Mobile device forensics & digital investigation

PiRogue tool suite (PTS) provides a platform combining analysis tools, knowledge management, incident response management and artifact management, which allows NGOs with limited resources to equip themselves at a low cost. The project consists of an open-source tool suite that provides a comprehensive mobile device forensics and network traffic analysis platform targeting mobile devices, both for Android and iOS.

Open-source AGPL v3 Licensed. GitHub

Getting started >>


The PiRogue is an open hardware device based on a Raspberry Pi operating as a network router analyzing network traffic in real time. The PiRogue helps analysts to detect the potential compromise of a mobile device and to have more information allowing them to detect more easily the potential threats represented by a mobile application.

Network traffic capturesupportedsupported
Network traffic analysissupportedsupported
Deep packet inspectionsupportedsupported
Threat detectionsupportedsupported
Stalkerware detectionsupportedsupported
TLS traffic decryptionsupportednot yet
Socket activity tracingsupportednot yet
AES operations tracingsupportednot yet
Device backupsupportedsupported
Device forensic analysissupportedsupported


Colander is an incident response and knowledge management platform, delivered as a cloud-agnostic software stack, that organizations can deploy. It takes events (such as network flows, Suricata alerts), artifacts (such as PCAPs, APKs), observables extracted from artifacts or from 3rd-party providers, and turns them into browsable knowledge. Organized in cases, knowledge is then processed to automatically generate reports, detection rules and intelligence feeds.

  • Organize knowledge in different cases
  • Invite team member to collaborate to cases
  • Represent the real world with generic entities
  • Graph knowledge using the web graph editor
  • Write documentation at anytime
  • Import intelligence from VirusTotal or OTX Alien Vault
  • Collect and sign artifacts directly from PiRogue
  • Analyze decrypted network traffic and payloads
  • Decode network payload with CyberChef
  • Apply Yara rules directly on the network traffic
  • Ensure artifact integrity and authenticity
  • Generate comprehensive data transmission report
  • Create feeds to export findings in different formats


" PiRogue and Colander tools from the PiRogue Tool Suite were instrumental for our project in conducting the analysis and identifying privacy violations in the mobile apps.
As strategic litigators, it is crucial for us to collect solid evidence of privacy violations to support our arguments during the procedure. The two tools provide a comprehensive setup for mobile app investigations and are open source.
PiRogue helps record network traffic and other evidence such as cryptographic activity, SSL keylog files, socket activity, and even a screencast of the app from the viewpoint of the app user. Thanks to Colander, we were able to analyse the entire network traffic of the apps tested and identify suspicious activities. Both tools are intuitive to use and deliver reliable results.
As an NGO, we highly value the tool's reliability and accessibility, as it empowers us to investigate mobile apps that would otherwise be very difficult to explore.

PiRogue Tool Suite received support from

Logo of Digital Defenders Partnership
Logo of Open Technology Fund
Logo of Defensive Lab Agency