// case comparison
insider threat vs exit triage
both involve a departing employee — but insider threat is sustained access-anomaly and exfiltration; disgruntled exit is last-day endpoint sabotage and deletion bursts.
primary tools · side by side
ordered entry points from the case-type taxonomy. highlighted rows appear in both case types' editorial tool lists.
insider threat / data exfiltration
departing employee, IP theft, USB exfil, cloud-share leak. evidence patterns: access-anomaly + peer-comparison + after-hours activity.
- 01 insider threat behavioral indicator scorer: drop multiple forensic artifact csvs for a specific user · score against published insider threat behavioral indicators · data staging · unusual access · policy violations · communication patterns · produce risk profile · runs locally
- 02 data access pattern anomaly detector: drop file access logs or security evtx with object access events · compute per-user access baselines · detect bulk access · off-hours access · cross-department access · unusual file type access · statistical outlier sessions · runs locally
- 03 peer group statistical outlier analyzer: drop artifact sets for multiple users · compute per-user feature vectors · identify statistical outliers · surface the user whose behavior differs most from their peers · peer comparison charts · runs locally
- 04 time-of-day activity fingerprinter: drop logon evtx csv or activity logs for a user · build 24-hour activity fingerprint · compare two time periods · chi-squared test for pattern change · detect when a different person used the account · account sharing detection · runs locally
- 05 user behavior baseline profiler: drop months of logon evtx csvs or auth log exports · build statistical baseline per user · active hours · session duration · machine affinity · flag any session that deviates significantly from that user's normal pattern · runs locally
- 06 copy-paste behavior and data lineage tracer: drop clipboard history exports · lnk file access times · recently opened files csvs · correlate what was copied from where and pasted where · trace data lineage across applications · build evidence of deliberate data extraction · runs locally
- 07 user workstation affinity mapper: drop months of 4624 logon evtx csv · build statistical profile of which user uses which machine · compute affinity scores · flag when a user logs into an unusual machine · detect account takeover by changed workstation usage · runs locally
- 08 credential to lateral movement tracer: drop credential dumping evidence csvs · logon event csvs · admin share access · service install events · trace a specific credential from dump through use and propagation across systems · reconstruct the attack chain · runs locally
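worked example for tool 04 (the time-of-day fingerprinter), added here and not the catalog tool's own code: build the 24-bin hourly histogram of one account's logons for two periods, run a chi-squared test of homogeneity between them, and flag the account when the pattern changed. the chi-squared tail is computed inline so only the standard library is needed; the logon timestamps, the office-hours pattern and the 0.01 significance level are constructed assumptions.

```python
"""24-hour activity fingerprint with a chi-squared test for pattern change.

Added example, not the catalog tool's own code. Input is a list of logon
timestamps for one account (e.g. parsed from a 4624 evtx csv); the
timestamps below are constructed, not real logs.
"""
import math
from collections import Counter
from datetime import datetime, timedelta


def hour_histogram(timestamps):
    """24-bin fingerprint: number of events in each hour of the day."""
    counts = Counter(ts.hour for ts in timestamps)
    return [counts.get(h, 0) for h in range(24)]


def chi2_sf(stat, df):
    """Upper tail P(X >= stat) of a chi-squared variable with df degrees
    of freedom, via the series for the regularized lower incomplete gamma
    function (no SciPy dependency)."""
    if stat <= 0:
        return 1.0
    a, x = df / 2.0, stat / 2.0
    term = total = 1.0 / a
    n = 1
    while n < 5000:
        term *= x / (a + n)
        total += term
        if term < total * 1e-15:
            break
        n += 1
    lower = math.exp(-x + a * math.log(x) - math.lgamma(a)) * total
    return min(1.0, max(0.0, 1.0 - lower))


def compare_fingerprints(hist_a, hist_b):
    """Chi-squared test of homogeneity on the 2x24 table of hourly counts
    from two periods. Hours silent in both periods are dropped so they
    neither inflate df nor produce zero expected counts.
    Returns (statistic, df, p_value)."""
    total_a, total_b = sum(hist_a), sum(hist_b)
    if total_a == 0 or total_b == 0:
        raise ValueError("both periods need at least one event")
    n = total_a + total_b
    stat, used = 0.0, 0
    for a, b in zip(hist_a, hist_b):
        col = a + b
        if col == 0:
            continue
        used += 1
        exp_a, exp_b = total_a * col / n, total_b * col / n
        stat += (a - exp_a) ** 2 / exp_a + (b - exp_b) ** 2 / exp_b
    df = max(used - 1, 1)
    return stat, df, chi2_sf(stat, df)


def fingerprint_changed(baseline, recent, alpha=0.01):
    """True when the recent period's hourly pattern differs from the
    baseline at significance alpha (assumed 0.01): the signal behind
    'a different person used this account'."""
    stat, df, p = compare_fingerprints(hour_histogram(baseline),
                                       hour_histogram(recent))
    return p < alpha, stat, df, p


def synthetic_logons(start, days, hours):
    """Constructed sample: one logon at each listed hour on each day."""
    return [start + timedelta(days=d, hours=h)
            for d in range(days) for h in hours]


OFFICE_HOURS = [8, 9, 10, 11, 13, 14, 15, 16]
BASELINE = synthetic_logons(datetime(2024, 1, 8), 20, OFFICE_HOURS)
RECENT_SAME = synthetic_logons(datetime(2024, 2, 5), 20, OFFICE_HOURS)
RECENT_SHIFTED = synthetic_logons(datetime(2024, 3, 4), 20,
                                  [1, 2, 3, 4, 9, 10, 22, 23])

if __name__ == "__main__":
    for label, recent in (("same user", RECENT_SAME),
                          ("shifted", RECENT_SHIFTED)):
        changed, stat, df, p = fingerprint_changed(BASELINE, recent)
        print(f"{label}: chi2={stat:.1f} df={df} p={p:.2e} changed={changed}")
```

the homogeneity form (rather than testing the recent histogram against the baseline as a fixed expectation) matters when the baseline itself is short: both periods contribute sampling noise, and dropping hours that are empty in both keeps a night-time-only account from being compared against 24 mostly empty bins.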
disgruntled employee exit
last-day endpoint snapshot: deletions, USB attach, cloud sync bursts, sabotage indicators (scheduled tasks, hidden accounts).
- 01 mass rename detector: drop a file listing or dir output · detect bulk renames within short time windows · flag ransomware extension patterns · visualize rename timeline · export CSV · runs locally
- 02 secure deletion detector: drop disk image · wipe patterns: zero, ff, aa55 fills · high entropy · sdelete / eraser hints · heat map · chunked worker scan · runs locally
- 03 file shredder remnant and signature scanner: drop mft csv, usn journal csv or file listing · detect execution artifacts of file shredding tools · identify sdelete, eraser, bleachbit, cipher patterns · surface files that were securely deleted · runs locally
- 04 registry key deletion burst detector: drop registry transaction log or security evtx csv · detect rapid bulk registry key deletion · identify scripted registry cleanup operations · surface anti-forensic registry wiping patterns · runs locally
- 05 scheduled task deletion and history clearing detector: drop security, system and task scheduler evtx csvs · detect scheduled task deletion · identify task history clearing · surface task creation followed by deletion indicating attacker cleanup · runs locally
- 06 service deletion burst detector: drop system evtx csv · detect rapid service deletion patterns · identify attacker persistence mechanism removal · surface service install-then-delete lifecycle indicating attack tool cleanup · runs locally
- 07 browser history clearing pattern detector: drop chrome, firefox or edge sqlite history db csv · detect history clearing events · identify gaps in browsing timeline · surface clearing timestamps and what was removed · runs locally
- 08 PowerShell history clearing detector: drop powershell operational evtx csv or psreadline history file · detect cleared powershell command history · identify gaps in command execution record · surface anti-forensic powershell history manipulation · runs locally
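worked example for the burst detectors (tools 04 to 06) and the create-then-delete lifecycle in tool 05, added here and not the catalog tools' code: a sliding-window burst finder over a security evtx export, plus pairing of scheduled task creation (4698) with a later deletion of the same task path (4699). the csv column names (timestamp, event_id, object, subject) are an assumption about the exporter, and the rows embedded in the block are constructed, not real telemetry. the same find_bursts helper applies unchanged to registry-key or service deletion events once the predicate is swapped.

```python
"""Deletion-burst and create-then-delete detection over an exported
Security log CSV.

Added example, not the catalog tools' own code. The CSV column names
(timestamp, event_id, object, subject) are an assumption about the
export format; the rows below are constructed, not real telemetry.
Event IDs: 4698 (scheduled task created), 4699 (scheduled task deleted).
"""
import csv
import io
from datetime import datetime, timedelta

# constructed sample export: one old deletion, a task created in the
# morning, a burst of four deletions in the late afternoon, and a new
# task created after the burst
SAMPLE_CSV = r"""timestamp,event_id,object,subject
2024-03-01 10:02:11,4699,\Maintenance\OldCleanup,CORP\svc_admin
2024-03-29 09:15:44,4698,\Updater\PullTools,CORP\jdoe
2024-03-29 16:40:01,4699,\Backup\NightlySync,CORP\jdoe
2024-03-29 16:40:19,4699,\Reports\WeeklyExport,CORP\jdoe
2024-03-29 16:41:03,4699,\Updater\PullTools,CORP\jdoe
2024-03-29 16:41:37,4699,\Monitoring\Heartbeat,CORP\jdoe
2024-03-29 17:55:00,4698,\Updater\Persist,CORP\jdoe
"""

TASK_CREATED, TASK_DELETED = 4698, 4699


def parse_events(text):
    """Parse the CSV export into dicts sorted by time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S"),
            "event_id": int(row["event_id"]),
            "object": row["object"],
            "subject": row["subject"],
        })
    return sorted(rows, key=lambda e: e["ts"])


def find_bursts(events, predicate, window_seconds, min_count):
    """Sliding-window burst detection: every maximal run of matching
    events in which at least min_count fall inside window_seconds.
    Returns (start, end, count) tuples; overlapping windows are merged."""
    ts = [e["ts"] for e in events if predicate(e)]
    window = timedelta(seconds=window_seconds)
    spans = []  # (first_index, last_index_exclusive)
    j = 0
    for i in range(len(ts)):
        j = max(j, i)
        while j < len(ts) and ts[j] - ts[i] <= window:
            j += 1
        if j - i >= min_count:
            if spans and i < spans[-1][1]:
                spans[-1] = (spans[-1][0], j)
            else:
                spans.append((i, j))
    return [(ts[a], ts[b - 1], b - a) for a, b in spans]


def task_deletion_bursts(events, window_seconds=300, min_count=3):
    """Assumed thresholds: three or more task deletions inside 5 minutes."""
    return find_bursts(events, lambda e: e["event_id"] == TASK_DELETED,
                       window_seconds, min_count)


def create_then_delete(events, max_gap_hours=24):
    """Pair each task creation with a later deletion of the same task
    path inside max_gap_hours: a short-lived task is the staging-then-
    cleanup indicator the catalog entry describes."""
    pending = {}
    pairs = []
    for e in events:
        if e["event_id"] == TASK_CREATED:
            pending[e["object"]] = e["ts"]
        elif e["event_id"] == TASK_DELETED and e["object"] in pending:
            created = pending.pop(e["object"])
            if e["ts"] - created <= timedelta(hours=max_gap_hours):
                pairs.append((e["object"], created, e["ts"]))
    return pairs


if __name__ == "__main__":
    evts = parse_events(SAMPLE_CSV)
    for start, end, n in task_deletion_bursts(evts):
        print(f"burst: {n} task deletions between {start} and {end}")
    for obj, c, d in create_then_delete(evts):
        print(f"short-lived task {obj}: created {c}, deleted {d}")
```

the two-pointer window keeps the scan linear in the number of events, so the same function is usable on a month of registry transaction log rows; the check to make before trusting a burst is whether the subject is a deployment or cleanup service account, which produces identical deletion bursts on schedule.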
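worked example for tool 02 (secure deletion detector), added here and not the tool's own code: a chunked scan that labels each 4 KiB chunk of a disk image as zero fill, 0xff fill, other constant fill, high entropy or ordinary data, then collapses neighbouring chunks into runs, which is the textual form of the heat map. the image is constructed in memory; the 4 KiB chunk size and the 7.5 bits/byte entropy threshold are assumptions, not tool defaults.

```python
"""Chunked wipe-pattern and entropy scan over a disk image.

Added example, not the catalog tool's own code. It reads an image as
bytes and classifies each 4 KiB chunk; the image below is constructed
in memory (zero fill, document text, 0xFF fill, high-entropy fill) so
the scan runs offline. Thresholds are assumptions, not tool defaults.
"""
import hashlib
import math
from collections import Counter

CHUNK = 4096
HIGH_ENTROPY_BITS = 7.5  # assumption: 4 KiB of random bytes scores ~7.95


def shannon_entropy(buf):
    """Bits per byte over the chunk (0 = constant, 8 = uniform)."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def classify_chunk(buf):
    """Label one chunk: zero_fill / ff_fill / constant_fill (any other
    single byte, e.g. a tool's fixed pass pattern) / high_entropy
    (random pass or encrypted) / data."""
    if buf == buf[:1] * len(buf):
        return {b"\x00": "zero_fill", b"\xff": "ff_fill"}.get(buf[:1], "constant_fill")
    if shannon_entropy(buf) >= HIGH_ENTROPY_BITS:
        return "high_entropy"
    return "data"


def scan_image(image, chunk=CHUNK):
    """Classify every chunk and collapse consecutive equal labels into
    runs of (label, first_chunk, last_chunk_exclusive). A worker pool
    would split the chunk range, classify each slice in parallel and
    merge the per-slice run lists the same way."""
    runs = []
    for idx, off in enumerate(range(0, len(image), chunk)):
        label = classify_chunk(image[off:off + chunk])
        if runs and runs[-1][0] == label:
            runs[-1] = (label, runs[-1][1], idx + 1)
        else:
            runs.append((label, idx, idx + 1))
    return runs


def wipe_candidates(runs, min_chunks=2):
    """Runs that look like deliberate overwrites rather than ordinary
    file content: fills and high-entropy stretches of at least
    min_chunks contiguous chunks (assumed threshold)."""
    return [r for r in runs if r[0] != "data" and r[2] - r[1] >= min_chunks]


def pseudo_random_bytes(n, seed=b"scan-demo"):
    """Deterministic high-entropy filler for the constructed image."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# constructed image: 8 zeroed chunks, 4 chunks of document text,
# 4 chunks of 0xFF, 8 high-entropy chunks, 2 more chunks of text
TEXT_CHUNK = (b"Q3 board deck draft - confidential. " * 200)[:CHUNK]
SAMPLE_IMAGE = (b"\x00" * (8 * CHUNK) + TEXT_CHUNK * 4 + b"\xff" * (4 * CHUNK)
                + pseudo_random_bytes(8 * CHUNK) + TEXT_CHUNK * 2)

if __name__ == "__main__":
    for label, first, last in scan_image(SAMPLE_IMAGE):
        print(f"{label:13s} chunks {first:4d}-{last - 1:4d} "
              f"offset 0x{first * CHUNK:08x}")
```

the caveat a practitioner wants here: never-written sectors on a fresh volume and TRIM-ed SSD regions also read back as zero fill, and compressed or encrypted user files score as high entropy, so a run only becomes evidence of wiping when its offsets line up with MFT or usn-journal records of files that existed there shortly before.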
editorial overlap
5 tools mapped to both case types in the editorial taxonomy — useful when the investigation spans both surfaces.
lean toward…
disambiguation signals derived from case-type descriptions and common practitioner confusion points.
lean toward insider threat if you see…
- gradual data-access spike or peer-group outlier over days or weeks before departure
- cloud-share or USB exfil patterns flagged by DLP — not just last-day wipe artifacts
- after-hours browsing or copy-paste bursts on sensitive repositories
lean toward exit triage if you see…
- mass rename, secure deletion, or registry-key deletion burst on final workday
- scheduled-task or service deletion logged hours before badge deactivation
- browser or PowerShell history clearing — endpoint sabotage, not long-run exfil scoring