// case type

disgruntled employee exit

last-day endpoint snapshot: deletions, USB attach, cloud sync bursts, sabotage indicators (scheduled tasks, hidden accounts).

tools: 13 · priority: M · processing: local · in browser

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this case type.

  1. mass rename detector: drop a file listing or dir output · detect bulk renames within short time windows · flag ransomware extension patterns · visualize rename timeline · export CSV · runs locally
  2. secure deletion detector: drop disk image · wipe patterns · zero ff aa55 fills · high entropy · sdelete eraser hints · heat map · chunked worker scan · runs locally
  3. file shredder remnant and signature scanner: drop mft csv, usn journal csv or file listing · detect execution artifacts of file shredding tools · identify sdelete eraser bleachbit cipher patterns · surface files that were securely deleted · runs locally
  4. registry key deletion burst detector: drop registry transaction log or security evtx csv · detect rapid bulk registry key deletion · identify scripted registry cleanup operations · surface anti-forensic registry wiping patterns · runs locally
  5. scheduled task deletion and history clearing detector: drop security, system and task scheduler evtx csvs · detect scheduled task deletion · identify task history clearing · surface task creation followed by deletion indicating attacker cleanup · runs locally
  6. service deletion burst detector: drop system evtx csv · detect rapid service deletion patterns · identify attacker persistence mechanism removal · surface service install-then-delete lifecycle indicating attack tool cleanup · runs locally
  7. browser history clearing pattern detector: drop chrome, firefox or edge sqlite history db csv · detect history clearing events · identify gaps in browsing timeline · surface clearing timestamps and what was removed · runs locally
  8. PowerShell history clearing detector: drop powershell operational evtx csv or psreadline history file · detect cleared powershell command history · identify gaps in command execution record · surface anti-forensic powershell history manipulation · runs locally

also useful · secondary tools

supporting and follow-up tools. surface as the investigation widens.

  1. windows lnk deep analyzer: drop Windows .lnk shortcut files · parse full shell link structure · target path · command line · machine GUID · volume serial · timestamps · network share · tracker block · export CSV · runs locally
  2. jump list cross-application timeline correlator: drop multiple jlecmd csv exports · unified timeline · cross-app document access · network and removable flags · export csv · runs locally
  3. user workstation affinity mapper: drop months of 4624 logon evtx csv · build statistical profile of which user uses which machine · compute affinity scores · flag when a user logs into an unusual machine · detect account takeover by changed workstation usage · runs locally
  4. evidence of evidence deletion detector: drop mft csv · usn journal · evtx csvs · prefetch csvs · prove that specific forensic artifacts were deliberately destroyed · mft entries for deleted tool execution logs · prefetch for cleanup utilities · usn entries for mass deletions · the meta-forensic layer · runs locally
  5. case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally

// case-kit pipeline

run as a stack

skip the click-through. these presets are curated forensic pipelines you can save as a stack with one click and run on your evidence locally.

  • disgruntled exit — sabotage kit

    8 steps

    drop endpoint snapshot → shredder remnants → deletion bursts → history clearing → meta-deletion → report

    1. 01 evidence-manifest-generator: hash the last-day endpoint snapshot before analysis
    2. 02 file-shredder-remnant-scanner: detect secure-deletion / shredder tool remnants
    3. 03 registry-key-deletion-burst-detector: registry key deletion bursts — common sabotage pattern
    4. 04 scheduled-task-deletion-detector: scheduled task deletion — persistence cleanup or sabotage
    5. 05 powershell-history-clearing-detector: PowerShell history clearing on the last day
    6. 06 browser-history-clearing-pattern-detector: browser history clearing patterns
    7. 07 evidence-of-evidence-deletion: meta-forensics: detect evidence-of-evidence deletion itself
    8. 08 case-report-generator: draft a report documenting anti-forensics + sabotage indicators

// pattern-matched

tools that the manifest-classifier flagged as plausibly useful here but that aren't in the hand-curated lists above. less editorial weight — scan, don't work top-down.

+ 216 more in this pattern match. browse the full forensics catalog via the forensics category.
