Peak  ·  Help

Reading the Report

Peak shows scan findings in a sidebar next to the live conversation. None of it is on disk until you click Export.

Where to look

When a thread is open in the conversation pane and you've clicked Scan selected, a Findings sidebar appears on the right. Each finding shows:

• Category badges (color-coded by severity)
• Sender + UTC timestamp
• Matched term(s) that triggered the flag
• Message text with the matched terms highlighted in yellow
• AI rating (macOS 26+ only) — a 0–3 concern level + one-sentence reasoning

Click any finding to scroll the conversation pane to that message and highlight it briefly.

Exporting

The Export ▾ menu at the top of the Findings sidebar offers three options:

1. Forensic PDF… — the entire conversation as a printable, chain-of-custody PDF
2. Review PDF + CSV… — a summary of just the flagged messages, plus the same data as a spreadsheet
3. Findings CSV… — just the data, no PDF

Each option opens a Save dialog so you control where the file lives. Finder reveals the file after the export completes.

The forensic PDF

iMessage-style bubbles, blue for "Me" (the phone's owner) and gray for the other side. Every message has a small gray line of metadata beneath it:

483F49F5-3FCE-4BFE-BCAA-5B65ABEBE98C · iMessage · 2026-05-18T23:54:44.326908Z · row 34831

What each part means:

• GUID — a unique ID for that exact message, the same one stored on the iPhone
• service — iMessage or SMS (whether it went over Apple's encrypted channel or as a regular text)
• timestamp — full UTC time including microseconds; you can convert to local time mentally or with a tool
• row — the SQLite row ID in the phone's database (useful if you ever want to verify against the raw data)

Special elements

• Day dividers between dates: a centered gray line that says e.g. Wednesday, May 18, 2026.
• Reactions (Loved, Liked, Disliked, Laughed, Emphasized, Questioned) appear as a small line attached to the parent message with the reactor's name and timestamp, just like in iMessage. They are not rendered as separate messages.
• Replies show a quoted snippet of the parent message above the new bubble, prefixed with ↩ In reply to <sender>: "...".
• Unsent messages (iOS 16+) appear as a bubble that reads [message unsent by sender] with the original timestamp preserved.
• Edited messages are marked. If iOS captured the edit history, it appears below the bubble.
• Images are embedded inline at the position they were sent. They're also embedded as PDF file attachments, so the original bytes are preserved alongside the rendering.
• Videos show a poster frame (the first frame of the video) with a play-triangle overlay and the caption ▶ <filename> — derived preview (full file embedded in PDF). The original .mov is attached to the PDF — extract it from a PDF viewer's attachments panel to play.
• [text recovered from attributedBody typedstream] — appears under a message when its text had to be parsed from iOS 16+'s binary text format because the older plain-text column was empty. This is a transparency marker. The text is correct (or as correct as the parser could make it) but you should know it came from a derived source.

The forensic manifest (last page)

Every forensic PDF ends with a Forensic Manifest page. It lists:

• Generation date and tool version
• Source backup: path on disk, UDID, device name, last backup date
• sms.db SHA-256 hash and size (so you can verify the source database wasn't tampered with)
• Chat GUID, identifier, display name, participant handles
• Counts: messages rendered, reactions attached, attachments embedded
• For each embedded attachment: filename, MIME type, byte size, SHA-256 hash

The manifest is what makes the PDF defensible if you ever need to use it for serious purposes (school disciplinary process, family court, etc.). Anyone with access to the source backup can recompute the SHA-256 hashes and verify the data hasn't been altered.

The review PDF

Page 1 is the summary:

• Thread name, generation date, backup path, sms.db SHA-256
• A short disclaimer: this is a lexicon-based first pass, expect both false positives and false negatives, it's a queue for human review
• A table of categories with hit counts
• A breakdown by sender showing per-category counts (useful for "who's saying this")

Page 2+ is flagged messages in chronological order. Each entry has:

• One or more colored category badges
• Sender name, full UTC timestamp, matched term(s), and page number in the forensic PDF
• The message text with offending substrings highlighted
• → Jump to message in main PDF — a clickable link
• The GUID, service, and row number for cross-reference

Categories and colors

| Category | What it catches | Color | |---|---|---| | profanity | swearing | amber | | sexual | sex acts, body parts, nudes, hookup talk | pink | | slurs | racial, ethnic, anti-LGBT, ableist slurs | dark red | | drugs | weed, vapes, opioids, MDMA, drug-buying slang | purple | | alcohol | drinking, fake IDs, blackout slang | brown | | violence_threats | "kill you", "shoot up", weapon names | red | | self_harm | "kms", suicide, cutting, pro-ana/mia | near-black | | predatory_grooming | "don't tell your parents", "our secret", asking for pics | crimson | | personal_info_sharing | sharing address, SSN, credit card, passwords | blue |

Categories are ranked by severity in that order — self-harm and grooming float to the top of the list.

Clicking a finding to jump

In Adobe Acrobat Reader (free), clicking → Jump to message in main PDF opens the forensic PDF directly at the message's bubble. Acrobat honors PDF named destinations (#msg-GUID) and cross-document links.

In Preview.app (macOS's built-in viewer), Apple's PDF library doesn't fully implement cross-document named destinations. Clicking the link opens the forensic PDF but lands on the first page rather than the right one. As a workaround, the page number is printed in the entry header (page 5). Open the forensic PDF and jump to that page manually (⌘G in Preview).

If you don't have Acrobat installed and you want clickable jumps to work, install Adobe Acrobat Reader DC (free) from adobe.com.

The CSV

The CSV is one row per flagged message:

| Column | Meaning | |---|---| | timestamp_utc | ISO 8601 UTC time | | sender | "Me" or the phone/email handle | | service | iMessage / SMS | | categories | pipe-separated list (e.g. profanity\|slurs) | | matched_terms | pipe-separated terms that triggered | | message_text | full message text | | message_guid | unique ID | | rowid | SQLite row ID | | page_in_main_pdf | page in the forensic PDF |

Open it in Numbers or Excel. Sort by categories to group by type. Sort by sender to see who's saying what. Filter to one category to triage in batches.

A note on judgment

A flag is not a verdict. The wordlist scanner can't tell the difference between:

• A friend joking "you have a fat ass" and a stranger saying "send me a pic of your ass"
• "Bro that test was killing me" and "I'm going to kill myself"
• "We drank so much water at practice" and "We blacked out at the party"

That's your job. Use the forensic PDF for context. Read the messages around the flag. If a category is generating mostly noise, silence it in settings.

The goal of the report isn't to tell you what to do. It's to put a small list in front of you instead of a 14,000-message thread, so you have a fighting chance of catching something that matters.

Next: Tuning the Wordlist.