walsh-lost-stolen-device — post-recovery device triage
Emma Walsh lost an iPhone 15 and Pixel 7 at the airport; police returned them from a finder who paired the iPhone and authorized ADB on the Pixel. Find My remote wipe, Android factory reset logs, post-return app uninstall burst, and overlapping cloud logons from owner vs finder IP space. Fully synthetic.
what this proves
- every primary engine produces deterministic, fixture-locked output — verified by
npm run check:flagship(280/280 fleet · 8 for this scenario). - every output is generated 100% locally in your browser — pairing plists, adb keys, and cloud logon csv never upload.
- finder pairing trust, Find My remote wipe vs local factory reset, post-return uninstall burst, and overlapping cloud logons from owner vs finder IP space surface without sending a recovered handset to a server.
primary engines locked to this fixture
- ios-pairing-record-forensic-analyzer
- mobile-device-pairing-record-analyzer
- ios-jailbreak-artifact-detector
- mobile-factory-reset-evidence-artifact-detector
- mobile-remote-wipe-artifact-detector
- android-factory-reset-artifact-detector
- ios-app-install-uninstall-timeline-reconstructor
- login-session-reconstructor
build the case binder
runs all eight primary engines on the synthetic evidence zip and opens a self-contained html binder. uses the default binder renderer for lost device triage — no upload.
runs all 8 primary engines locally on the synthetic evidence zip · opens a self-contained html binder · no upload
download the synthetic evidence
MIT-licensed, fully synthetic. includes finder pairing plist, adb authorized keys, jailbreak path inventory, Find My remote wipe marker, android factory reset logs, MobileInstallation uninstall burst, and overlapping cloud logon csv.
built deterministically from scripts/fixtures/build-walsh-lost-stolen-device.mjs. seed: walsh-lost-stolen-device:v1.
methodology
post-custody triage is pairing first. walk ios pairing → mobile pairing normalize → jailbreak screen → factory reset markers → remote wipe vs local reset → android factory reset → uninstall timeline → cloud logons last. read the full lost or stolen device guide →
after the playbook
run each primary locally — or export findings from the binder — then drop every csv/json into fatcousin-multi-tool-super-timeline-correlator. one timestamp-sorted timeline across finder pairing trust, Find My remote wipe, factory reset markers, uninstall burst, and overlapping cloud logons — still zero upload.