / screen time plists from backup — app usage spikes, downtime overrides, and late-night session clusters.why third: coercion often shows as usage pattern changes before message bodies are preserved.

  4. 4. ios screen time family sharing correlation detector

    family sharing linkage rows — who can see usage, which apple ids share a child account, and when controls changed.why fourth: shared family apple ids are a common tracking vector — map sharing before reading chat exports.

  5. 5. mobile screen time parser

    android digital wellbeing / screen time exports when the minor device is not ios-only.why fifth: android family link and wellbeing dumps are a separate schema from ios screen time.

  6. 6. ios backup browser

    browse encrypted backup manifest for messaging, location, and account plists after consent scope is set.why sixth: many minors are ios-first — locate artifacts before deep parsers.

  7. 7. ios imessage deletion artifact detector

    sms.db tombstones and rowid gaps when the survivor deleted threads under pressure.why seventh: deletion metadata often survives panic deletes — documents coercion timing without displaying bodies in tickets.

  8. 8. case report generator

    bundle hashed exports and finding summaries into a pdf timeline for counsel or CyberTipline-adjacent packages.why last: one readable package for advocates who were not in the export pull.

common false leads

  • treating this as adult sextortion without minor-consent framing — payment tracing alone misses family-sharing and school-adjacent context.
  • running stalkerware sweep before consent triage — wrong order can alarm the survivor and complicate chain-of-custody narrative.
  • using school cyberbullying monitor exports for a home-only incident — FERPA district packs are a different authorization model.
  • assuming a screenshot proves timeline — hash the file and pull platform export metadata when available.

what we can tell you, what we can't

we can tell you:

  • sha-256 manifest for every export in the advocate packet
  • screen-time and family-sharing correlation on consented ios backups
  • imessage deletion tombstones and rowid gaps after panic deletes
  • local pdf case report from hashed exports

we can't tell you:

  • whether a specific adult committed a crime — that requires qualified review and jurisdiction
  • analyze or render prohibited content — report to NCMEC first
  • upload minor data to fatcousin servers — processing is browser-local only
  • guarantee admissibility in court without counsel and qualified digital forensics review

handing it off

  • counsel / guardian-ad-litem: evidence manifest + case report pdf + finding exports without re-sharing unhashed zips over email.
  • NCMEC / law enforcement (when referred): CyberTipline report for prohibited content — hashed exports for metadata timelines only when counsel directs.
  • clinical / advocate staff: safety planning before deep device pulls — this page documents artifacts, not therapy responses.

case type: minor online coercion · compare: case-type pairs → · related: adult sextortion · mobile triage

ready