// case type
healthcare data breach
PHI exposure, EHR audit gap, DICOM exfil, HIPAA notification scoping. very specific evidence demands.
start here · primary tools
ordered. work top-down. the first tool is the suggested entry point for this case type.
- dicom medical imaging metadata forensic analyzer: drop dicom files · parse metadata tags · extract patient equipment data · detect anonymization failures · runs locally
- microsoft access database forensic analyzer: drop mdb or accdb files · parse jet database structure · extract tables · recover deleted records · vba macro scan · runs locally
- office365 audit log analyzer: drop m365 unified audit log json or csv · flag inbox forward rules · mailbox forwarding · bulk downloads · global admin role adds · high-scope consent · audit log disabled · runs locally
- microsoft 365 unified audit log analyzer: drop m365 unified audit log csv or json export · parse all audit events across exchange sharepoint teams onedrive and azure ad · surface suspicious operations privilege changes and data access events · reconstruct user activity timeline · runs locally
- windows event log gap analyzer: drop multiple evtx · merged timeline · logging gaps · clearing events · ransomware prep chains · service persistence hints · runs locally
- log ingestion gap and silent host detector: drop siem export or event log collector export · identify machines that stopped sending logs · calculate expected vs actual log volume per host · detect hosts that went dark · flag suspicious silences · runs locally
- log file authenticity and integrity scorer: drop any log file · verify internal consistency · line endings · timestamps · detect log injection · fabrication indicators · authenticity score · runs locally
- chain of custody gap detector: paste custody log csv · time gaps over threshold · missing signatures · export findings csv · runs locally
also useful · secondary tools
supporting and follow-up tools. surface as the investigation widens.
- user behavior baseline profiler: drop months of logon evtx csvs or auth log exports · build statistical baseline per user · active hours · session duration · machine affinity · flag any session that deviates significantly from that user's normal pattern · runs locally
- data access pattern anomaly detector: drop file access logs or security evtx with object access events · compute per-user access baselines · detect bulk access · off-hours access · cross-department access · unusual file type access · statistical outlier sessions · runs locally
- redaction quality verifier: drop pdf or image · text under redact · incomplete black boxes · canvas pixel scan · runs locally
- case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
run as a stack
skip the click-through. these presets are curated forensic pipelines you can save as a stack with one click and run on your evidence locally.
healthcare breach — scope kit
10 steps: drop DICOM + M365 audit + log gaps → access anomaly → baseline → custody gaps → redaction check → report
- 01 evidence-manifest-generator: hash PHI-bearing exports before any analysis — HIPAA notification scoping
- 02 dicom-metadata-forensics: DICOM metadata — patient identifiers + study access trail
- 03 office365-audit-log-analyzer: EHR-adjacent M365 audit log for mailbox / file access
- 04 log-ingestion-gap-detector: detect gaps in log ingestion — actor may have disabled logging
- 05 log-authenticity-scorer: score log authenticity — tampered logs invalidate breach scope
- 06 data-access-anomaly-detector: flag outlier PHI access patterns
- 07 user-behavior-baseline-profiler: baseline normal access patterns for comparison
- 08 chain-of-custody-gap-detector: flag chain-of-custody gaps in the evidence set
- 09 redaction-quality-verifier: verify PHI redactions before sharing breach notification drafts
- 10 case-report-generator: draft a HIPAA notification scope report with access anomaly findings