Quick Device Check
Perform a rapid forensic check on iOS or Android device data, and query available forensic analysis capabilities.
Quick Device Check
Perform a rapid forensic scan on device data without specifying the exact artifact type. OrbGuard automatically detects the data format and runs a streamlined analysis optimized for speed. This endpoint provides faster results with slightly lower accuracy compared to the dedicated shutdown-log and logcat endpoints.
/api/v1/forensics/quick-check
Perform a rapid forensic check on device data for both iOS and Android
| Parameter | Type | Required | Description |
|---|---|---|---|
| platform | string | Required | The device platform. Must be one of: ios, android |
| log_data | string | Required | The plain-text device data to scan (an iOS shutdown log or an Android logcat dump). Not Base64-encoded. |
Quick Check vs. Full Analysis
The quick check endpoint is designed for real-time scanning scenarios where speed is more important than exhaustive analysis. It typically completes in 2-5 seconds compared to 10-60 seconds for full analysis. For the most thorough results, use the dedicated iOS shutdown log or Android logcat endpoints.
# Quick check an iOS device (plain-text log, no Base64)
curl -X POST https://guard.orbai.world/api/v1/forensics/quick-check \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
--data-binary @<(jq -Rs '{platform:"ios", log_data:.}' /path/to/shutdown.log)
{
"id": "scan_quick_5a6b7c8d9e0f",
"device_id": null,
"platform": "ios",
"scan_type": "quick_check",
"started_at": "2026-02-08T10:30:00Z",
"completed_at": "2026-02-08T10:30:03Z",
"duration_ms": 3200,
"total_anomalies": 1,
"critical_count": 1,
"high_count": 0,
"medium_count": 0,
"low_count": 0,
"anomalies": [
{
"id": "anom_quick_001",
"type": "suspicious_process",
"severity": "critical",
"confidence": 88,
"title": "Potential Pegasus Process Signature",
"description": "Process name matching known Pegasus artifact detected in quick scan. Run full shutdown log analysis for detailed confirmation.",
"path": "/private/var/db/com.apple.xpc.roleaccountd.staging/bh",
"process_name": "bh",
"process_pid": null,
"timestamp": "2026-01-15T03:22:14Z",
"mitre_techniques": ["T1059"],
"evidence": "Quick scan pattern match on known Pegasus binary name"
}
],
"timeline": [
{
"timestamp": "2026-01-15T03:22:14Z",
"event": "Potential Pegasus process detected",
"severity": "critical"
}
],
"infection_likelihood": 0.82,
"detected_threats": [
{
"name": "Pegasus (preliminary)",
"type": "pegasus",
"confidence": 0.82
}
],
"recommendations": [
"Quick scan detected potential Pegasus indicators. Run a full iOS shutdown log analysis for confirmation.",
"Do not reset or modify the device until full analysis is complete.",
"Enable Lockdown Mode immediately as a precautionary measure."
]
}
{
"error": "invalid request body"
}
List Forensic Capabilities
Query the available forensic analysis capabilities, supported platforms, artifact types, and detected threat categories. Use this endpoint to discover what analysis types are available and their current status.
/api/v1/forensics/capabilities
List all available forensic analysis capabilities and supported platforms
curl -X GET https://guard.orbai.world/api/v1/forensics/capabilities \
-H "Authorization: Bearer YOUR_TOKEN"
{
"ios": {
"shutdown_log": true,
"backup": true,
"data_usage": true,
"sysdiagnose": true
},
"android": {
"logcat": true,
"app_analysis": true
},
"general": {
"full_analysis": true,
"quick_check": true,
"ioc_scanning": true
},
"version": "1.0.0",
"supported_platforms": ["ios", "android"]
}
Capability Discovery
Each boolean indicates whether that analysis path is available in the running engine. Pair this with GET /api/v1/forensics/iocs/stats to see how many spyware indicators of compromise are currently loaded.
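Because the quick check trades accuracy for speed, a client should decide from its response whether to follow up with the dedicated analysis and confirm in the capabilities response that this path is enabled. The Python below is an added example, not OrbGuard's own code: the function names, the 0.5 likelihood threshold and the escalation rule are assumptions, and the platform-to-capability mapping is inferred from the sample responses above.

```python
import json

VALID_PLATFORMS = {"ios", "android"}
# Capability key of the dedicated full-analysis path per platform, as named
# in the capabilities response shown on this page.
FULL_ANALYSIS_CAPABILITY = {"ios": "shutdown_log", "android": "logcat"}
SEVERITIES = ("critical", "high", "medium", "low")

def build_quick_check_body(platform, log_text):
    """Validate inputs and return the JSON body for the quick-check request."""
    if platform not in VALID_PLATFORMS:
        raise ValueError("platform must be one of: ios, android")
    if not isinstance(log_text, str) or not log_text.strip():
        raise ValueError("log_data must be non-empty plain text")
    return json.dumps({"platform": platform, "log_data": log_text})

def triage(result, capabilities, likelihood_threshold=0.5):
    """Decide on escalation; the threshold is an assumed local policy value."""
    if "error" in result:
        raise ValueError("quick check failed: " + str(result["error"]))
    platform = result.get("platform")
    anomalies = result.get("anomalies", [])
    # Recount severities instead of trusting the summary fields blindly.
    counted = {s: sum(a.get("severity") == s for a in anomalies) for s in SEVERITIES}
    mismatched = [s for s in SEVERITIES if result.get(s + "_count", 0) != counted[s]]
    if result.get("total_anomalies", 0) != len(anomalies):
        mismatched.append("total")
    escalate = (counted["critical"] > 0 or counted["high"] > 0
                or result.get("infection_likelihood", 0.0) >= likelihood_threshold)
    cap = FULL_ANALYSIS_CAPABILITY.get(platform)
    available = bool(capabilities.get(platform, {}).get(cap))
    return {"escalate": escalate, "full_analysis": cap,
            "full_analysis_available": available, "count_mismatches": mismatched,
            "threats": [t["name"] for t in result.get("detected_threats", [])]}

# Trimmed copies of the sample responses shown on this page.
SAMPLE_RESULT = {
    "platform": "ios", "total_anomalies": 1, "critical_count": 1,
    "high_count": 0, "medium_count": 0, "low_count": 0,
    "anomalies": [{"id": "anom_quick_001", "severity": "critical"}],
    "infection_likelihood": 0.82,
    "detected_threats": [{"name": "Pegasus (preliminary)", "type": "pegasus"}],
}
SAMPLE_CAPS = {"ios": {"shutdown_log": True}, "android": {"logcat": True}}

if __name__ == "__main__":
    print(triage(SAMPLE_RESULT, SAMPLE_CAPS))
```

A non-empty `count_mismatches` means the summary counters disagree with the anomaly list, so the response should be reviewed by hand rather than acted on automatically.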