ZeroTrace Companion
Known Devices
The merged-identity view of devices seen across MAC randomisation — what the library learned about each one.
The Known Devices view is the human-friendly face of the library. Where the library is comprehensive (every field, every history, every observation), the known-devices view is curated — the devices you have explicitly marked as worth tracking.
Think of it as your "watch list" of devices the AirLeak has seen and you want to remember.
How devices become "known"
Devices enter the known list when:
- You manually mark them — click any device row → Mark as known.
- You assign a friendly name — naming a device implicitly marks it known.
- A capture rule promotes them — some alert rules can auto-promote devices that match (e.g., "any device probing for SSID `home-wifi` becomes known").
You can demote a device back to "unknown" at any time.
What the view shows
| Column | What it shows |
|---|---|
| Friendly name | The name you assigned (e.g. "Alice's iPhone") |
| Identity | Best-available technical identifier (Apple model, BLE name, vendor) |
| First seen | Across all time |
| Last seen | Across all time |
| Tags | User-assigned tags |
| Status | Active / quiet / not-seen-recently — derived from last-seen relative to now |
| Session count | How many capture sessions this device has appeared in |
Status: active / quiet / not-seen-recently
The status column is computed:
| Status | Definition |
|---|---|
| Active | Seen in the current live session |
| Recently active | Seen in the last 24 hours |
| Quiet | Last seen 1-7 days ago |
| Not seen recently | Last seen 7-30 days ago |
| Stale | Last seen more than 30 days ago |
Useful for spotting "device that was around every day suddenly stopped showing up" — possibly the user moved out of range, the device died, or the device's randomisation behaviour changed enough to defeat the library's merging.
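An added example, not ZeroTrace code: one way to derive the status buckets in the table above from a last-seen timestamp and to flag the "around every day, then stopped" pattern. The function names, the inclusive upper bounds on each bucket and the five-day streak are assumptions, and the sightings are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

def status(last_seen, now, in_live_session=False):
    """Map a last-seen time to the status buckets from the table."""
    if in_live_session:
        return "Active"
    age = now - last_seen
    # Assumption: each bucket's upper bound is inclusive.
    if age <= timedelta(hours=24):
        return "Recently active"
    if age <= timedelta(days=7):
        return "Quiet"
    if age <= timedelta(days=30):
        return "Not seen recently"
    return "Stale"

def stopped_after_daily_presence(sightings, now, streak_days=5):
    """True when the device was seen on each of the `streak_days` calendar
    days ending at its last sighting and has since gone more than 24 hours
    unseen. streak_days is a hypothetical tuning parameter."""
    if not sightings:
        return False
    last = max(sightings)
    if now - last <= timedelta(hours=24):
        return False
    days = {s.date() for s in sightings}
    return all(last.date() - timedelta(days=i) in days
               for i in range(streak_days))

# Constructed sample data, not real captures.
NOW = datetime(2024, 6, 20, 12, 0, tzinfo=timezone.utc)
DAILY = [datetime(2024, 6, d, 9, 0, tzinfo=timezone.utc) for d in range(10, 17)]
SPORADIC = [datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc),
            datetime(2024, 6, 16, 9, 0, tzinfo=timezone.utc)]

def review(devices, now):
    """Return {name: (status, stopped_flag)} for a dict of sighting lists."""
    return {name: (status(max(s), now), stopped_after_daily_presence(s, now))
            for name, s in devices.items()}

if __name__ == "__main__":
    for name, result in review({"daily": DAILY, "sporadic": SPORADIC}, NOW).items():
        print(name, result)
```

A flagged device still needs the manual check the paragraph above describes, since a change in randomisation behaviour produces the same gap as a device that left.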
Pinned to live view
Known devices can be pinned to the live workspace, where they appear in a permanent panel regardless of session activity. Pinning is the right move for:
- Active surveillance-detection work — devices you actively want to be alerted about when they appear.
- Operational targets in an authorised investigation — devices the engagement is interested in.
- Reference devices — your own phone, your laptop, devices you want to confirm coverage on.
Per-device alert rules
For known devices, you can create per-device alert rules:
- Alert when this device appears — the next time this MAC (or merged identity) shows up, fire an alert.
- Alert when this device disappears — the device has been continuously visible for X minutes and then dropped.
- Alert when this device probes for SSID Y — pattern-specific.
Rules are evaluated in real time during live capture. See alerts for the full alert system.
Cross-session view
Click any known device for its cross-session history:
- Sessions appeared in — every capture session the device has been part of.
- Aggregate observations — total across all sessions.
- Per-session observation count — sortable timeline.
- Probed SSID accumulation — every SSID this device has ever asked for, deduped.
- MAC history — every MAC observed, with first / last seen.
The cross-session view is what makes a library entry actionable. You can see "this device has been around for six months, it's been in eight different sessions, and it has probed for the SSIDs home, office, gym" — that gives you a strong identity profile.
The cross-session view aggregates real personal data. Use it with appropriate authorisation. Marking devices as "known" is an explicit act — the application gives you the data, you choose what to do with it.
Export
Per-device export of the cross-session aggregate:
- JSON — structured data for scripting.
- Markdown — human-readable for reports.
- PDF — formatted device-history report.
For investigation deliverables, the PDF is the standard format. It includes the friendly name, identity provenance, full session history, and SSID accumulation.
Hiding devices
Some known devices are noise — your own AirLeak's MAC, your own laptop sitting on the desk next to the AirLeak, a static IoT device that contributes no investigative value. Mark these as hidden:
- Hidden devices do not appear in the default views.
- Their events still flow through the system (alerts can still fire on them).
- A toggle in the live view re-shows hidden devices when needed.
Hiding is reversible — devices can be un-hidden at any time.
Bulk operations
The known-devices view supports multi-select for:
- Bulk tagging — apply the same tag to many devices at once.
- Bulk hide / unhide.
- Bulk export — export the selected devices' aggregate histories to one file.
- Bulk delete — remove multiple known-device markers (the underlying library entries persist).
Privacy reminder
The known-devices feature is the most identity-rich part of the AirLeak workspace. The privacy considerations from the library page apply doubly here. Use it within scope and within authorisation; the toolkit gives you capability, the responsibility for use is yours.