fatcousin-native files.
share a file, not a platform.
six naming conventions, five jobs: investigation records, reusable pipelines, stackable output, signing trust, and proof packs. everything is generated and verified on your device — nothing uploads.
1. three tiers — don't mix them up
- investigation — .fc-case holds what you did on a matter: runs, findings, notes, custody log, optional embedded bytes. treat it like privileged work product.
- workspace — .fc-stack and .fc-kit hold how you like to work: tool pipelines and optional favorites. safe to share with a teammate for SOP handoff — no case data inside.
- pipeline output — .fc-artifact is the structured JSON envelope stackable tools emit so the next step in a chain can consume findings without bespoke parsers.
.fc-case is not a substitute for .fc-kit, and vice versa. if you only need to pass a BEC triage pipeline to a colleague, send a .fc-stack or .fc-kit. if you need counsel to review what you analyzed, send a .fc-case (and see /forensics/verify).
2. native formats (reference)
.fc-case · investigation record · zip archive
analysis-phase session archive — runs, custody log, notes, optional embedded bytes
- manifest.json — full CaseSession (runs, findings, notes, custody events)
- manifest.sha256 — sha256sum sidecar over manifest.json bytes
- README.md — human-readable explainer (auto-generated)
- signature.json — optional Ed25519 over custody log + manifest (device key)
- timestamp.json — optional RFC 3161 token over manifest.sha256 (opt-in network)
- attachments/<sha256> — optional raw input bytes the investigator chose to embed
- export — /forensics/sessions — .fc-case or export package ↓
- import — /forensics/sessions — drag-drop import with preview
- signing — optional Ed25519 (browser-generated key); verified on import + offline CLI
- custody — yes — append-only analysis-phase custody log; not collection-stage CoC software
- share — hand the zip to counsel, opposing expert, or a colleague — verify locally; never uploads
.fc-stack · workspace / config · json file
one saved tool pipeline — ordered slugs + per-step options (~1–3 KB)
- schemaVersion + kind: stack
- name — pipeline label
- steps[] — { slug, options } only (no device ids)
- meta — exportedAt, siteUrl (informational)
- export — /stack/[id] runner or editor — export .fc-stack ↓
- import — /stack/share or homepage drop — confirm dialog · optional rename
- signing — none — configuration only, not evidence
- custody — no — no runs, hashes, or privileged notes
- share — email, slack, wiki, usb — colleague imports and gets a new local stack id
.fc-kit · workspace / config · json file
workspace bundle — multiple stacks plus optional favorite tools and stack pins
- schemaVersion + kind: kit
- name — kit label
- stacks[] — same shape as .fc-stack entries
- favoriteTools[] — optional ordered tool slugs
- pinStackIndices[] — optional indices into stacks[] to favorite on import
- export — /stack/share — export .fc-kit ↓ (with include-favorites options)
- import — /stack/share — import card · confirm dialog · pick stacks from a kit
- signing — none
- custody — no
- share — team SOP handoff — pipelines + bookmarks without sharing an investigation record
.fc-artifact · pipeline output · json file
canonical envelope for stackable tool output — chains between pipeline steps
- kind: "fc-artifact"
- artifact — slug or class (e.g. ioc-bundle, evidence-manifest)
- version, createdAt, source[] — input filenames
- …payload — tool-specific structured fields
- export — stack runner / stackable tools — download between steps
- import — next stackable step input (in-browser pipeline only)
- signing — none
- custody — no — derived triage output; hash-anchoring lives in .fc-case when captured
- share — usually stays in-memory between stack steps; save manually if you need a file
.fc-key · signing / verification · json file
Ed25519 signing key sidecar — public key for verifiers, or private backup for restore
- kind: "signing-key-public" or "signing-key-private"
- keyId — short prefix of public key hex
- publicKeyHex + publicKeyJwk — always present
- privateKeyJwk — private backups only (never share)
- export — /formats or /forensics/sessions — export public or private .fc-key ↓
- import — /formats — inspect public keys; restore private backups on same device
- signing — public .fc-key is what verifiers trust; private .fc-key signs exports
- custody — no — identity material, not evidence
- share — email public .fc-key to counsel once; keep private .fc-key offline like a safe key
.fc-fixture · proof / training lab · zip archive
portable proof/training pack — synthetic evidence + MANIFEST.sha256 + scenario manifest
- manifest.json — kind: fixture, scenarioSlug, caseTypeSlug, title, seed
- MANIFEST.sha256 — sha256sum sidecar over evidence/ files
- evidence/* — synthetic bytes (same as /forensics/proof downloads)
- README.md — optional human explainer
- export — /formats — download .fc-fixture ↓ per scenario
- import — /formats — drag-drop verify; link through to /forensics/proof/<slug>
- signing — none — committed hashes are the integrity anchor
- custody — no — fictional training data only
- share — hand a lab pack to a trainee or opposing expert for reproducible replay — never uploads
3. export / verify hub
export or verify .fc-key and .fc-fixture files here. stack and kit import lives at /stack/share; session archives at /forensics/sessions.
.fc-key — signing keys
public keys help verifiers trust signed .fc-case exports. private backups restore your device identity — never email them.
.fc-fixture — proof packs
synthetic training evidence with committed SHA-256 manifest — same bytes as /forensics/proof.
drop a .fc-fixture to verify
checks manifest.json + MANIFEST.sha256 against evidence/
4. session companions (not .fc-* native)
the session manager also emits standard industry files and printable reports derived from a case session. they are not fatcousin-native extensions — but investigators often file them next to a .fc-case:
- <case>-reproducibility.md — markdown reproducibility report — runs, versions, sha-256 digests. companion to .fc-case; cite /forensics/cite for templates
- <case>-exhibit-report.html — printable HTML exhibit — tool table, custody summary, embedded hash. save as PDF via browser print
- <case>-examiner-declaration.txt — FRE 901/902-shaped declaration draft listing captured runs. counsel review required — template not legal advice
- <case>-findings.csv · -axiom.csv · -stix21.json · -misp.json — interop exports for SIEM, AXIOM, STIX, MISP. industry formats — each carries analysis-phase custody references back to the source .fc-case
citation templates: /forensics/cite. verification ritual: /forensics/verify.
5. quick links
- /forensics/sessions — export / import .fc-case
- /stack/share — export / import .fc-stack and .fc-kit
- /stack/guide — how pipelines work
- /forensics/whitepaper — custody + interop exports in depth
6. what we might add (and what we won't)
fatcousin adds a new .fc-* extension only when it carries a distinct job that existing formats cannot. current thinking:
- .fc-preset — skip: curated case-type stack blueprints — already shippable as .fc-stack or bundled in .fc-kit; a fourth extension adds naming noise.
- .fc-favorites — skip: standalone favorites-only file — .fc-kit optional favoriteTools[] covers team bookmark handoff; splitting would duplicate .fc-kit.
- .fc-sync (or any cloud sync blob) — skip: conflicts with local-first architecture — no accounts, no server-side state, no background sync. file handoff is intentional.
if you need something that looks like cloud sync, accounts, or a central case repository — that is explicitly out of scope. the manifesto contract still applies: local-first, no upload.