healthcare vs insider threat
a healthcare org sees audit gaps and mass record access. case A is healthcare-breach: PHI exfil, DICOM/PACS export spike, and HIPAA notification scoping. case B is insider-threat: a sustained access anomaly on one human identity, a peer-group outlier, and DLP hits on workstations or cloud shares. a wrong call sends you to dicom-metadata-forensics when you need insider-threat-indicator-scorer, or declares an external breach while UEBA shows only one employee's longitudinal spike.
primary tools · side by side
ordered entry points from the case-type taxonomy. highlighted rows appear in both case types' editorial tool lists.
healthcare data breach
PHI exposure, EHR audit gap, DICOM exfil, HIPAA notification scoping. very specific evidence demands.
- 01 dicom medical imaging metadata forensic analyzer: drop dicom files · parse metadata tags · extract patient and equipment data · detect anonymization failures · runs locally
- 02 microsoft access database forensic analyzer: drop mdb or accdb files · parse jet database structure · extract tables · recover deleted records · vba macro scan · runs locally
- 03 office365 audit log analyzer: drop m365 unified audit log json or csv · flag inbox forward rules · mailbox forwarding · bulk downloads · global admin role adds · high-scope consent · audit log disabled · runs locally
- 04 microsoft 365 unified audit log analyzer: drop m365 unified audit log csv or json export · parse all audit events across exchange, sharepoint, teams, onedrive and azure ad · surface suspicious operations, privilege changes and data access events · reconstruct user activity timeline · runs locally
- 05 windows event log gap analyzer: drop multiple evtx · merged timeline · logging gaps · clearing events · ransomware prep chains · service persistence hints · runs locally
- 06 log ingestion gap and silent host detector: drop siem export or event log collector export · identify machines that stopped sending logs · calculate expected vs actual log volume per host · detect hosts that went dark · flag suspicious silences · runs locally
- 07 log file authenticity and integrity scorer: drop any log file · verify internal consistency · line endings · timestamps · detect log injection · fabrication indicators · authenticity score · runs locally
- 08 chain of custody gap detector: paste custody log csv · time gaps over threshold · missing signatures · export findings csv · runs locally
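the silent-host logic behind entry 06 (expected vs actual volume per host, hosts that went dark), worked as an added example. this is not the listed tool's code: the export format (one `<iso timestamp>,<hostname>` line per event), the three-hour baseline window, the 50% drop ratio and the sample hosts are all assumptions constructed for the example.

```python
"""Silent-host detection over a SIEM export (added example, not the listed
tool). Input format, baseline window, drop ratio and the sample data are
assumptions constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_export():
    """Constructed export: six hours, three hosts.
    WS-01 reports 4 events/hour throughout; WS-02 stops after hour 3 (went
    dark); WS-03 drops from 4/hour to 1/hour for the last three hours."""
    start = datetime(2024, 3, 1, 0, 0)
    lines = []
    for hour in range(6):
        for k in range(4):
            ts = (start + timedelta(hours=hour, minutes=15 * k)).isoformat()
            lines.append(f"{ts},WS-01")
            if hour < 3:
                lines.append(f"{ts},WS-02")
            if hour < 3 or k == 0:
                lines.append(f"{ts},WS-03")
    return "\n".join(lines)


def parse_export(text):
    """Return (timestamp, host) tuples; blank or malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 2:
            continue
        rows.append((datetime.fromisoformat(parts[0]), parts[1]))
    return rows


def hourly_counts(rows):
    """Events per host per clock hour."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, host in rows:
        counts[host][ts.replace(minute=0, second=0, microsecond=0)] += 1
    return counts


def detect_silent_hosts(text, baseline_hours=3, drop_ratio=0.5):
    """Expected vs actual hourly volume per host.

    The hours in which *any* host reported define when every host was expected
    to report, so a host that stops sending shows up as zero actual volume
    instead of quietly vanishing from the per-host data."""
    rows = parse_export(text)
    counts = hourly_counts(rows)
    last_seen = {}
    for ts, host in rows:
        last_seen[host] = max(last_seen.get(host, ts), ts)
    hours = sorted({h for per_host in counts.values() for h in per_host})
    baseline, observed = hours[:baseline_hours], hours[baseline_hours:]
    if not baseline or not observed:
        raise ValueError("not enough hours to split into baseline and observation")
    findings = {}
    for host, per_hour in counts.items():
        expected = sum(per_hour.get(h, 0) for h in baseline) / len(baseline)
        actual = sum(per_hour.get(h, 0) for h in observed) / len(observed)
        if actual == 0:
            status = "dark"            # reported in baseline, nothing since
        elif actual < expected * drop_ratio:
            status = "degraded"        # still alive, but volume collapsed
        else:
            status = "ok"
        findings[host] = {
            "expected_per_hour": expected,
            "actual_per_hour": actual,
            "last_seen": last_seen[host],
            "status": status,
        }
    return findings


if __name__ == "__main__":
    for host, f in sorted(detect_silent_hosts(build_sample_export()).items()):
        print(host, f["status"], f"expected={f['expected_per_hour']:.1f}",
              f"actual={f['actual_per_hour']:.1f}", "last_seen", f["last_seen"])
```

a host that only ever appears in the observation window (a machine built after the baseline) gets expected 0 and status "ok"; treat the baseline split as the first thing to tune against a real collector export.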
insider threat / data exfiltration
departing employee, IP theft, USB exfil, cloud-share leak. evidence patterns: access-anomaly + peer-comparison + after-hours activity.
- 01 insider threat behavioral indicator scorer: drop multiple forensic artifact csvs for a specific user · score against published insider threat behavioral indicators · data staging · unusual access · policy violations · communication patterns · produce risk profile · runs locally
- 02 data access pattern anomaly detector: drop file access logs or security evtx with object access events · compute per-user access baselines · detect bulk access · off-hours access · cross-department access · unusual file type access · statistical outlier sessions · runs locally
- 03 peer group statistical outlier analyzer: drop artifact sets for multiple users · compute per-user feature vectors · identify statistical outliers · surface the user whose behavior differs most from their peers · peer comparison charts · runs locally
- 04 time-of-day activity fingerprinter: drop logon evtx csv or activity logs for a user · build 24-hour activity fingerprint · compare two time periods · chi-squared test for pattern change · detect when a different person used the account · account sharing detection · runs locally
- 05 user behavior baseline profiler: drop months of logon evtx csvs or auth log exports · build statistical baseline per user · active hours · session duration · machine affinity · flag any session that deviates significantly from that user's normal pattern · runs locally
- 06 copy-paste behavior and data lineage tracer: drop clipboard history exports · lnk file access times · recently opened files csvs · correlate what was copied from where and pasted where · trace data lineage across applications · build evidence of deliberate data extraction · runs locally
- 07 user workstation affinity mapper: drop months of 4624 logon evtx csv · build statistical profile of which user uses which machine · compute affinity scores · flag when a user logs into an unusual machine · detect account takeover by changed workstation usage · runs locally
- 08 credential to lateral movement tracer: drop credential dumping evidence csvs · logon event csvs · admin share access · service install events · trace a specific credential from dump through use and propagation across systems · reconstruct the attack chain · runs locally
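the fingerprint-and-chi-squared step behind entry 04 (24-hour fingerprint, two periods compared, pattern change as an account-sharing signal), worked as an added example. this is not the listed tool's code: the logon timestamps are constructed, and the critical value comes from the Wilson-Hilferty approximation of the chi-squared quantile, an assumption chosen so the block runs without scipy.

```python
"""24-hour activity fingerprint with a chi-squared test for pattern change
(added example, not the listed tool). Sample logons are constructed; the
critical value uses the Wilson-Hilferty approximation, an assumption."""
import math
from datetime import datetime, timedelta

Z_95 = 1.6449  # normal quantile for a 5% one-sided tail


def logons(start, days, hours):
    """Constructed logons: one per listed hour on each of `days` consecutive days."""
    return [start + timedelta(days=d, hours=h) for d in range(days) for h in hours]


def sample_periods():
    """January: daytime only. February: two daytime bins plus late-night bins."""
    jan = logons(datetime(2024, 1, 8), 20, [8, 9, 13, 16])
    feb = logons(datetime(2024, 2, 5), 20, [8, 13, 22, 23, 2])
    return jan, feb


def fingerprint(timestamps):
    """24-bin histogram of logon hours."""
    bins = [0] * 24
    for ts in timestamps:
        bins[ts.hour] += 1
    return bins


def chi_squared(hist_a, hist_b):
    """Chi-squared test of homogeneity across two fingerprints.

    Hours empty in both periods are dropped (expected count zero, no
    information); degrees of freedom are one less than the hours kept."""
    total_a, total_b = sum(hist_a), sum(hist_b)
    if total_a == 0 or total_b == 0:
        raise ValueError("both periods need activity to compare")
    grand = total_a + total_b
    stat, kept = 0.0, 0
    for a, b in zip(hist_a, hist_b):
        col = a + b
        if col == 0:
            continue
        kept += 1
        exp_a, exp_b = col * total_a / grand, col * total_b / grand
        stat += (a - exp_a) ** 2 / exp_a + (b - exp_b) ** 2 / exp_b
    return stat, max(kept - 1, 0)


def chi2_critical(df, z=Z_95):
    """Wilson-Hilferty approximation of the chi-squared quantile (assumption)."""
    if df == 0:
        return 0.0
    return df * (1 - 2 / (9 * df) + z * math.sqrt(2 / (9 * df))) ** 3


def pattern_changed(period_a, period_b):
    """Compare two periods for one account. A significant change in the 24-hour
    pattern is the signal the tool uses for account sharing or takeover."""
    stat, df = chi_squared(fingerprint(period_a), fingerprint(period_b))
    crit = chi2_critical(df)
    return {"statistic": stat, "df": df, "critical": crit, "changed": stat > crit}


if __name__ == "__main__":
    jan, feb = sample_periods()
    print(pattern_changed(jan, jan))  # same behaviour in both periods
    print(pattern_changed(jan, feb))  # late-night bins appear: changed
```

the test only says the distribution over hours moved; it does not say who moved it. pair it with the workstation affinity and peer outlier entries before calling the account shared.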
editorial overlap
lean toward…
disambiguation signals derived from case-type descriptions and common practitioner confusion points.
lean toward healthcare if you see…
- DICOM metadata, MRN/PHI tags, or a PACS export audit trail with a tenant-scoped imaging volume spike
- an EHR mass chart access pattern that drives PHI notification scoping, not just one user's workstation affinity
- HIPAA scoping artifacts (imaging export, registry DB) with no months-long peer outlier on a non-clinical repo
lean toward insider threat if you see…
- a gradual peer-group outlier or after-hours workstation affinity on one identity over weeks
- USB exfil, copy-paste bursts, or cloud-share DLP hits on sensitive repos, not a PACS bulk export alone
- insider threat indicator scorer elevation with none of the DICOM/PACS export volume that characterizes breach scoping
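the two signals above reduce to a breadth question: did one identity climb and stay up while peers stayed flat, or did volume jump across most identities at once? an added example that scores that question against per-identity daily record-access counts. it is not one of the listed tools: the input shape (daily counts per user for a baseline period and an incident window), the z threshold, the breadth threshold and the five sample users are assumptions constructed for the example.

```python
"""Breadth vs single-identity scoring of access volume (added example, not a
listed tool). Input shape, thresholds and sample data are assumptions."""
import statistics

BASELINE_DAYS = [18, 22, 20, 19, 21, 20, 22, 18, 21, 19]  # constructed daily counts
NORMAL_WINDOW = [20, 21, 19, 20, 21, 20, 19, 20, 21, 19]


def make_scenarios():
    """Constructed data for five identities over a ten-day baseline and a
    ten-day window: one window where only jdoe climbs and stays up, one where
    every identity's volume jumps at once."""
    users = ["asmith", "jdoe", "kwong", "mpatel", "rlee"]
    baseline = {u: list(BASELINE_DAYS) for u in users}
    insider = {u: list(NORMAL_WINDOW) for u in users}
    insider["jdoe"] = [60] * 10
    breach = {u: [200] * 10 for u in users}
    return baseline, insider, breach


def longitudinal_z(base, win):
    """Each window day scored against that user's own baseline, not the peers'."""
    mu = statistics.fmean(base)
    sd = max(statistics.pstdev(base), 1.0)  # floor keeps a flat baseline from exploding
    return [(d - mu) / sd for d in win]


def lean(baseline, window, z_threshold=3.0, breadth=0.5, sustained=0.7):
    """Breadth (share of identities elevated) separates a tenant-wide spike from
    one identity's sustained outlier; a single-day spike is left inconclusive."""
    per_user = {u: longitudinal_z(baseline[u], window[u]) for u in baseline}
    elevated = {u: zs for u, zs in per_user.items()
                if statistics.fmean(zs) >= z_threshold}
    share = len(elevated) / len(per_user)
    if share >= breadth:
        return {"lean": "healthcare-breach", "elevated": sorted(elevated),
                "share": share, "why": "volume climbed across most identities at once"}
    if len(elevated) == 1:
        (u, zs), = elevated.items()
        days_up = sum(z >= z_threshold for z in zs) / len(zs)
        if days_up >= sustained:
            return {"lean": "insider-threat", "elevated": [u], "share": share,
                    "why": f"{u} elevated on {days_up:.0%} of window days, peers flat"}
        return {"lean": "inconclusive", "elevated": [u], "share": share,
                "why": f"{u} spiked on {days_up:.0%} of days: one-off, not sustained"}
    return {"lean": "inconclusive", "elevated": sorted(elevated), "share": share,
            "why": "no single sustained outlier and no tenant-wide spike"}


if __name__ == "__main__":
    baseline, insider, breach = make_scenarios()
    print(lean(baseline, insider))
    print(lean(baseline, breach))
```

the breach branch still needs the page's other breach evidence (PACS export audit trail, DICOM tags) before it becomes a notification scoping decision; this scorer only tells you which tool list to open first.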