Mythos capabilities

What you can upload to Mythos

Mythos analyzes nine modalities of digital evidence with specialized forensic tools. From doctored photos to deepfake videos, from phishing emails to pig-butchering WhatsApp chats: every asset becomes a cited verdict with SHA-256 chain of custody.

Nine forensic analysis modalities

Image

jpg · png · webp · heic

Doctored photos, fake brands, visual deepfakes.

  • Deep EXIF, IPTC, XMP metadata (camera + editor + GPS leak)
  • Brand recognition: Poste, Intesa, INPS, Carabinieri + 50 other brands
  • Error Level Analysis and copy-move/splice detection
  • OCR + extraction of IBANs, phone numbers, URLs, amounts, urgency words
  • JPEG quantization: native camera vs editor vs WhatsApp recompressed
  • Steganography (binwalk) and C2PA Content Credentials
  • Reverse image search on Google Lens
  • Hash reputation on VirusTotal (2500 queries/day pool)

PDF

signed documents, invoices, contracts

Embedded JavaScript, forged signatures, hidden attachments.

  • Embedded JavaScript extraction and OpenAction/Launch detection
  • Embedded files inventory
  • Digital signature validation (PAdES/CAdES)
  • Brand impersonation against 50+ known logos
  • Hash reputation on VirusTotal

Office

DOCX · XLSX · PPTX

VBA macros, DDE injection, disguised polyglots.

  • VBA macro decompilation with olevba
  • DDE injection detection
  • Hidden sheets and external template-injection links
  • Embedded OLE objects and hidden text
  • Polyglot detection (JAR/APK disguised as Office)

Email

EML · MSG

Forged headers, brand impersonation, unauthenticated sender.

  • SPF, DKIM, DMARC verdicts
  • ARC seal validation and BIMI verification
  • DKIM key tenure (anti-rotation abuse)
  • Received-chain anomalies (backwards timestamps = forged headers)
  • Header order analysis (fake MUA fingerprints)

URL

any suspicious domain or link

Phishing, malware drop, crypto drainers.

  • DNS posture and TLS posture
  • Multi-source reputation: urlscan.io + VirusTotal
  • Threat-intel aggregate score
  • Chainabuse for crypto-adjacent URLs (rug-pull, drainer)

Audio

mp3 · wav · m4a · ogg · opus · flac

Cloned voices, synthetic audio, vishing scams.

  • Full ffprobe metadata
  • Full transcription with Mythos audio engine
  • Voice-clone detection: mean volume, spectral flatness, ElevenLabs/PlayHT/Coqui tag scan
  • IBAN, phone, URL, urgency extraction from transcript

Video

mp4 · mov · webm · mkv

Deepfake video, fake CEOs, AI-generated blackmail.

  • ffprobe metadata and per-second frame sampling
  • Per-frame brand recognition
  • Audio-track transcription with Mythos audio engine
  • Deepfake heuristics: blink-rate proxy, frame-rate uniformity, A/V sync drift
  • Encoder-tag scan for Sora, Runway, Pika, HeyGen, DeepFaceLab

Chat export

WhatsApp .txt · Telegram .json

Pig-butchering, money mule, 'Hi mum', grooming.

  • Participants, timeline, per-participant message counts
  • IBAN, phone, URL, amount, urgency extraction
  • Scam composite: pig-butchering, money-mule pressure
  • Family impersonation 'Hi mum' and asymmetric grooming ≥70%
  • Telegram VIP/trading channel detection

Archives and mobile

APK · IPA · RAR · 7Z · ISO · CAB · MSI · TAR · .mobileconfig

Banking trojans, rogue MDM, malicious root CAs.

  • APK static: binary AndroidManifest, signing cert, dangerous-permission scan (banking trojan)
  • IPA static: Info.plist + provisioning entitlements
  • .mobileconfig: root CA install, MDM enrolment, forced VPN detection
  • RAR/7Z/ISO/CAB archives with polyglot detection

Plus, in every analysis

Crypto addresses

BTC, ETH, TRX, SOL, LTC, BCH, XMR, XRP. Reputation on Blockstream, Etherscan V2, Tronscan, Chainabuse.

Phone numbers

libphonenumber-js for E.164, NumVerify for carrier, Tellows for scam-score.

388 international scam patterns

ScamWatch knowledge base in 7 languages: Italian, English, German, French, Spanish, Dutch, Polish.

Court-grade dossier

Expert report for the prosecutor with public-verify QR and WORM tamper-evident audit chain.

Technology under the hood

  • Mythos audio engine
  • Mythos retrieval embeddings
  • exiftool
  • olevba
  • ffmpeg
  • pgvector
  • Mythos forensic engine
  • C2PA
  • urlscan.io
  • VirusTotal
  • Chainabuse
  • Etherscan
  • NumVerify
  • Tellows
  • Google Lens
  • libphonenumber-js

How the chain of custody works

  1. Upload

    SHA-256 hash computed on intake, ClamAV scan, intake signals recorded.

  2. Multi-dimensional analysis

    Specialized forensic tools per modality: EXIF, olevba, ffmpeg, Mythos audio engine, urlscan, brand match.

  3. TriageCard verdict

    LOW/CAUTION/HIGH-RISK verdict with evidence citations and operational nextSteps.

  4. WORM audit chain

    Public anchor on /verify with tamper-evident hash chain. PAdES-signed expert report on request.
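
The four steps above can be illustrated with a minimal hash-chained custody log. This is an added example, not Mythos code: the record fields, the `GENESIS` value and all function names are assumptions chosen for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first entry's prev_hash

def entry_hash(entry: dict) -> str:
    """SHA-256 over the canonical JSON of every field except entry_hash itself."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def append_entry(chain: list, step: str, evidence: bytes, detail: str) -> dict:
    """Append a custody record linked to the previous record's hash."""
    entry = {
        "seq": len(chain),
        "step": step,
        "evidence_sha256": hashlib.sha256(evidence).hexdigest(),
        "detail": detail,
        "prev_hash": chain[-1]["entry_hash"] if chain else GENESIS,
    }
    entry["entry_hash"] = entry_hash(entry)
    chain.append(entry)
    return entry

def verify_chain(chain: list, evidence: bytes) -> list:
    """Return a list of problems; an empty list means the chain is intact."""
    problems = []
    expected_prev = GENESIS
    file_hash = hashlib.sha256(evidence).hexdigest()
    for i, entry in enumerate(chain):
        if entry.get("seq") != i:
            problems.append(f"entry {i}: sequence gap or reordering")
        if entry.get("prev_hash") != expected_prev:
            problems.append(f"entry {i}: broken link to previous entry")
        if entry_hash(entry) != entry.get("entry_hash"):
            problems.append(f"entry {i}: record content altered")
        if entry.get("evidence_sha256") != file_hash:
            problems.append(f"entry {i}: evidence hash mismatch")
        expected_prev = entry.get("entry_hash")
    return problems

def build_demo_chain(evidence: bytes) -> list:
    """Constructed records mirroring the four steps listed above."""
    chain = []
    append_entry(chain, "upload", evidence, "hash computed on intake")
    append_entry(chain, "analysis", evidence, "per-modality tools run")
    append_entry(chain, "verdict", evidence, "CAUTION")
    append_entry(chain, "anchor", evidence, "chain head published")
    return chain
```

Editing a record and recomputing its own hash still breaks the link held by the next record, so only a rewrite of every later entry goes unnoticed locally. Comparing the last `entry_hash` against an independently published value is what catches that case.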

Ready to verify your evidence?

Free triage now. Forensic dossier included with the Pro subscription from CHF 29/month when you need a defensible PDF.