// investigation guide

romance scam - methodology

romance scam is not generic spam. it is a staged relationship: a dating-app introduction, a pivot to encrypted chat, a manufactured crisis, and repeated p2p sends that favor speed over traceability. evidence lives on the phone (dating artifacts, whatsapp and telegram databases, cash app and venmo caches) and in the images the actor uses to sell the persona — ai-generated portraits are common. recovery is rarely technical; your job is a defensible timeline, consistent identifiers across apps, and payment metadata that law enforcement and platforms can act on. the reference arc here is natalie foster: a bumble match, whatsapp and telegram grooming, a fake military identity, about eleven thousand dollars moved through venmo and cash app, and a military profile png whose parameters point to automatic1111-style generation (foster-romance-scam:v1).

what evidence exists and how fast it dies

| artifact | volatility | time to loss |
| --- | --- | --- |
| dating-app local state (matches, threads, media) | persistent on device | gone on account deletion or app reinstall without backup |
| whatsapp msgstore / ios chat storage | persistent | overwritten if victim resets app or restores without the same backup |
| telegram local caches and dbs | mixed | secret-chat content may never hit cloud; cache eviction is days to weeks |
| venmo and cash app transaction history on device | persistent (rolling) | longer retention at the platform; subpoena latency still matters |
| profile and sent images (exif, png text chunks, a1111 params) | persistent | stripped on re-encode or aggressive chat compression |
| victim memory of urls and handles | volatile | hours; write it down before the next panic message |

the first 10 minutes

  1. stop sending money. document that instruction for the victim; further sends destroy clarity.
  2. record every handle: dating profile name, whatsapp number, telegram @, cashtag, venmo username.
  3. screenshot in-app payment receipts with utc-visible device clock; then prefer filesystem extracts.
  4. take a full encrypted backup before any carrier reset or “clean up” advice.
  5. preserve the dating-app match screen and the first off-platform message that references the pivot.
  6. export or image-capture the military or travel photos before the actor deletes their side of the chat.
  7. note any “verification” links or apk/ipa instructions; do not install unknown profiles on an evidence phone.
  8. list installed messaging and payment apps; romance kits often cluster the same six titles.
  9. write a one-page chronology: first contact, first i love you, first money ask, each transfer amount.
  10. begin the path below on a copy of the backup, not the live handset if you can avoid it.
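The chronology in step 9 is easier to defend when it is built from timestamped records rather than memory. The block below is an added example, not the page's tooling: it merges constructed message and transfer events from the five apps, records each chat-app pivot, ties every p2p send to the most recent money ask inside a 48-hour window, and lists the counterparty handle each app showed. All handles, amounts and message text are invented; the ask-word list is a crude heuristic, not a classifier.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Event:
    ts: datetime         # already normalised to UTC
    app: str             # bumble | whatsapp | telegram | venmo | cashapp
    kind: str            # "message" or "transfer"
    handle: str          # counterparty identifier exactly as that app shows it
    text: str = ""       # message body or payment note
    amount: float = 0.0  # usd, transfers only
ASK_WORDS = ("send", "fee", "emergency", "hospital", "need $")  # crude ask vocabulary; a heuristic
def is_money_ask(e: Event) -> bool:
    return e.kind == "message" and any(w in e.text.lower() for w in ASK_WORDS)
def timeline(events, ask_window=timedelta(hours=48)) -> dict:
    """Order events, record chat-app pivots, tie each transfer to the latest ask inside the window."""
    rows, pivots, handles, last_app, ask, total = [], [], {}, None, None, 0.0
    for e in sorted(events, key=lambda x: x.ts):
        handles.setdefault(e.app, set()).add(e.handle)
        if e.kind == "message":
            if last_app and e.app != last_app:
                pivots.append((e.ts.isoformat(), last_app, e.app))
            last_app = e.app
            if is_money_ask(e):
                ask = e
        else:
            total += e.amount
            linked = ask if ask and e.ts - ask.ts <= ask_window else None
            rows.append({"ts": e.ts.isoformat(), "app": e.app, "to": e.handle, "amount": e.amount,
                         "ask": linked.text if linked else None,
                         "gap_h": round((e.ts - linked.ts).total_seconds() / 3600, 1) if linked else None})
    return {"pivots": pivots, "transfers": rows, "total": round(total, 2),
            "handles": {a: sorted(h) for a, h in handles.items()}}
def utc(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed fixture mirroring the page's arc; every handle, amount and message is invented.
SAMPLE_EVENTS = [
    Event(utc("2024-03-01T19:02"), "bumble", "message", "J. Morgan", "matched; says deployed, no video"),
    Event(utc("2024-03-02T08:15"), "whatsapp", "message", "+15550100", "can we talk here? base wifi blocks the app"),
    Event(utc("2024-03-10T21:40"), "whatsapp", "message", "+15550100", "i love you. never felt this fast"),
    Event(utc("2024-03-15T07:30"), "telegram", "message", "@jmorgan_mil", "need $200 for a phone card, pay you back friday"),
    Event(utc("2024-03-15T09:12"), "cashapp", "transfer", "$jmorgan", "phone card", 200.0),
    Event(utc("2024-03-22T04:50"), "telegram", "message", "@jmorgan_mil", "customs fee on my leave package, emergency"),
    Event(utc("2024-03-22T10:02"), "venmo", "transfer", "J-Morgan-7", "leave paperwork", 2500.0),
    Event(utc("2024-03-29T05:20"), "telegram", "message", "@jmorgan_mil", "hospital bill, please send what you can"),
    Event(utc("2024-03-29T06:45"), "cashapp", "transfer", "$jmorgan", "", 3800.0),
    Event(utc("2024-04-06T13:00"), "venmo", "transfer", "J-Morgan-7", "flight home", 4500.0),
]
```

A transfer with no ask inside the window (the last one above) is reported with `ask` set to None rather than forced onto an older message, so gaps in the chat extract show up as gaps in the package instead of being papered over.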

the path

  1. ios dating app artifact forensic extractor

     iphone backup or app sandbox export. surfaces match metadata, intro thread timestamps, and profile-linked media paths from the dating layer.

     why first: the scam almost always starts on-platform. you anchor identity claims and first contact before cross-app pivots blur the story.

  2. ios whatsapp artifact forensic extractor

     whatsapp plist, chat storage, and media indices from ios backup. recovers conversation ordering and attachment filenames without guessing paths.

     why second: groomers push victims off the dating app fast. whatsapp is the common soft landing; extract it while paths are still coherent.

  3. android whatsapp database forensic analyzer

     msgstore.db and related wal/shm from android. parses message bodies, group vs dm context, and quoted-reply chains for payment pressure events.

     why third: many victims are on android. same narrative arc, different storage; you need parity with the ios pass so nothing is missed.

  4. ios telegram artifact forensic extractor

     telegram container artifacts from ios. identifies secret chats vs cloud threads, media caches, and export-adjacent sqlite where present.

     why fourth: actors migrate to telegram for opaque threads and file drops. treat it as a separate evidence plane from whatsapp.

  5. android telegram database forensic analyzer

     telegram tdata-adjacent sql or export bundles on android. correlates usernames, local message ids, and forwarded military-doc myths.

     why fifth: cross-platform victims split the story. mirroring ios telegram work on android closes gap analysis for investigators.

  6. ios cash app artifact forensic extractor

     cash app plist and local payment indices. extracts cashtags, transfer notes, and recipient handles tied to the grooming timeline.

     why sixth: p2p apps are how urgent money leaves the phone. cash app often appears before or beside venmo in the same pressure window.

  7. ios venmo artifact forensic extractor

     venmo transaction cache and friend graph hints from ios backup. links public notes, split requests, and counterparty display names.

     why seventh: venmo leaves a parallel payment trail. pair with cash app to show pattern, not a one-off gift.

  8. ai generated image provenance analyzer

     profile or sent png/jpeg with stable diffusion / a1111 style metadata. scores generator cues and parameter leakage in file tail.

     why last: fake military personas lean on polished portraits. provenance work turns a sympathy photo into a technical inconsistency for the package.
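Step 8 in code, as an added example rather than the page's own analyzer: a minimal PNG chunk walker that pulls the `parameters` tEXt chunk automatic1111-style tools write, splits it into prompt, negative prompt and `Key: value` fields, and scores how many generator fields survive. The 1x1 PNG fixture and its parameter string are constructed; the function names and the three-field threshold are my choices, not anything the page specifies.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
GENERATOR_CUES = ("Steps", "Sampler", "CFG scale", "Seed", "Size", "Model hash")  # A1111 field names
def chunk(ctype: bytes, body: bytes) -> bytes:
    # PNG chunk layout: 4-byte length, 4-byte type, data, crc32 over type + data
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def png_text_chunks(data: bytes) -> dict:
    """Return {keyword: text} for every tEXt chunk; zTXt/iTXt are skipped here."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    found, pos = {}, len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"tEXt" and b"\x00" in body:
            key, _, text = body.partition(b"\x00")
            found[key.decode("latin-1")] = text.decode("latin-1")
        if ctype == b"IEND":
            break
        pos += 12 + length
    return found
def a1111_params(text: str) -> dict:
    """Line 1 is the prompt, then optional 'Negative prompt:', then comma-separated 'Key: value'."""
    lines = text.strip().split("\n")
    fields = {"prompt": lines[0]}
    for line in lines[1:]:
        if line.startswith("Negative prompt: "):
            fields["negative_prompt"] = line[len("Negative prompt: "):]
        else:  # assumes values carry no embedded commas, true for the fields scored below
            for key, val in re.findall(r"([A-Za-z][A-Za-z ]*): ([^,]+)", line):
                fields[key.strip()] = val.strip()
    return fields
def assess(data: bytes) -> dict:
    """Three or more surviving A1111 fields is treated as a strong generator signal."""
    params = png_text_chunks(data).get("parameters")
    fields = a1111_params(params) if params else {}
    cues = sum(1 for k in GENERATOR_CUES if k in fields)
    return {"generator": "a1111-style" if cues >= 3 else None, "cues": cues, "fields": fields}

# Constructed fixture: a 1x1 PNG carrying an invented parameters chunk, not a real case image.
SAMPLE_PARAMS = ("portrait of a soldier in dress uniform\nNegative prompt: blurry, lowres\n"
                 "Steps: 30, Sampler: DPM++ 2M Karras, CFG scale: 7, Seed: 1234567890, Size: 512x768, Model hash: deadbeef")
SAMPLE_PNG = (PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
              + chunk(b"tEXt", b"parameters\x00" + SAMPLE_PARAMS.encode("latin-1"))
              + chunk(b"IEND", b""))
```

A zero score only means the chunk did not survive (re-encoding and chat compression strip it, per the volatility table), so it is absence of evidence about the generator, not evidence of a camera photo.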

common false leads

  • the actor’s photo passes reverse image search. synthetic or private-set portraits often do not hit stock sites.
  • “military” uniforms and ids look official. uniform shots are trivial to stage; correlate payment behavior, not medals.
  • only one chat app matters. groomers layer whatsapp and telegram to separate family-safe talk from money pressure.
  • small test sends mean low risk. they are calibration payments; the eleven-thousand-dollar pattern still matters.
  • the victim is embarrassed so the case is weak. shame is orthogonal; timestamped p2p metadata is not.

what we can tell you, what we can't

we can tell you:

  • structured extraction from ios dating, whatsapp, telegram, cash app, and venmo artifacts you already hold
  • android whatsapp and telegram database parsing for message and attachment context
  • ai-generated image signals when parameters or generator metadata survive in the file
  • a repeatable local workflow that mirrors the case-type primary tool order

we can't:

  • recover sent funds from venmo, cash app, or banks. only platforms and law enforcement can.
  • unmask a real name from a cashtag alone without your own intelligence or legal process.
  • prove criminal intent or win a court case. that is counsel and fact-finder territory.
  • guarantee secret-chat content exists on disk; some material never lands where parsers can see it.

handing it off

  • IC3 / local law enforcement: timeline pdf, p2p transaction ids, counterparty handles, chat excerpts with utc, and the provenance note on suspect images.
  • payment platform trust and safety: cashtag, venmo username, device-linked account emails, amount and date of each send.
  • victim services / counsel: preservation log for backups, chain of custody for phone images, and a list of what was not extracted.

further reading

reference investigation

synthetic fixture foster-romance-scam: natalie foster bumble match, whatsapp and telegram grooming arc, fake military persona, venmo and cash app payments totaling about eleven thousand dollars, and an a1111-parameter military profile png. seed foster-romance-scam:v1. compare output via npm run check:flagship.
