fatcousin
// case type

insider threat / data exfiltration

departing employee, IP theft, USB exfil, cloud-share leak. evidence patterns: access-anomaly + peer-comparison + after-hours activity.

tools
15
priority
H
processing
local · in browser

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this case type.

  1. insider threat behavioral indicator scorerdrop multiple forensic artifact csvs for a specific user · score against published insider threat behavioral indicators · data staging · unusual access · policy violations · communication patterns · produce risk profile · runs locally
  2. data access pattern anomaly detectordrop file access logs or security evtx with object access events · compute per-user access baselines · detect bulk access · off-hours access · cross-department access · unusual file type access · statistical outlier sessions · runs locally
  3. peer group statistical outlier analyzerdrop artifact sets for multiple users · compute per-user feature vectors · identify statistical outliers · surface the user whose behavior differs most from their peers · peer comparison charts · runs locally
  4. time-of-day activity fingerprinterdrop logon evtx csv or activity logs for a user · build 24-hour activity fingerprint · compare two time periods · chi-squared test for pattern change · detect when a different person used the account · account sharing detection · runs locally
  5. user behavior baseline profilerdrop months of logon evtx csvs or auth log exports · build statistical baseline per user · active hours · session duration · machine affinity · flag any session that deviates significantly from that user's normal pattern · runs locally
  6. copy-paste behavior and data lineage tracerdrop clipboard history exports · lnk file access times · recently opened files csvs · correlate what was copied from where and pasted where · trace data lineage across applications · build evidence of deliberate data extraction · runs locally
  7. user workstation affinity mapperdrop months of 4624 logon evtx csv · build statistical profile of which user uses which machine · compute affinity scores · flag when a user logs into an unusual machine · detect account takeover by changed workstation usage · runs locally
  8. credential to lateral movement tracerdrop credential dumping evidence csvs · logon event csvs · admin share access · service install events · trace a specific credential from dump through use and propagation across systems · reconstruct the attack chain · runs locally

also useful · secondary tools

supporting and follow-up tools. surface as the investigation widens.

  1. natural language writing sample authorship comparatordrop multiple text files or paste writing samples · compute 40 plus stylometric features · sentence length distribution · vocabulary richness · function word frequencies · punctuation patterns · produce similarity score with confidence intervals between samples · runs locally
  2. lnk file parserdrop a Windows .lnk shortcut · target path · timestamps · machine ID · volume serial · network share info · runs locally
  3. windows lnk deep analyzerdrop Windows .lnk shortcut files · parse full shell link structure · target path · command line · machine GUID · volume serial · timestamps · network share · tracker block · export CSV · runs locally
  4. shellbags analyzerdrop a Windows registry hive · extract shellbag entries · folder browsing history · paths · timestamps · export CSV · runs locally
  5. windows jump list parserdrop .automaticDestinations-ms or .customDestinations-ms · parse OLE structure · extract recently accessed files per app · timestamps · AppIDs · export CSV · runs locally
  6. recentdocs mru deep analyzerdrop ntuser.dat reg export · parse recentdocs mru · office file mru · sensitive file type flags · export csv · runs locally
  7. case report generatorfill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
// case-kit pipeline

run as a stack

skip the click-through. these presets are curated forensic pipelines you can save as a stack with one click and run on your evidence locally.

  • insider threat — behavior kit

    8 steps

    drop access logs + workstation exports → insider score → anomaly detect → peer compare → baseline → authorship → LNK timeline → report

    1. 01evidence-manifest-generatorhash every export before scoring — HR/legal cases require reproducible inputs
    2. 02insider-threat-indicator-scorercomposite insider-risk score from access + activity signals
    3. 03data-access-anomaly-detectorflag outlier access patterns vs the user's historical baseline
    4. 04peer-group-comparison-analyzercompare the subject's activity to peers in the same role
    5. 05user-behavior-baseline-profilerbuild a behavioral baseline from the provided log exports
    6. 06writing-sample-authorship-comparatorcompare writing style across messages if authorship is disputed
    7. 07lnk-batch-timeline-correlatorreconstruct file-access timeline from LNK / shortcut artifacts
    8. 08case-report-generatordraft an HR/legal-ready report on access anomalies + exfil indicators
// pattern-matched

related tools

tools that the manifest-classifier flagged as plausibly useful here but that aren't in the hand-curated lists above. less editorial weight — scan, don't work top-down.

+ 353 more in this pattern match. browse the full forensics catalog via the forensics category.

ready