Trusted partners only
This service is offered to trusted partners only. Please reach out first so we can make an introduction before
using this workflow.
BARGHEST conducts DFIR for trusted partners who are concerned about spyware and need forensic support. We are not actively a threat
lab. This service exists so that our partners (helplines, journalists, activists, and threat labs themselves) can escalate issues for
manual triage and, where needed, deeper forensic analysis.
If you are not already in contact with us, please email info@barghest.asia to introduce yourself and your case before sending any
diagnostic data.
Before you begin
This page explains how to collect diagnostic data for manual triage by BARGHEST. These artefacts can help us identify suspicious
behaviour, indicators of compromise, exploit-related crashes, unusual network activity, or other signs that a device may require
deeper forensic review.
Diagnostic bundles should be treated as sensitive forensic artefacts. They generally do not contain full message histories, photos, or
encrypted app data, but they may include device identifiers, app usage metadata, network endpoints, Wi-Fi names, email addresses,
contact references in logs, and other contextual information.
When possible, encrypt your submission using our PGP key before sending it to info@barghest.asia.
Before submitting diagnostic data, please read our research and DFIR privacy policy, which explains how we handle forensic artefacts,
investigation data, retention, sharing, and security safeguards.
Choose your device
Android
Collect a full Android bug report. This creates a .zip file containing system logs, crash traces, process state, installed
app metadata, permissions, network summaries, and device configuration.
- Open Settings → About phone.
- Tap Build number 7 times to enable Developer Options.
- Go to Settings → Developer Options → Take bug report.
- Select Full report.
- Wait for the report to complete. This may take several minutes.
- Save the generated bugreport.zip.
- Disable Developer Options after collection.
Advanced users may also collect the report with adb bugreport from a trusted computer.
iOS
Collect an iOS sysdiagnose. This creates a diagnostic bundle containing system and application logs, crash reports, analytics
logs, networking state, and process/service metadata.
- Press Volume Up, Volume Down, and the Side button at the same time.
- Hold briefly, around 1 second, then release when you feel a vibration.
- Wait 5-10 minutes. There may be no visible progress indicator.
- Open the Files app.
- Check On My iPhone → Logs, CrashReporter, DiagnosticLogs, or Analytics Data.
- Find the newest file named like sysdiagnose_YYYY.MM.DD_HH-MM-SS.tar.gz.
- Compress the sysdiagnose file into a .zip before sending if your mail client or encryption workflow requires a ZIP container.
Android Pixel intrusion logging
If you use a supported Pixel device with Android Advanced Protection Mode and Intrusion Logging enabled, you may also be able to share
Android Intrusion Logging data. This can provide additional consensual forensic visibility into events such as device unlocks, ADB
interactions, package installation or removal, DNS lookups, and network connections.
Intrusion Logging is not a retroactive collection method. It only helps if it was enabled before the suspicious event or high-risk
period. It also requires Android 16 or later, a supported Pixel device, and a Google account. Because these logs may include sensitive
information such as browsing or network history, share them only with trusted forensic analysts and use encrypted transfer where
possible.
- Open Settings → Security & privacy → Advanced Protection.
- Confirm Device protection is enabled.
- Open Intrusion Logging and confirm it is enabled.
- If you need to export logs, open Intrusion Logging → Access logs.
- Select Download and decrypt, then approve the request with your PIN or biometric authentication.
- Open the Files app and go to Downloads → Intrusion Logging.
- Compress the downloaded logs into a ZIP and send them with your Android bug report where possible.
Background: Amnesty International Security Lab has published a technical briefing on Android Intrusion Logging as a source of
consensual forensic data.
Send the file
Send the collected ZIP to info@barghest.asia.
Include the device type, approximate time of suspected activity, your preferred contact method, and a short description of what
prompted the escalation. By sending diagnostic data, you acknowledge our research and DFIR privacy policy.
If the ZIP is too large for email, contact us first and do not upload it to public file-sharing services. We will agree a safer
transfer method.
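As an added example (not BARGHEST's own tooling), the script below picks the newest sysdiagnose archive by the timestamp in its filename, wraps it in a ZIP together with a small manifest carrying the details requested above, and records the artefact's SHA-256 so the analyst can confirm the bundle arrived intact. The manifest field names and the output path are assumptions; the same function also works on an Android bugreport.zip.

```python
"""Added example, not BARGHEST's code: prepare a diagnostic bundle for submission."""
import hashlib
import json
import re
import zipfile
from datetime import datetime
from pathlib import Path

# Naming pattern used by iOS: sysdiagnose_YYYY.MM.DD_HH-MM-SS.tar.gz
SYSDIAG_RE = re.compile(r"^sysdiagnose_(\d{4}\.\d{2}\.\d{2}_\d{2}-\d{2}-\d{2})\.tar\.gz$")


def sysdiagnose_timestamp(name: str):
    """Return the capture time encoded in a sysdiagnose filename, or None if it does not match."""
    m = SYSDIAG_RE.match(name)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y.%m.%d_%H-%M-%S")


def newest_sysdiagnose(names):
    """Pick the most recent sysdiagnose archive from a list of filenames (None if there is none)."""
    candidates = [(sysdiagnose_timestamp(n), n) for n in names]
    candidates = [c for c in candidates if c[0] is not None]
    return max(candidates)[1] if candidates else None


def sha256_file(path: Path) -> str:
    """Hash the artefact in chunks so large bug reports do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_submission(artefact: Path, out_zip: Path, device: str, suspected_time: str, note: str) -> dict:
    """Zip the artefact with a manifest.json (field names assumed) and return that manifest."""
    manifest = {
        "device_type": device,                    # e.g. "iPhone 14, iOS 17.5"
        "suspected_activity_time": suspected_time,  # approximate, as requested above
        "description": note,                      # what prompted the escalation
        "artefact": artefact.name,
        "sha256": sha256_file(artefact),          # quote this in the covering email
    }
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as z:
        z.write(artefact, arcname=artefact.name)
        z.writestr("manifest.json", json.dumps(manifest, indent=2))
    return manifest
```

Encrypt the resulting ZIP to BARGHEST's PGP key before sending it, as described above.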
PGP public key
Use this key for encrypted submissions to info@barghest.asia.
What happens next
BARGHEST will parse logs and system artefacts, identify anomalies or potential indicators of compromise,
correlate events across system components, and provide an initial assessment where possible.
Initial outcomes may include no findings, suspicious activity, or a recommendation for deeper review.
Escalation to deeper forensics
If a credible threat is identified, BARGHEST may ask to escalate to deeper forensic analysis using MESH.
Deeper analysis may support secure remote ADB over an encrypted mesh network, live system interrogation, targeted artefact collection,
network traffic capture, and integration with tools such as MVT or AndroidQF.
This escalation is only requested when needed. Bug reports and sysdiagnose files are static snapshots; advanced threats may clean up
traces, operate intermittently, or avoid logging. Live analysis can provide higher-confidence findings when a snapshot is not enough.