$ cat /docs/methodology.md
FORENSIC STANDARDS | REPRODUCIBLE

FORENSIC METHODOLOGY

How we conduct investigations. Every claim is reproducible. Every finding is verifiable. No anonymous sources.

//CORE_PRINCIPLES

REPRODUCIBILITY

Every finding can be independently verified. We provide the exact conditions, tools, and steps needed to reproduce our results.

CHAIN_OF_CUSTODY

All evidence is cryptographically hashed and timestamped. Forensic packages include SHA256 hashes for integrity verification.

ADVERSARIAL_TESTING

We actively seek to disprove our findings. Only claims that survive rigorous counter-testing are published.

//INVESTIGATION_PROCESS

01

Network Traffic Capture

We capture all network requests from a clean browser profile using Chrome DevTools Protocol. HAR files preserve the complete request/response cycle with precise timing data.

Tools: Chrome DevTools, mitmproxy, Wireshark

02

Script Deobfuscation

Third-party scripts are extracted and deobfuscated to reveal their true behavior. We document every data collection mechanism and transmission endpoint.

Tools: AST parsing, de4js, manual analysis

03

Timeline Reconstruction

We establish precise timing of events: when scripts load, when data is captured, when consent banners appear. This reveals the 'liability gap': unauthorized collection that occurs before consent.

Tools: Performance.timing, Resource Timing API, Network timestamps

04

Payload Analysis

All transmitted data is decoded, documented, and categorized. We identify PII, behavioral data, device fingerprints, and third-party enrichment calls.

Tools: Email hashes, IP, User-Agent, Canvas fingerprints, WebGL

05

Evidence Packaging

Findings are compiled into forensic evidence packs with chain-of-custody hashes. Packages include HAR files, deobfuscated source, screenshots, and timeline data.

Tools: ZIP with SHA256 manifest, PDF report, JSON timeline
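
The timeline and packaging steps above can be sketched as follows. This is an added example, not the organization's own tooling: it lists third-party requests in a HAR capture that started before consent was recorded, then hashes the resulting JSON timeline for a manifest entry. The host names, the consent timestamp, the function names and the simplified third-party check are all assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample: a trimmed HAR 1.2 log holding only the fields used here.
SAMPLE_HAR = {"log": {"entries": [
    {"startedDateTime": "2024-01-01T12:00:00.000Z",
     "request": {"url": "https://shop.example/"}},
    {"startedDateTime": "2024-01-01T12:00:00.420Z",
     "request": {"url": "https://cdn.tracker.example/t.js"}},
    {"startedDateTime": "2024-01-01T12:00:01.150Z",
     "request": {"url": "https://collect.tracker.example/e"}},
    {"startedDateTime": "2024-01-01T12:00:05.000Z",
     "request": {"url": "https://collect.tracker.example/e"}},
]}}
# Constructed: the moment the consent banner was accepted, observed separately.
CONSENT_AT = "2024-01-01T12:00:03.000Z"

def _ts(value):
    """Parse a HAR ISO 8601 timestamp; 'Z' is rewritten for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def is_third_party(host, first_party):
    """Simplified check: host is neither the site nor one of its subdomains."""
    return host != first_party and not host.endswith("." + first_party)

def pre_consent_requests(har, first_party, consent_at):
    """Return third-party requests that started before consent, in time order."""
    consent = _ts(consent_at)
    rows = []
    for entry in har["log"]["entries"]:
        started = _ts(entry["startedDateTime"])
        host = urlparse(entry["request"]["url"]).hostname or ""
        if is_third_party(host, first_party) and started < consent:
            rows.append({
                "host": host,
                "started": entry["startedDateTime"],
                "ms_before_consent": round((consent - started).total_seconds() * 1000),
            })
    return sorted(rows, key=lambda r: _ts(r["started"]))

def package_timeline(rows):
    """Serialize deterministically; return (bytes, SHA256 hex) for the manifest."""
    blob = json.dumps(rows, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return blob, hashlib.sha256(blob).hexdigest()

if __name__ == "__main__":
    print(package_timeline(pre_consent_requests(SAMPLE_HAR, "shop.example", CONSENT_AT)))
```

Serializing with sorted keys and fixed separators keeps the timeline bytes, and therefore the recorded hash, identical across re-runs on the same capture.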

//FROM_SIGNAL_TO_EXPLOIT_CHAIN

Detection alone does not guarantee escalation. A finding becomes a BTI advisory when there is a demonstrable exploit path and consequence.

01

SIGNAL

What we observed: pixels, cookies, network endpoints, script behavior, obfuscation patterns.

Example:

Keystroke capture before form submit

02

EXPLOITABILITY

What can be done with it: PII capture, attribution distortion, identity graph abuse, consent bypass.

Example:

Email captured and hashed to third-party before consent

03

IMPACT

The consequence: privacy violation, legal liability, revenue distortion, security exposure.

Example:

GDPR violation, $10K+ per incident liability exposure

This is why we're not a "security rating." Security ratings give you 10,000 yellow warnings. We give you a focused list of what's exploitable now, with the evidence chain to prove it.

//WHAT_WE_DON'T_DO

No Anonymous Sources

We don't publish claims based on unnamed insiders or leaked documents without independent technical verification.

No Speculation

Findings are limited to what we can technically demonstrate. We don't infer intent or speculate on business motivations.

No Pay-for-Play

Vendors cannot pay to influence findings, delay publication, or have investigations removed.

No Embargo Violations

If we responsibly disclose to a vendor before publication, we honor the agreed timeline.

SEE IT IN ACTION

Review our published investigations to see this methodology applied to real-world cases.