journalist source protection — quick-start

first 10 minutes: confidentiality before attribution. print this, check the boxes, then run the primary tools.

checklist

  1. confirm scope with newsroom security and counsel — journalist device, source device, cloud accounts; get approval on whether the source's identity may appear in logs.
  2. record UTC timestamps for publication, first suspicion, and any change in source contact (new number, missed check-in, leaked off-record detail).
  3. issue a legal hold on Google Workspace, personal Google, and newsroom SaaS accounts — before token cleanup or password resets.
  4. export Google Account activity JSON for the journalist and shared cloud accounts — read-only, before remediation.
  5. pull OAuth grant lists from Google admin, Twitter/X, and mail integrations — record consent timestamps and app names.
  6. if Signal is in scope: acquire the iOS backup, Android extract, or desktop profile copy that counsel approves — compute SHA-256 hashes before analysis.
  7. file or escalate a SIM-swap inquiry with the carrier's abuse desk if the number was re-registered or 2FA failed — preserve ICCID history.
  8. do not confront suspected actors, do not post publicly, do not revoke tokens until security signs off on the preservation order.
  9. segregate artifacts per source relationship when one journalist device holds multiple threads.
  10. begin the primary tool path below — on copies, not live accounts, while a compromise may still be active.
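As an added example (not one of this page's tools), a small Python helper for steps 2, 6 and 9 of the checklist: it hashes each acquired artifact copy with SHA-256, records a UTC timestamp and a per-source tag in a manifest, and re-verifies the copies before analysis. The file names and contents in demo() are constructed samples, and the function names are this example's own.

```python
# Added evidence-preservation helper (not one of the page's tools): hash every
# acquired artifact copy with SHA-256 and write a UTC-timestamped manifest, one
# manifest per source relationship, so copies can be verified before analysis.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large backups are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root, source_tag):
    """Walk an acquisition directory and record path, size and SHA-256 per file.
    source_tag labels which source relationship these artifacts belong to."""
    artifacts = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            artifacts.append({
                "path": os.path.relpath(full, root).replace(os.sep, "/"),
                "bytes": os.path.getsize(full),
                "sha256": sha256_file(full),
            })
    artifacts.sort(key=lambda entry: entry["path"])
    return {
        "source_tag": source_tag,
        "hashed_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "artifacts": artifacts,
    }


def verify_manifest(root, manifest):
    """Re-hash the copies; return a list of (path, problem) for anything changed."""
    problems = []
    for entry in manifest["artifacts"]:
        full = os.path.join(root, entry["path"])
        if not os.path.isfile(full):
            problems.append((entry["path"], "missing"))
        elif sha256_file(full) != entry["sha256"]:
            problems.append((entry["path"], "sha256 mismatch"))
    return problems


def demo():
    """Constructed sample: two fake artifact copies in a temp dir, hashed, then one altered."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "ios"))
        with open(os.path.join(root, "ios", "signal.sqlite"), "wb") as fh:
            fh.write(b"constructed sample, not a real database")
        with open(os.path.join(root, "takeout.json"), "wb") as fh:
            fh.write(b"{}")
        manifest = build_manifest(root, source_tag="source-A")
        clean = verify_manifest(root, manifest)       # copies unchanged -> []
        with open(os.path.join(root, "takeout.json"), "ab") as fh:
            fh.write(b"\n")                             # simulate a post-hash change
        tampered = verify_manifest(root, manifest)    # flags takeout.json
        return manifest, clean, tampered


if __name__ == "__main__":
    manifest, clean, tampered = demo()
    print(json.dumps(manifest, indent=2))
    print("clean:", clean)
    print("after change:", tampered)
```

Keep the manifest alongside the copies and re-run verify_manifest before each tool in the primary path reads them; a non-empty result means the working copy no longer matches what was acquired.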

primary tools

  1. 01 · ios signal artifact forensic extractor · drop signal.sqlite · parse conversations and messages · disappearing timers · view-once flags · draft messages · registered phone · rowid gaps · runs locally
  2. 02 · android signal database forensic extractor · drop Android Signal database files (signal.db or backup files) · parse conversations, messages, and attachment metadata · extract disappearing message settings, contact identifiers, and draft messages · surface registered phone number from database · detect deleted message gaps · runs locally
  3. 03 · signal desktop artifact forensic extractor · drop signal desktop %APPDATA%\Signal · parse encrypted leveldb config + sql.sqlite (key-derived) · surface conversation + attachment metadata · runs locally
  4. 04 · sim swap artifact forensic detector · detect evidence of SIM swapping across devices, carriers, or subscriber records · runs locally
  5. 05 · google account activity export forensic deep analyzer · drop google takeout 'my activity' html/json · parse per-product activity timeline · flag credential recovery access events · csv/json export · runs locally
  6. 06 · casb oauth token abuse detector · drop casb oauth grant export · detect excessive scope grants · runs locally
  7. 07 · google takeout archive forensic parser · drop google takeout zip or individual takeout json/csv/html files · parse account activity across all google services · reconstruct location history, search history, youtube watch history, gmail metadata and drive activity · surface forensic timeline across all google products · runs locally
