// first 10 minutes

stalkerware sweep (mobile) — quick-start

stalkerware sweep — first 10 minutes. safety before evidence. print this, check boxes, then run the primary tools.

checklist

  1. put the device in airplane mode — stops live exfil without tipping off every app.
  2. connect to a forensics workstation the abuser does not control.
  3. iOS: pull pairing records from the lockdown host. android: export installed packages + permission grants.
  4. photograph the accessibility services list and device admin screen — grant times matter.
  5. iOS: export significant locations if accessible. android: export usage stats if accessible.
  6. inventory installed apps — note hidden icons and sideloaded packages.
  7. do not remove the stalkerware yet unless survivor safety requires it.
  8. save all outputs locally with timestamps — do not sync to shared cloud accounts.
  9. decide with the survivor: preserve longer vs remove now.
  10. begin the primary tool path below.
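the collection steps above (android package and permission exports, usage stats, host-side iOS pairing records, timestamped local saves) as one added shell script. this is an added example, not part of the original checklist or any of the tools below. it assumes adb is on PATH (override with ADB=...), sha256sum or shasum is available, USB debugging is already enabled, and that the lockdown directory sits at its default host location (/var/db/lockdown on macOS, /var/lib/lockdown on Linux; set LOCKDOWN_DIR otherwise). it only reads from the device and copies files on the host; it removes nothing.

```shell
#!/bin/sh
# Added example: collect the checklist's android exports and host-side iOS
# pairing records into a timestamped local directory with a sha256 manifest.
# Assumptions: adb on PATH (or ADB=...), sha256sum/shasum available, device in
# airplane mode with USB debugging on. Read-only against the device.
set -u

ADB="${ADB:-adb}"
LOCKDOWN_DIR="${LOCKDOWN_DIR:-}"   # empty = pick the default for this host OS

# Run one adb command, save stdout+stderr under a label, log the time it ran,
# and keep going if the command fails (a partial sweep is still evidence).
capture() {
  label="$1"; shift
  printf '%s  %s: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$label" "$*" >> "$OUT/commands.log"
  "$ADB" "$@" > "$OUT/$label.txt" 2>&1 || printf 'FAILED (exit %s)\n' "$?" >> "$OUT/$label.txt"
}

collect_android() {
  OUT="$1/android"; mkdir -p "$OUT"
  capture packages_third_party   shell pm list packages -f -3   # sideloaded apps show up here with their apk paths
  capture packages_incl_removed  shell pm list packages -u      # includes packages uninstalled but not purged
  capture package_dump           shell dumpsys package          # install times and per-app permission grants
  capture accessibility_services shell settings get secure enabled_accessibility_services
  capture device_admins          shell dpm list-owners
  capture device_policy          shell dumpsys device_policy
  capture usage_stats            shell dumpsys usagestats
  capture appops_summary         shell dumpsys appops
}

# Pairing records live on the host that was trusted, not on the phone.
# Default locations are an assumption about an unmodified install;
# on Windows look under C:\ProgramData\Apple\Lockdown instead.
lockdown_dir() {
  if [ -n "$LOCKDOWN_DIR" ]; then echo "$LOCKDOWN_DIR"; return; fi
  case "$(uname -s)" in
    Darwin) echo /var/db/lockdown ;;
    Linux)  echo /var/lib/lockdown ;;
    *)      echo "" ;;
  esac
}

collect_ios_pairing() {
  OUT="$1/ios"; mkdir -p "$OUT"
  dir="$(lockdown_dir)"
  if [ -z "$dir" ] || [ ! -d "$dir" ]; then
    echo "no lockdown directory found (set LOCKDOWN_DIR)" > "$OUT/pairing_records.txt"
    return 0
  fi
  # ls output keeps the file mtimes, which are the pairing times the checklist cares about
  ls -la "$dir" > "$OUT/pairing_records.txt" 2>&1
  cp -p "$dir"/*.plist "$OUT"/ 2>/dev/null || true   # -p preserves the original timestamps
}

# Hash everything collected so later tampering or accidental edits are detectable.
hash_manifest() {
  root="$1"
  if command -v sha256sum >/dev/null 2>&1; then H=sha256sum; else H="shasum -a 256"; fi
  ( cd "$root" && find . -type f ! -name MANIFEST.sha256 | sort | xargs $H ) > "$root/MANIFEST.sha256"
}

# Whole sweep into one local, timestamped directory. Returns the directory path.
sweep() {
  root="${1:-./sweep_$(date -u +%Y%m%dT%H%M%SZ)}"
  mkdir -p "$root"
  collect_android "$root"
  collect_ios_pairing "$root"
  hash_manifest "$root"
  echo "$root"
}

# Usage: SWEEP_RUN=1 sh sweep.sh [outdir]   (guarded so sourcing the file runs nothing)
if [ "${SWEEP_RUN:-0}" = 1 ]; then sweep "${1:-}"; fi
```

keep the output directory on the forensics workstation's local disk, not in a synced folder: the manifest proves integrity but cannot stop an abuser-controlled cloud account from seeing the files.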

primary tools

  1. apk analyzer: drop an android apk · permissions · activities · services · manifest · certificates · embedded urls · strings · no disassembly · runs locally
  2. android apk permissions auditor: drop an .apk · parse AndroidManifest.xml · list all declared permissions · flag dangerous permissions · detect unusual API combinations · runs locally
  3. android anonymous messaging app artifact detector: drop Android packages.xml, usage stats, logcat, or filesystem listings · detect anonymous and untraceable messaging applications · surface usage evidence and residual artifacts · identify apps requiring no phone number or identity verification · assess anonymous communication footprint · runs locally
  4. android encrypted vault app artifact detector: drop Android packages.xml, filesystem listing, or usage stats · detect installed or deleted encrypted vault and secret hiding apps · surface vault app usage evidence · identify content types stored in vaults (from metadata) · detect vault apps designed to disguise themselves as other apps · runs locally
  5. android app cloner artifact forensic detector: drop Android packages.xml, filesystem listing, or logcat · detect app cloner framework installations · identify cloned app instances · surface dual-space and multi-account artifacts · detect usage of cloned messaging apps that may contain additional communication accounts · runs locally
  6. ios pairing record forensic analyzer: drop an itunes lockdown pairing plist · parse device and host certificates · escrow bag detection · pairing age and trust implications · csv/json export · runs locally
  7. ios jailbreak artifact detector: drop a manifest db or path list · detect jailbreak indicators (cydia, sileo, substrate) · tool identification · removal hints · runs locally
  8. ios lockdown certificate artifact extractor: drop a pairing plist, der or pem · decode x509 lockdown certs · chain validation · udid and host uuid · pem/csv/json export · runs locally
