Full Analysis & Artifact Uploads

Run a comprehensive multi-artifact spyware investigation and upload iOS backups, sysdiagnose archives, and Android bugreports for deep forensic analysis.

Comprehensive Forensic Analysis

The quick-check, shutdown-log, and logcat endpoints each look at a single artifact. Full analysis correlates several artifacts from the same device into one investigation — combining shutdown-log and logcat evidence with deeper iOS backup, data-usage, and sysdiagnose analysis to produce a single infection verdict, anomaly list, and timeline.

POST /api/v1/forensics/full-analysis

Run a comprehensive, multi-artifact forensic analysis for a single device

Authentication: Bearer Token

| Parameter | Type | Required | Description |
|---|---|---|---|
| device_id | string | Optional | Identifier for the device being investigated. |
| platform | string | Optional | The device platform: ios or android. |
| shutdown_log | string | Optional | Plain-text iOS shutdown.log contents to include in the analysis. |
| logcat_data | string | Optional | Plain-text Android logcat contents to include in the analysis. |
| backup_path | string | Optional | Server-side path to an extracted iOS backup. Service-only — clients upload via /forensics/ios/backup/upload instead. |
| data_usage_path | string | Optional | Server-side path to a DataUsage.sqlite database. Service-only. |
| sysdiagnose_path | string | Optional | Server-side path to a sysdiagnose archive. Service-only — clients upload via /forensics/ios/sysdiagnose/upload instead. |
| include_timeline | boolean | Optional | When true, the response includes a chronological event timeline. |

Inline Data Is Open; Paths Are Service-Only

The inline text fields shutdown_log and logcat_data are open to all clients — pass the log contents directly. The *_path fields reference files on the OrbGuard server filesystem, so they are restricted to service-to-service callers; a client that sets any *_path field receives 403. To include a backup, sysdiagnose, or bugreport from a real device, upload it with the multipart endpoints documented below and OrbGuard handles the rest.

curl -X POST https://guard.orbai.world/api/v1/forensics/full-analysis \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d "$(jq -n \
    --arg dev 'iphone-14-pro-abc123' \
    --rawfile log /path/to/shutdown.log \
    '{device_id:$dev, platform:"ios", shutdown_log:$log, include_timeline:true}')"

200: Full forensic analysis complete (same ForensicResult shape as the single-artifact endpoints)
{
  "id": "scan_full_9a8b7c6d5e4f",
  "device_id": "iphone-14-pro-abc123",
  "platform": "ios",
  "scan_type": "full_analysis",
  "total_anomalies": 3,
  "critical_count": 2,
  "high_count": 1,
  "medium_count": 0,
  "low_count": 0,
  "infection_likelihood": 0.91,
  "detected_threats": [
    { "name": "Pegasus", "type": "pegasus", "confidence": 0.91 }
  ],
  "timeline": [
    {
      "timestamp": "2026-01-15T03:22:14Z",
      "event": "Pegasus processes detected across shutdown log",
      "severity": "critical"
    }
  ],
  "recommendations": [
    "Isolate the device from all networks immediately.",
    "Preserve the device for forensic investigation — do not factory reset.",
    "Enable Lockdown Mode (iOS 16+) and rotate all credentials from a clean device."
  ]
}

403: A server-side path field was set by a non-service caller
{
  "error": "path-based analysis references server-side files and is service-only; upload artifacts to the /api/v1/forensics/.../upload endpoints instead"
}
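A client-side wrapper for this endpoint, added here as an example (it is not OrbGuard's own SDK). It builds the JSON body from inline text only, refuses to emit any of the service-only *_path fields before the server would answer 403, enforces the ~10 MB inline cap and 120 s timeout the docs state, and reduces a returned ForensicResult to the fields an analyst triages first. The base URL and token are assumed to come from the caller; the sample response is constructed from the 200 example above so the summariser runs offline, and the `act_now` rule is this example's own, not an OrbGuard threshold.

```python
"""Client helper for POST /api/v1/forensics/full-analysis (added example)."""
import json
import urllib.request

INLINE_TEXT_LIMIT = 10 * 1024 * 1024  # ~10 MB cap on inline shutdown.log / logcat text
PATH_FIELDS = {"backup_path", "data_usage_path", "sysdiagnose_path"}  # service-only
INLINE_FIELDS = ("shutdown_log", "logcat_data")


def reject_service_only_fields(payload):
    """Fail fast: a non-service caller that sets any *_path field gets a 403."""
    leaked = PATH_FIELDS & set(payload)
    if leaked:
        raise ValueError(f"service-only fields set: {sorted(leaked)}; upload the artifact instead")
    return payload


def build_full_analysis_payload(device_id, platform, shutdown_log=None,
                                logcat_data=None, include_timeline=True):
    """Assemble the JSON body using only the inline text fields."""
    if platform not in ("ios", "android"):
        raise ValueError("platform must be 'ios' or 'android'")
    payload = {"device_id": device_id, "platform": platform,
               "include_timeline": include_timeline}
    for key, text in zip(INLINE_FIELDS, (shutdown_log, logcat_data)):
        if text is None:
            continue
        if len(text.encode("utf-8")) > INLINE_TEXT_LIMIT:
            raise ValueError(f"{key} exceeds the ~10 MB inline limit; use the upload endpoint")
        payload[key] = text
    # Client-side choice: without a *_path field, an empty request analyses nothing.
    if not any(k in payload for k in INLINE_FIELDS):
        raise ValueError("at least one of shutdown_log or logcat_data is required")
    return reject_service_only_fields(payload)


def post_full_analysis(base_url, token, payload, timeout=120):
    """POST the payload; 120 s is the minimum timeout the docs recommend."""
    req = urllib.request.Request(
        f"{base_url}/api/v1/forensics/full-analysis",
        data=json.dumps(payload).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def summarize_result(result):
    """Reduce a ForensicResult to the fields an analyst triages first.

    'act_now' is this example's own rule (any critical anomaly, or
    infection_likelihood >= 0.8), not a threshold defined by OrbGuard.
    """
    timeline = sorted(result.get("timeline", []), key=lambda e: e["timestamp"])
    worst = min((e["severity"] for e in timeline),
                key=lambda s: SEVERITY_RANK.get(s, 99), default=None)
    return {
        "scan_id": result["id"],
        "infection_likelihood": result["infection_likelihood"],
        "threats": [t["name"] for t in result.get("detected_threats", [])],
        "anomalies": result["total_anomalies"],
        "critical_and_high": result["critical_count"] + result["high_count"],
        "first_event": timeline[0]["timestamp"] if timeline else None,
        "worst_severity": worst,
        "act_now": result["critical_count"] > 0 or result["infection_likelihood"] >= 0.8,
    }


# Constructed sample: the docs' 200 response, trimmed to the fields used here.
SAMPLE_RESULT = {
    "id": "scan_full_9a8b7c6d5e4f", "device_id": "iphone-14-pro-abc123",
    "platform": "ios", "scan_type": "full_analysis",
    "total_anomalies": 3, "critical_count": 2, "high_count": 1,
    "medium_count": 0, "low_count": 0, "infection_likelihood": 0.91,
    "detected_threats": [{"name": "Pegasus", "type": "pegasus", "confidence": 0.91}],
    "timeline": [{"timestamp": "2026-01-15T03:22:14Z",
                  "event": "Pegasus processes detected across shutdown log",
                  "severity": "critical"}],
}

if __name__ == "__main__":
    # Constructed one-line stand-in for a shutdown.log; a real run reads the file.
    payload = build_full_analysis_payload("iphone-14-pro-abc123", "ios",
                                          shutdown_log="constructed shutdown.log line\n")
    print(sorted(payload))
    print(summarize_result(SAMPLE_RESULT))
    # result = post_full_analysis("https://guard.orbai.world", "YOUR_TOKEN", payload)
```

Reading the log with `open(path, encoding="utf-8", errors="replace").read()` and passing it as `shutdown_log` is the Python equivalent of the `jq --rawfile` trick in the curl example; the size check runs before any bytes leave the host.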

Uploading Device Artifacts

For artifacts that live as files on a real device — iOS backups, sysdiagnose archives, and Android bugreports — use the multipart upload endpoints. Each accepts the artifact as a file form field plus an optional device_id field, streams it to a temporary location server-side, runs the matching parser, and deletes the temporary files afterward. Every upload returns the same ForensicResult shape as the analysis endpoints above.

Upload Limits

Large archives (iOS backups, sysdiagnose) are accepted up to ~500 MB. Small text artifacts (shutdown.log, logcat) are capped at ~10 MB. Set your HTTP client timeout to at least 120 seconds for large uploads.

| Artifact | Endpoint | Accepts | Notes |
|---|---|---|---|
| iOS shutdown log | POST /forensics/ios/shutdown-log/upload | .log / .txt | See iOS Shutdown Log |
| iOS backup | POST /forensics/ios/backup/upload | .zip | Archive is extracted and scanned server-side |
| iOS sysdiagnose | POST /forensics/ios/sysdiagnose/upload | .tar.gz / .tgz / .zip | Deepest iOS analysis |
| Android logcat | POST /forensics/android/logcat/upload | .txt / .log | See Android Logcat |
| Android bugreport | POST /forensics/android/bugreport/upload | .zip (from adb bugreport) or .txt | Bugreport text is extracted from the archive |

Upload an iOS Sysdiagnose Archive

POST /api/v1/forensics/ios/sysdiagnose/upload

Upload a sysdiagnose archive for deep iOS spyware analysis

Authentication: Bearer Token

| Parameter | Type | Required | Description |
|---|---|---|---|
| file | file | Required | The sysdiagnose archive (.tar.gz, .tgz, or .zip). Sent as multipart form data. |
| device_id | string | Optional | Identifier for the device. Sent as a form field. |

curl -X POST https://guard.orbai.world/api/v1/forensics/ios/sysdiagnose/upload \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -F "file=@/path/to/sysdiagnose_2026-01-15.tar.gz" \
  -F "device_id=iphone-14-pro-abc123"

Upload an Android Bugreport

POST /api/v1/forensics/android/bugreport/upload

Upload an Android bugreport for forensic analysis

Authentication: Bearer Token

| Parameter | Type | Required | Description |
|---|---|---|---|
| file | file | Required | The bugreport — either the .zip produced by `adb bugreport` or a plain bugreport .txt. Sent as multipart form data. |
| device_id | string | Optional | Identifier for the device. Sent as a form field. |

# Capture a bugreport with ADB, then upload it
adb bugreport bugreport.zip

curl -X POST https://guard.orbai.world/api/v1/forensics/android/bugreport/upload \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -F "file=@bugreport.zip" \
  -F "device_id=pixel-8-pro-xyz456"

Upload an iOS Backup

POST /api/v1/forensics/ios/backup/upload

Upload an iOS backup archive for forensic analysis

Authentication: Bearer Token

| Parameter | Type | Required | Description |
|---|---|---|---|
| file | file | Required | A zipped iOS backup. The archive is extracted and scanned across app data, preferences, and system files. Sent as multipart form data. |
| device_id | string | Optional | Identifier for the device. Sent as a form field. |

curl -X POST https://guard.orbai.world/api/v1/forensics/ios/backup/upload \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -F "file=@/path/to/ios-backup.zip" \
  -F "device_id=iphone-14-pro-abc123"
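One upload helper covering all five multipart endpoints in the table above, added as an example (not OrbGuard's own client). It maps platform and artifact kind to the endpoint (with the /api/v1 prefix the full paths use), rejects file types the table does not list, enforces the ~500 MB archive and ~10 MB text caps before any bytes are sent, and hand-encodes the multipart body with the standard library so the `file` and `device_id` parts match what the curl `-F` flags produce. Treating an Android bugreport .zip as a large archive is this example's assumption; the docs state the 500 MB cap only for iOS backups and sysdiagnose.

```python
"""Multipart upload helper for the OrbGuard artifact endpoints (added example)."""
import json
import os
import uuid
import urllib.request

MB = 1024 * 1024
ARCHIVE_SUFFIXES = (".tar.gz", ".tgz", ".zip")
ARCHIVE_LIMIT, TEXT_LIMIT = 500 * MB, 10 * MB   # ~500 MB archives, ~10 MB text

# (platform, artifact) -> (endpoint, accepted suffixes), from the endpoint table
ENDPOINTS = {
    ("ios", "shutdown-log"): ("/api/v1/forensics/ios/shutdown-log/upload", (".log", ".txt")),
    ("ios", "backup"): ("/api/v1/forensics/ios/backup/upload", (".zip",)),
    ("ios", "sysdiagnose"): ("/api/v1/forensics/ios/sysdiagnose/upload", (".tar.gz", ".tgz", ".zip")),
    ("android", "logcat"): ("/api/v1/forensics/android/logcat/upload", (".txt", ".log")),
    ("android", "bugreport"): ("/api/v1/forensics/android/bugreport/upload", (".zip", ".txt")),
}


def select_endpoint(platform, artifact, filename):
    """Pick the upload path for an artifact, rejecting file types the table omits."""
    try:
        path, suffixes = ENDPOINTS[(platform, artifact)]
    except KeyError:
        raise ValueError(f"no upload endpoint for {platform}/{artifact}") from None
    name = os.path.basename(filename).lower()
    if not name.endswith(suffixes):
        raise ValueError(f"{filename}: expected one of {suffixes}")
    return path


def check_size(filename, size):
    """Enforce the documented caps before spending bandwidth on a doomed upload.

    Assumption: any archive suffix (including a bugreport .zip) gets the 500 MB cap.
    """
    limit = ARCHIVE_LIMIT if filename.lower().endswith(ARCHIVE_SUFFIXES) else TEXT_LIMIT
    if size > limit:
        raise ValueError(f"{filename} is {size // MB} MB, over the ~{limit // MB} MB cap")
    return limit


def encode_multipart(fields, filename, file_bytes, boundary=None):
    """Build a multipart/form-data body: text fields first, then the 'file' part."""
    boundary = boundary or uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append((f"--{boundary}\r\nContent-Disposition: form-data; "
                      f"name=\"{name}\"\r\n\r\n{value}\r\n").encode("utf-8"))
    safe_name = os.path.basename(filename)   # send only the file name, never a local path
    parts.append((f"--{boundary}\r\nContent-Disposition: form-data; name=\"file\"; "
                  f"filename=\"{safe_name}\"\r\n"
                  "Content-Type: application/octet-stream\r\n\r\n").encode("utf-8"))
    parts.append(file_bytes + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode("utf-8"))
    return f"multipart/form-data; boundary={boundary}", b"".join(parts)


def upload_artifact(base_url, token, platform, artifact, path, device_id=None, timeout=120):
    """Validate, encode and POST one artifact; returns the ForensicResult dict."""
    endpoint = select_endpoint(platform, artifact, path)
    check_size(path, os.path.getsize(path))
    fields = {"device_id": device_id} if device_id else {}
    with open(path, "rb") as fh:
        content_type, body = encode_multipart(fields, path, fh.read())
    req = urllib.request.Request(
        base_url + endpoint, data=body, method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": content_type},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:   # 120 s per the docs
        return json.load(resp)


if __name__ == "__main__":
    # Constructed zip header bytes stand in for a real `adb bugreport` archive.
    ct, body = encode_multipart({"device_id": "pixel-8-pro-xyz456"},
                                "/home/analyst/bugreport.zip", b"PK\x03\x04", boundary="demo")
    print(select_endpoint("android", "bugreport", "bugreport.zip"))
    print(ct)
    print(body.decode("latin-1"))
    # upload_artifact("https://guard.orbai.world", "YOUR_TOKEN", "android",
    #                 "bugreport", "bugreport.zip", device_id="pixel-8-pro-xyz456")
```

`upload_artifact` reads the whole file into memory, which is fine for logs but a poor fit for a 500 MB sysdiagnose; for archives of that size use a client that streams the multipart body (for example the `requests` library's `files=` argument), keeping the same endpoint and size checks in front of it.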

Which Endpoint Should I Use?

For a fast triage, start with Quick Check. For a single confirmed artifact, use the shutdown-log or logcat endpoint. For the deepest investigation — correlating multiple artifacts with a timeline — use full analysis here, uploading backups and sysdiagnose archives as needed.