Inspectrum is a compact, pragmatic tool for inspection and manual demodulation of recorded IQ captures. For signal forensics it is most valuable as an investigator’s microscope: quick visualization, measuring symbol timing, extracting symbol streams, and exporting narrow slices of raw samples for downstream analysis. This tutorial walks through a forensic workflow from a raw capture to extracted symbols and preserved artifacts you can hand off to analysts.
Prerequisites and formats
- A recorded IQ file from your SDR. Inspectrum supports common on-disk IQ formats, including SigMF paired files, interleaved complex float and integer IQ files such as .cf32/.cfile, .cs16 and .cu8, and real-valued formats. Use the format that preserves the original resolution.
- A known sample rate. If you capture with GNU Radio, osmocom_fft, or similar, note the sample rate and store it next to the file or in SigMF metadata. Inspectrum can be started with a sample rate parameter or set inside the GUI.
- Chain of custody basics. For any forensic workflow keep the raw file immutable, compute a SHA512 or SHA256 hash, and if possible write SigMF metadata describing capture time, device, sample rate, operator, and location. SigMF is recommended for packaging samples and metadata.
Getting started
1) Store and checksum the raw capture.
- Immediately compute and record a SHA512 hash for the raw file. If you will use SigMF, include the checksum and recorder fields in the .sigmf-meta file so downstream users can verify integrity.
2) Launch Inspectrum and open the file.
- From a shell: inspectrum /path/to/file
- If you prefer to force a sample rate at open: inspectrum -r 2000000 /path/to/file
- If the GUI is used, confirm the sample rate in the left Controls panel matches your capture. A mismatch will stretch or compress timing measurements.
Initial triage: find interesting bursts
- Zoom and pan the spectrogram to find bursts. Adjust FFT size and dynamic range early to reveal weak signals. Smaller FFTs increase time resolution, larger FFTs increase frequency resolution. Start conservative then refine.
- Use the transparent filter rectangle to select a frequency region of interest. That limits derived plots and improves amplitude traces for pulsed or narrowband signals.
Creating derived plots for demodulation
Inspectrum supports derived plots which are the key to turning visual features into measurable symbols.
- Right click on the spectrogram and add an “Amplitude plot” derived from a filtered region. This collapses energy in your filter band into a time series useful for pulsed OOK or ASK analysis.
- Add a “Threshold plot” derived from the amplitude plot. Thresholding converts the analog amplitude trace into a binary decision useful for symbol extraction. Tune the threshold so pulses are cleanly above and below it. Practical tip: move the center line of the filter rectangle so the amplitude plot shows a clear DC-free envelope before thresholding.
- For FSK or sweep-based signals, add a frequency-derived plot and then threshold that to detect shifts. For phase or complex modulations, use phase or IQ plots to inspect constellation stability.
Measuring symbol rate and aligning cursors
- Enable cursors in the Controls panel. Set the cursors to symbol mode and expand the cursor window to cover a presumed single symbol. Increase or decrease the symbols count until the cursor grid lines up with the pulses or waveform transitions. This gives you symbol period and symbol rate. Practical forensic step: record the exact cursor settings and screenshot them.
- Use the symbol cursor measurement to compute baud rate precisely. For example, if the cursor width reads 400 microseconds the symbol rate is 2500 symbols per second. Record units and the sample rate used for these measurements.
Extracting symbols and exporting
- Once the threshold plot and cursor are tuned, use Extract symbols from the threshold plot. You can copy to clipboard or export to file. The output is typically a comma separated list of 0 and 1 values or a raw bit stream depending on the chosen option.
- If you need the raw IQ slice for downstream decoding or reproduction, use Export selected time period or Export samples. Choose the smallest window that contains the full burst to reduce file size while preserving the event. Inspectrum can export filtered or demodulated data as well. Document the exact export parameters.
- Example workflow used in many writeups: capture .cfile with osmocom_fft, open in Inspectrum, add amplitude and threshold plots, align cursor for symbol period, Extract symbols to clipboard, then decode bit patterns with a short Python snippet. This is a repeatable pattern across many OOK and ASK reverse engineering tasks.
Post-extraction analysis tips
- Clean the symbol stream. Many remote keyfob and garage protocols use run-length encoding or multi-symbol pulses per logical bit. Look for preambles and repeating patterns to identify framing and bit stuffing. Treat symbol timing variability conservatively.
- Convert extracted symbols to hex or binary blocks for comparison across captures. Keep the original symbol alignment documented. A common one-liner approach is to join the CSV symbols and convert the binary string to hex using a small Python script. Several public writeups show this exact step and it is useful when sharing indicators.
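The cleanup and conversion steps above, as an added example that is not from Inspectrum or the cited writeups. It assumes a hypothetical pulse-width encoding (alternating 1,0 preamble, then one high run and one low run per logical bit); the sample stream and all function names are constructed for illustration.

```python
from itertools import groupby

# Constructed clipboard text in the comma-separated 0/1 form (not a real device).
# Assumed encoding: alternating 1,0 preamble, then one high run plus one low run
# per logical bit; long-high/short-low = 1, short-high/long-low = 0.
SAMPLE = ("1,0,1,0,1,0,1,0,"
          "1,1,1,0, 1,0,0,0, 1,1,1,0, 1,1,1,0,"
          "1,0,0,0, 1,0,0,0, 1,1,1,1,0, 1,0,0,0")  # 7th bit has one symbol of jitter

def parse_symbols(text):
    """Parse comma/whitespace separated symbols, rejecting anything but 0/1."""
    tokens = text.replace(",", " ").split()
    bad = [t for t in tokens if t not in ("0", "1")]
    if bad:
        raise ValueError(f"unexpected symbol values: {bad[:5]}")
    return [int(t) for t in tokens]

def run_lengths(symbols):
    """Collapse the stream into (value, run_length) pairs."""
    return [(v, len(list(g))) for v, g in groupby(symbols)]

def decode_pwm(text):
    """Return preamble length, logical bits and hex for one extracted burst."""
    runs = run_lengths(parse_symbols(text))
    if runs and runs[0][0] == 0:          # drop leading silence
        runs = runs[1:]
    # Pair each high run with the low run after it; an unpaired tail is ignored.
    pairs = [(h[1], l[1]) for h, l in zip(runs[0::2], runs[1::2])]
    n_pre = 0
    while n_pre < len(pairs) and pairs[n_pre][0] == pairs[n_pre][1]:
        n_pre += 1                        # equal high/low runs = preamble
    bits = []
    for i, (high, low) in enumerate(pairs[n_pre:], start=n_pre):
        if high == low:                   # refuse to guess an ambiguous pulse
            raise ValueError(f"ambiguous pulse pair {i}: high={high} low={low}")
        bits.append("1" if high > low else "0")
    bits = "".join(bits)
    hexstr = f"{int(bits, 2):0{(len(bits) + 3) // 4}x}" if bits else ""
    return {"preamble_pairs": n_pre, "bits": bits, "hex": hexstr}

if __name__ == "__main__":
    print(run_lengths(parse_symbols(SAMPLE))[:10])
    print(decode_pwm(SAMPLE))
```

Trim the extraction to the burst before decoding: a final low run that merges with trailing silence will read as a long low.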
Forensic hygiene and reporting
- Preserve the raw file. Never edit the original capture. Work on copies and write clear metadata about all transformations. Use SigMF to store metadata and SHA hashes alongside the data file to preserve provenance.
- Document every Inspectrum parameter used for extraction: FFT size, overlap, filter center and width, amplitude scaling, threshold value, cursor symbol period and number, and export time indices. Screenshots of the Inspectrum view are highly valuable because they show visual alignment of symbols.
- Include exported sample slices and the extracted symbol CSV in your forensic package. Note tool versions where possible. If you built or installed Inspectrum from packages or source, record that too.
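One way to script step 1 under Getting started and the provenance bullets above, as an added example that is not part of Inspectrum or the SigMF tooling. The file name, timestamp and PLACEHOLDER field values are constructed; the function names are assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha512_file(path, chunk=1 << 20):
    """Stream the file so multi-gigabyte captures never load into memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def write_sigmf_meta(data_path, sample_rate, datatype, capture_utc, **info):
    """Write <name>.sigmf-meta beside <name>.sigmf-data and return its path."""
    data_path = Path(data_path)
    meta = {
        "global": {
            "core:datatype": datatype,
            "core:sample_rate": sample_rate,
            "core:version": "1.0.0",
            "core:sha512": sha512_file(data_path),
            **{f"core:{k}": v for k, v in info.items()},
        },
        "captures": [{"core:sample_start": 0, "core:datetime": capture_utc}],
        "annotations": [],
    }
    meta_path = data_path.with_suffix(".sigmf-meta")
    with open(meta_path, "x") as f:      # "x" refuses to overwrite existing metadata
        json.dump(meta, f, indent=2)
    data_path.chmod(0o444)               # read-only as a guard against accidental edits
    return meta_path

def verify_capture(meta_path):
    """Recompute the data file hash and compare it with the recorded core:sha512."""
    meta_path = Path(meta_path)
    recorded = json.loads(meta_path.read_text())["global"]["core:sha512"]
    return sha512_file(meta_path.with_suffix(".sigmf-data")) == recorded

def demo():
    """Constructed capture of zero bytes; returns (intact, after_modification)."""
    data = Path(tempfile.mkdtemp()) / "burst.sigmf-data"
    data.write_bytes(bytes(32))          # placeholder samples, not real RF
    meta = write_sigmf_meta(data, 2000000, "cf32_le", "2024-01-01T00:00:00Z",
                            recorder="PLACEHOLDER", author="PLACEHOLDER")
    intact = verify_capture(meta)
    data.chmod(0o644)
    data.write_bytes(bytes(33))          # simulate a modified copy
    return intact, verify_capture(meta)
```

Run verify_capture again whenever the package changes hands, and record the result in the report.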
Limitations and gotchas
- Inspectrum is manual by design. It excels at visual inspection and one-off extraction but is not a fully automated demodulator for messy channels. Use it to characterize and extract training samples or to build automated decoders afterward.
- Sample rate mismatches and DC offsets can distort timing and thresholding. Always confirm and, if possible, cross-check symbol durations against multiple captures.
- Be mindful of legal boundaries. Capturing or decoding signals you do not own can be illegal in many jurisdictions. For forensics in a lawful investigation, ensure proper authorization and documented chain of custody.
Closing notes
Inspectrum is a focused, effective tool for RF signal forensics when used with care. Its strength is immediate visual feedback and a tight path from spectrogram to extracted symbols. Combine it with robust capture practices, SigMF metadata, and scripted post-processing for repeatable, defensible forensic results. The references below include the upstream project pages and example writeups that demonstrate the steps shown here.