// case comparison

trade secret vs insider threat

legal counsel opens an IP-theft matter when HR already flagged the same employee in insider-threat scoring. trade-secret theft is artifact preservation on exit (USB attach, LNK paths, print spool); insider threat is a sustained access anomaly over weeks. the preservation order and tool stack diverge on day one.

primary tools · side by side

ordered entry points from the case-type taxonomy. highlighted rows appear in both case types' editorial tool lists.

case a

trade secret / IP theft

exiting employee took source code, a customer list, or CAD files. preserve USB attach times, cloud-sync, print, and email-out evidence.

  1. windows lnk deep analyzer: drop Windows .lnk shortcut files · parse full shell link structure · target path · command line · machine GUID · volume serial · timestamps · network share · tracker block · export CSV · runs locally
  2. lnk timeline correlator: drop multiple Windows .lnk shortcuts · unified FILETIME timeline · machine GUID · volume serial · dedupe targets · CSV export · runs locally
  3. lnk file batch timeline correlator: drop hundreds of lnk shortcut files or lnk csv exports · build single unified recently-accessed timeline · deduplicate · surface deleted source files · correlate access times across all shortcuts · runs locally
  4. shellbags analyzer: drop a Windows registry hive · extract shellbag entries · folder browsing history · paths · timestamps · export CSV · runs locally
  5. windows jump list parser: drop .automaticDestinations-ms or .customDestinations-ms · parse OLE structure · extract recently accessed files per app · timestamps · AppIDs · export CSV · runs locally
  6. jump list cross-application timeline correlator: drop multiple jlecmd csv exports · unified timeline · cross-app document access · network and removable flags · export csv · runs locally
  7. print spooler artifact forensic analyzer: drop shd spool files, evtx csv, registry exports · print job history · printnightmare indicators · export csv · runs locally
  8. document hidden print history extractor: drop docx xlsx pptx doc xls ppt · hidden print audit trail · printer name · print timestamp · page count · every print job · runs locally

case b

insider threat / data exfiltration

departing employee, IP theft, USB exfil, cloud-share leak. evidence patterns: access-anomaly + peer-comparison + after-hours activity.

  1. insider threat behavioral indicator scorer: drop multiple forensic artifact csvs for a specific user · score against published insider threat behavioral indicators · data staging · unusual access · policy violations · communication patterns · produce risk profile · runs locally
  2. data access pattern anomaly detector: drop file access logs or security evtx with object access events · compute per-user access baselines · detect bulk access · off-hours access · cross-department access · unusual file type access · statistical outlier sessions · runs locally
  3. peer group statistical outlier analyzer: drop artifact sets for multiple users · compute per-user feature vectors · identify statistical outliers · surface the user whose behavior differs most from their peers · peer comparison charts · runs locally
  4. time-of-day activity fingerprinter: drop logon evtx csv or activity logs for a user · build 24-hour activity fingerprint · compare two time periods · chi-squared test for pattern change · detect when a different person used the account · account sharing detection · runs locally
  5. user behavior baseline profiler: drop months of logon evtx csvs or auth log exports · build statistical baseline per user · active hours · session duration · machine affinity · flag any session that deviates significantly from that user's normal pattern · runs locally
  6. copy-paste behavior and data lineage tracer: drop clipboard history exports · lnk file access times · recently opened files csvs · correlate what was copied from where and pasted where · trace data lineage across applications · build evidence of deliberate data extraction · runs locally
  7. user workstation affinity mapper: drop months of 4624 logon evtx csv · build statistical profile of which user uses which machine · compute affinity scores · flag when a user logs into an unusual machine · detect account takeover by changed workstation usage · runs locally
  8. credential to lateral movement tracer: drop credential dumping evidence csvs · logon event csvs · admin share access · service install events · trace a specific credential from dump through use and propagation across systems · reconstruct the attack chain · runs locally

editorial overlap

4 tools mapped to both case types in the editorial taxonomy — useful when the investigation spans both surfaces.

lean toward…

disambiguation signals derived from case-type descriptions and common practitioner confusion points.

lean toward trade secret if you see…

  • LNK / jump-list paths to CAD, source repos, or sensitive document shares in a final-week workstation snapshot
  • print spool burst, USB attach events, or shellbag traces on the exit-window endpoint
  • exit-day file access on labeled trade-secret repositories without prior longitudinal UEBA elevation

lean toward insider threat if you see…

  • gradual peer-group outlier score or after-hours workstation affinity over days or weeks before departure
  • cloud-share DLP hits or copy-paste bursts on sensitive repos — not just exit-window LNK or print artifacts
  • longitudinal UEBA elevation without the final-week USB attach, shellbag, or print spool burst pattern