Quick Device Check
Perform a rapid forensic check on iOS or Android device data, and query available forensic analysis capabilities.
Quick Device Check
Perform a rapid forensic scan on device data without specifying the exact artifact type. OrbGuard automatically detects the data format and runs a streamlined analysis optimized for speed. This endpoint provides faster results with slightly lower accuracy compared to the dedicated shutdown-log and logcat endpoints.
POST /api/v1/forensics/quick-check
Perform a rapid forensic check on device data for both iOS and Android.
| Parameter | Type | Required | Description |
|---|---|---|---|
| platform | string | Required | The device platform. Must be one of: ios, android |
| data | string | Required | Base64-encoded device data (shutdown log, logcat dump, or other supported artifacts) |
Quick Check vs. Full Analysis
The quick check endpoint is designed for real-time scanning scenarios where speed is more important than exhaustive analysis. It typically completes in 2-5 seconds compared to 10-60 seconds for full analysis. For the most thorough results, use the dedicated iOS shutdown log or Android logcat endpoints.
```bash
# Quick check an iOS device
# Strip newlines: GNU base64 wraps its output at 76 columns, which would break the JSON string
DEVICE_DATA=$(base64 -i /path/to/shutdown.log | tr -d '\n')
curl -X POST https://guard.orbai.world/api/v1/forensics/quick-check \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d "{
    \"platform\": \"ios\",
    \"data\": \"$DEVICE_DATA\"
  }"
```

Example response:

```json
{
  "id": "scan_quick_5a6b7c8d9e0f",
  "device_id": null,
  "platform": "ios",
  "scan_type": "quick_check",
  "started_at": "2026-02-08T10:30:00Z",
  "completed_at": "2026-02-08T10:30:03Z",
  "duration_ms": 3200,
  "total_anomalies": 1,
  "critical_count": 1,
  "high_count": 0,
  "medium_count": 0,
  "low_count": 0,
  "anomalies": [
    {
      "id": "anom_quick_001",
      "type": "suspicious_process",
      "severity": "critical",
      "confidence": 88,
      "title": "Potential Pegasus Process Signature",
      "description": "Process name matching known Pegasus artifact detected in quick scan. Run full shutdown log analysis for detailed confirmation.",
      "path": "/private/var/db/com.apple.xpc.roleaccountd.staging/bh",
      "process_name": "bh",
      "process_pid": null,
      "timestamp": "2026-01-15T03:22:14Z",
      "mitre_techniques": ["T1059"],
      "evidence": "Quick scan pattern match on known Pegasus binary name"
    }
  ],
  "timeline": [
    {
      "timestamp": "2026-01-15T03:22:14Z",
      "event": "Potential Pegasus process detected",
      "severity": "critical"
    }
  ],
  "infection_likelihood": 0.82,
  "detected_threats": [
    {
      "name": "Pegasus (preliminary)",
      "type": "pegasus",
      "confidence": 0.82
    }
  ],
  "recommendations": [
    "Quick scan detected potential Pegasus indicators. Run a full iOS shutdown log analysis for confirmation.",
    "Do not reset or modify the device until full analysis is complete.",
    "Enable Lockdown Mode immediately as a precautionary measure."
  ]
}
```

Example error response:

```json
{
  "success": false,
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Invalid platform. Must be one of: ios, android"
  }
}
```

List Forensic Capabilities
Query the available forensic analysis capabilities, supported platforms, artifact types, and detected threat categories. Use this endpoint to discover what analysis types are available and their current status.
GET /api/v1/forensics/capabilities
List all available forensic analysis capabilities and supported platforms.

```bash
curl -X GET https://guard.orbai.world/api/v1/forensics/capabilities \
  -H "Authorization: Bearer YOUR_API_KEY"
```

Example response:

```json
{
  "ios": {
    "shutdown_log": {
      "name": "iOS Shutdown Log Analysis",
      "description": "Analyze iOS shutdown.log for Pegasus and mercenary spyware artifacts",
      "endpoint": "/api/v1/forensics/ios/shutdown-log",
      "upload_endpoint": "/api/v1/forensics/ios/shutdown-log/upload",
      "supported_versions": "iOS 14.0+",
      "max_file_size_mb": 50,
      "avg_processing_time_ms": 12000,
      "status": "active"
    },
    "backup": {
      "name": "iOS Backup Analysis",
      "description": "Deep analysis of iOS backup archives for spyware traces across app data, preferences, and system files",
      "endpoint": "/api/v1/forensics/ios/backup",
      "supported_versions": "iOS 14.0+",
      "max_file_size_mb": 500,
      "avg_processing_time_ms": 60000,
      "status": "active"
    }
  },
  "android": {
    "logcat": {
      "name": "Android Logcat Analysis",
      "description": "Analyze Android logcat dumps for spyware, stalkerware, and suspicious process activity",
      "endpoint": "/api/v1/forensics/android/logcat",
      "upload_endpoint": "/api/v1/forensics/android/logcat/upload",
      "supported_versions": "Android 10+",
      "max_file_size_mb": 50,
      "avg_processing_time_ms": 18000,
      "status": "active"
    }
  },
  "threats_detected": [
    "pegasus",
    "predator",
    "reign",
    "candiru",
    "quadream",
    "stalkerware",
    "generic_spyware",
    "unknown_apt"
  ],
  "version": "2.4.1"
}
```

Capability Discovery
Use this endpoint to dynamically determine which analysis types are available before submitting data. The status field indicates whether a capability is active, beta, or maintenance.
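
The following added example (not OrbGuard's own client code) ties capability discovery to the quick check: given a quick-check result, it decides whether to escalate and picks the full-analysis endpoint only if that capability is currently active and the artifact fits its size limit. The function names, the 0.5 escalation threshold, the reading of `max_file_size_mb` as MiB of raw data, and the trimmed sample responses are assumptions made for illustration.

```python
import json

# Constructed sample: trimmed capabilities response. The android status is set to
# "maintenance" here (the page shows "active") to exercise the unavailable path.
CAPS = json.loads("""{
  "ios": {"shutdown_log": {"endpoint": "/api/v1/forensics/ios/shutdown-log",
                           "max_file_size_mb": 50, "status": "active"}},
  "android": {"logcat": {"endpoint": "/api/v1/forensics/android/logcat",
                         "max_file_size_mb": 50, "status": "maintenance"}},
  "threats_detected": ["pegasus"], "version": "2.4.1"
}""")

# Constructed sample: the fields of a quick-check response that drive triage.
QUICK = {"platform": "ios", "critical_count": 1, "high_count": 0,
         "infection_likelihood": 0.82}

PLATFORMS = ("ios", "android")


def usable(caps, platform, allow_beta=False):
    """Return {artifact_type: entry} for capabilities that can take data now."""
    if platform not in PLATFORMS:
        raise ValueError("platform must be one of: ios, android")
    accepted = {"active", "beta"} if allow_beta else {"active"}
    return {name: entry for name, entry in caps.get(platform, {}).items()
            if entry.get("status") in accepted}


def needs_full_analysis(quick, threshold=0.5):
    """Assumed policy: any critical/high anomaly or likelihood >= threshold."""
    return (quick.get("critical_count", 0) > 0
            or quick.get("high_count", 0) > 0
            or quick.get("infection_likelihood", 0.0) >= threshold)


def plan_followup(quick, caps, artifact, size_bytes):
    """Return the full-analysis endpoint to call next, or None if no follow-up."""
    if not needs_full_analysis(quick):
        return None
    entry = usable(caps, quick["platform"]).get(artifact)
    if entry is None:
        raise LookupError(f"{artifact} is not active for {quick['platform']}")
    # Assumption: max_file_size_mb counts MiB of the raw (pre-base64) artifact.
    if size_bytes > entry["max_file_size_mb"] * 1024 * 1024:
        raise ValueError(f"{artifact} exceeds max_file_size_mb")
    return entry["endpoint"]


if __name__ == "__main__":
    print(plan_followup(QUICK, CAPS, "shutdown_log", 2_000_000))
```

In a real client, `CAPS` would be the parsed body of the capabilities request and `QUICK` the parsed quick-check response.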