drop whonix-gateway disk image · parse tor configuration + system state
flags stream isolation disabled · custom hidden service dirs · clearnet leak configs · apt tor package events
heuristic screener · parses artifacts locally · no password cracking or live network · full disk images need pre-extracted config paths · not definitive proof