// case type

trade secret / IP theft

exiting employee took the source/customer list/CAD. preserve USB attach times, cloud-sync, print, and email-out evidence.

tools: 14 · priority: M · processing: local · in browser

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this case type.

  1. windows lnk deep analyzer: drop Windows .lnk shortcut files · parse full shell link structure · target path · command line · machine GUID · volume serial · timestamps · network share · tracker block · export CSV · runs locally
  2. lnk timeline correlator: drop multiple Windows .lnk shortcuts · unified FILETIME timeline · machine GUID · volume serial · dedupe targets · CSV export · runs locally
  3. lnk file batch timeline correlator: drop hundreds of lnk shortcut files or lnk csv exports · build single unified recently-accessed timeline · deduplicate · surface deleted source files · correlate access times across all shortcuts · runs locally
  4. shellbags analyzer: drop a Windows registry hive · extract shellbag entries · folder browsing history · paths · timestamps · export CSV · runs locally
  5. windows jump list parser: drop .automaticDestinations-ms or .customDestinations-ms · parse OLE structure · extract recently accessed files per app · timestamps · AppIDs · export CSV · runs locally
  6. jump list cross-application timeline correlator: drop multiple jlecmd csv exports · unified timeline · cross-app document access · network and removable flags · export csv · runs locally
  7. print spooler artifact forensic analyzer: drop shd spool files, evtx csv, registry exports · print job history · printnightmare indicators · export csv · runs locally
  8. document hidden print history extractor: drop docx xlsx pptx doc xls ppt · hidden print audit trail · printer name · print timestamp · page count · every print job · runs locally

also useful · secondary tools

supporting and follow-up tools. surface as the investigation widens.

  1. browser download history correlator: drop chrome history sqlite and optional mft csv · parse download records · correlate against filesystem evidence · identify downloaded files that were deleted · surface download chain from referrer to file to execution · runs locally
  2. download history analyzer: drop Chrome or Firefox history SQLite · extract downloaded files · source URLs · referrers · timestamps · flag suspicious domains · export CSV · runs locally
  3. user workstation affinity mapper: drop months of 4624 logon evtx csv · build statistical profile of which user uses which machine · compute affinity scores · flag when a user logs into an unusual machine · detect account takeover by changed workstation usage · runs locally
  4. natural language writing sample authorship comparator: drop multiple text files or paste writing samples · compute 40 plus stylometric features · sentence length distribution · vocabulary richness · function word frequencies · punctuation patterns · produce similarity score with confidence intervals between samples · runs locally
  5. git repository forensic analyzer: drop a .git directory or git bundle file · extract full commit history · recover deleted commits via reflog · stash contents · author metadata · file change history · detect secret leaks in history · runs locally
  6. case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
// case-kit pipeline

run as a stack

skip the click-through. these presets are curated forensic pipelines you can save as a stack with one click and run on your evidence locally.

  • trade secret — exfil kit

    8 steps

    drop LNK / jumplist / shellbag / print spool / download history / git exports → timeline → report

    1. 01 evidence-manifest-generator: hash every artifact before timeline reconstruction
    2. 02 lnk-batch-timeline-correlator: batch-correlate LNK shortcuts into a file-access timeline
    3. 03 jumplist-deep-correlator: deep jumplist analysis for recently accessed files
    4. 04 shellbag-timeline-extended: shellbag folder-access timeline for USB / network paths
    5. 05 print-spool-forensics: print spool artifacts — exfil via printed documents
    6. 06 browser-download-history-correlator: correlate browser downloads with file-access artifacts
    7. 07 git-repository-forensics: git history analysis if source code exfil is suspected
    8. 08 case-report-generator: draft a report linking artifact timelines to the exfil hypothesis
// pattern-matched

tools that the manifest-classifier flagged as plausibly useful here but that aren't in the hand-curated lists above. less editorial weight — scan, don't work top-down.

+ 98 more in this pattern match. browse the full forensics catalog via the forensics category.
