// investigation guide

disgruntled employee exit — methodology

disgruntled employee exit is not routine offboarding friction. it is last-day endpoint sabotage on a machine the subject still trusts: mass renames of deliverables, SDelete and cipher passes, registry and scheduled-task cleanup bursts, service key deletions, and browser plus PowerShell history wipes to hide research and commands. payout is damage and cover-up, not ransomware notes. your job is to freeze WS-PARK-class hosts before HR reimages them, chain rename → shred → anti-forensics timestamps, and preserve what counsel needs when the employee claims “IT must have broken it during imaging.”

the park fixture compresses the pattern: Jordan Park on WS-PARK, two-week notice ending 2026-04-15, HR offboarding scheduled for 17:00 UTC while telemetry shows sabotage from 16:00–16:55—twenty-five .gone renames in twenty-five seconds, sdelete64.exe and cipher.exe in Security 4688, twelve registry deletions in twenty-four seconds, task log clears, five service key deletions in forty seconds, a four-day Chrome visit gap, and PowerShell Clear-History in 4104. that sequence is the case type. everything below follows the order those artifacts die.

preserve before you analyze

HR will want the laptop back for the next hire. legal will want proof before a for-cause termination letter goes out. those clocks conflict. default rule: no reimage, no “quick fix” rename rollback, no browser profile reset until a forensic image or targeted collection completes. if the employee is still on site, escort them away from the desk without shutting the lid—sleep preserves some volatile state; hibernate and fast startup can complicate boot-time artifacts. document who touched the machine after the exit interview started. a well-meaning helpdesk tech running Disk Cleanup destroys the same slack regions you need for secure-deletion-detector.

what evidence exists and how fast it dies

artifact | volatility | time to loss
live file tree (renamed / deleted paths) | volatile on live box | minutes if HR triggers “wipe and redeploy” after exit interview
MFT and USN journal (rename + shred remnants) | persistent until overwrite | hours if full-disk secure wipe or reimage without image first
unallocated slack (zero-fill wipe signatures) | persistent on disk | lost on full format or TRIM-heavy SSD reimage
Security.evtx (4688 process, 4660 registry delete) | persistent (rolling) | hours if actor clears Security log or retention is short
System.evtx (service install/delete lifecycle) | persistent (rolling) | hours if 1102 clear or GPO shrinks retention
Task Scheduler logs (4698 / 4699 pairs) | persistent (rolling) | hours if batch task delete plus log clear in same window
Chrome / Edge history SQLite or CSV export | persistent on profile | minutes if subject runs “clear browsing data” before badge cutoff
PSReadLine history and PowerShell 4104 script blocks | mixed | cleared by Clear-History, transcript off, or profile delete
EDR / DLP USB block logs (narrative corroboration) | persistent in SIEM | days to months per retention; not always on the endpoint image

the first 10 minutes

  1. isolate WS-PARK from the network but do not power off—volatile state matters if the session is still active.
  2. record exact UTC time of last badge swipe, HR offboarding trigger, and any helpdesk ticket mentioning “slow laptop” or “missing files.”
  3. disable automatic reimage workflows in MDM/Intune until forensic copy completes—HR urgency is the #1 evidence killer.
  4. image the system drive or capture MFT, USN journal, and unallocated slack before anyone “fixes” the rename mess.
  5. export Security.evtx and System.evtx read-only; note any 1102 “audit log cleared” events inside the departure window.
  6. pull Task Scheduler operational logs and list scheduled tasks still present versus deleted stubs in registry.
  7. copy Chrome / Edge profile History, Visits exports, and PSReadLine ConsoleHost_history.txt without opening the browser on the live profile.
  8. hash and preserve any sdelete64.exe, cipher.exe, or third-party shredder binaries in Downloads or Temp.
  9. snapshot the project directory listing showing mass .gone or similar extension swaps—HR often photographs this before IT arrives.
  10. quantify business impact early: count of renamed paths, directories affected, and whether source control or network shares hold clean copies—counsel needs damage scope even when carving fails.
  11. notify employment counsel that the endpoint is frozen—do not let managers browse the live disk; their activity writes NTFS timestamps you will have to explain later.
  12. begin the path below on a forensic copy, not the live box HR wants back on the desk Monday.

the path

  1. mass rename detector

    directory listing or MFT-derived rename export. flags bulk extension swaps and filename churn inside tight windows—e.g. twenty-five project deliverables renamed to `.gone` in twenty-five seconds on WS-PARK. exports a rename timeline CSV for HR damage assessment and legal exhibits.

    why first: sabotage often starts as visible damage before secure wipe tools run. rename bursts anchor the clock and separate petulant vandalism from ransomware or malware noise. if you only image the disk after IT “fixes” extensions, this step still proves the burst happened.

  2. secure deletion detector

    unallocated slack dump or disk image slice. surfaces zero-fill regions, high-entropy wipe patterns, and SDelete / cipher-style overwrite signatures in slack space—the park bundle includes an 8 KiB zero-fill region tied to Documents wiping.

    why second: once renames are mapped, you need proof the actor tried to make files unrecoverable—not just rename them. slack analysis survives when the live file tree looks merely “messy” and when the recycle bin was emptied.

  3. file shredder remnant scanner

    MFT CSV, USN journal export, or Security 4688 process timeline. ties SDelete `A+.AAA` rename remnants, BleachBit-class patterns, and cipher.exe passes to specific paths and execution minutes.

    why third: connects the shredding tool to filenames HR still recognizes. without MFT remnants, “we ran SDelete” is accusation; with them it is artifact-backed.

  4. registry key deletion burst detector

    Security.evtx CSV or registry transaction log extract. highlights rapid bulk 4660 deletions—UserAssist, Run keys, MRU lists—clustered in seconds instead of organic profile cleanup.

    why fourth: disgruntled exits often scrub “what I clicked” before IT collects the box. burst shape distinguishes scripted anti-forensics from normal uninstall churn.

  5. scheduled task deletion detector

    Security / System / Task Scheduler EVTX CSV. pairs 4698 creation with 4699 deletion, batch task removals, and 1102 log clears that erase the scheduler audit trail.

    why fifth: tasks are both persistence and evidence. a departing insider may delete backup or sync jobs they created—or wipe the task log to hide what ran during the final hour.

  6. service deletion burst detector

    System.evtx service lifecycle export. flags five-or-more service key deletions inside forty seconds—often attacker-tool cleanup or deliberate disablement of monitoring agents.

    why sixth: service bursts show intent to break continuity, not accidental uninstall. stack them against the rename and SDelete window for one sabotage narrative.

  7. browser history clearing pattern detector

    Chrome / Edge visits CSV or SQLite history export. finds multi-day gaps, orphaned URL rows with zero last-visit time, and selective clearing that leaves skeleton history behind.

    why seventh: insiders research exfil paths, personal cloud uploads, and “how to securely delete files” in the browser. gaps plus orphans are harder to fake than deleted files.

  8. powershell history clearing detector

    4104 script block log CSV and sparse PSReadLine `ConsoleHost_history.txt`. detects `Clear-History`, transcript gaps, and history file deletion after destructive commands ran.

    why last: PowerShell is where rename loops, SDelete invocations, and registry cleanup scripts live. history clearing is the capstone—proof the actor knew the commands were incriminating.
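the rename, registry-deletion and service-deletion steps above all reduce to the same sliding-window burst test, shown here as an added example that is not the page's or the project's own code. the event timeline is constructed and the thresholds are assumptions that echo the fixture numbers (twenty-five renames in twenty-five seconds, twelve 4660 deletions in twenty-four seconds, five service deletions in forty seconds).

```javascript
// Added example, not the page's or project's code: one sliding-window burst
// detector serving the rename, registry-deletion and service-deletion steps.
const pad = (n) => String(n).padStart(2, "0");
// Constructed timeline: 25 .gone renames over 16:10:00-16:10:24, 12 registry
// deletions (4660) over 16:30:00-16:30:22, plus two organic renames as noise.
const SAMPLE_EVENTS = [
  ...Array.from({ length: 25 }, (_, i) => ({
    ts: `2026-04-15T16:10:${pad(i)}Z`, kind: "rename",
    detail: `deliverable_${i + 1}.docx -> deliverable_${i + 1}.gone`,
  })),
  ...Array.from({ length: 12 }, (_, i) => ({
    ts: `2026-04-15T16:30:${pad(i * 2)}Z`, kind: "reg_delete",
    detail: `4660 UserAssist\\entry${i}`,
  })),
  { ts: "2026-04-15T15:05:00Z", kind: "rename", detail: "notes.txt -> notes_old.txt" },
  { ts: "2026-04-15T15:40:00Z", kind: "rename", detail: "q1.xlsx -> q1_final.xlsx" },
];
// Assumed thresholds: fire when at least minCount events of one kind land
// inside a windowSec window. Organic cleanup rarely clusters this tightly.
const BURST_RULES = {
  rename: { minCount: 20, windowSec: 60 },
  reg_delete: { minCount: 10, windowSec: 30 },
  service_delete: { minCount: 5, windowSec: 40 },
};
// Returns one record per burst: kind, first/last timestamp, count and span.
function detectBursts(events, rules = BURST_RULES) {
  const bursts = [];
  for (const [kind, rule] of Object.entries(rules)) {
    const times = events.filter((e) => e.kind === kind)
      .map((e) => Date.parse(e.ts)).sort((a, b) => a - b);
    const runs = []; // [startIdx, endIdx] ranges of qualifying windows
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      // drop events from the left until the window fits in windowSec
      while (times[end] - times[start] > rule.windowSec * 1000) start++;
      if (end - start + 1 < rule.minCount) continue;
      const last = runs[runs.length - 1];
      if (last && start <= last[1]) last[1] = end; // overlapping: extend run
      else runs.push([start, end]);
    }
    for (const [s, e] of runs) {
      bursts.push({ kind, start: new Date(times[s]).toISOString(),
        end: new Date(times[e]).toISOString(), count: e - s + 1,
        spanSec: (times[e] - times[s]) / 1000 });
    }
  }
  return bursts.sort((a, b) => a.start.localeCompare(b.start));
}
```

feed it the MFT rename export, the 4660 rows, and the System.evtx service deletions as separate kinds and the output is the burst summary HR and counsel ask for; the two scattered renames in the sample stay silent, which is the point of the window.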
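for the secure deletion step, an added example (not the page's or the project's code) of the slack classification it describes: walk a slack dump block by block, tag each block as zero-fill, high-entropy or ordinary content, and merge runs into regions. the dump is constructed inline (text, an 8 KiB zero-fill hole, then pseudo-random bytes); block size and entropy threshold are assumptions.

```javascript
// Added example, not the page's or project's code: classify a slack-space
// dump into zero-fill, high-entropy and ordinary regions.
function shannonEntropy(bytes) {
  const counts = new Array(256).fill(0);
  for (const b of bytes) counts[b]++;
  let h = 0;
  for (const c of counts) {
    if (c === 0) continue;
    const p = c / bytes.length;
    h -= p * Math.log2(p);
  }
  return h; // bits per byte, 0..8
}
function classifyBlock(block, entropyThreshold) {
  if (block.every((b) => b === 0)) return "zero-fill";
  return shannonEntropy(block) >= entropyThreshold ? "high-entropy" : "other";
}
// Walk the dump in blocks and merge consecutive blocks of one class.
// Assumed defaults: 1 KiB blocks, 7.0 bits/byte as the high-entropy cut.
function scanSlack(buf, blockSize = 1024, entropyThreshold = 7.0) {
  const regions = [];
  for (let off = 0; off < buf.length; off += blockSize) {
    const len = Math.min(blockSize, buf.length - off);
    const cls = classifyBlock(buf.subarray(off, off + len), entropyThreshold);
    const last = regions[regions.length - 1];
    if (last && last.cls === cls) last.length += len;
    else regions.push({ cls, offset: off, length: len });
  }
  return regions;
}
// Constructed dump: 4 KiB of document text, an 8 KiB zero-fill hole (the
// page's Documents wiping case), then 4 KiB of deterministic pseudo-random
// bytes standing in for an overwrite-pass pattern.
function buildSampleDump() {
  const text = Buffer.alloc(4096, "quarterly deliverable draft v3 ");
  const zeros = Buffer.alloc(8192, 0);
  const rand = Buffer.alloc(4096);
  let x = 0x9e3779b9; // xorshift32 state, fixed seed so runs are repeatable
  for (let i = 0; i < rand.length; i++) {
    x ^= x << 13; x ^= x >>> 17; x ^= x << 5;
    rand[i] = x & 0xff;
  }
  return Buffer.concat([text, zeros, rand]);
}
```

on a TRIM-heavy SSD the zero-fill region may be the drive's own doing rather than a wipe pass, which is why the page pairs this step with the 4688 process timeline before calling it SDelete or cipher.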

common false leads

  • “it was ransomware.” mass renames to a single odd extension without encryption notes, C2, or shadow-copy delete chains point to insider vandalism—especially on one user workstation the day notice expires.
  • “IT reimaged it during offboarding.” standard imaging does not produce twenty-five renames in twenty-five seconds, SDelete MFT remnants, and paired registry deletion bursts. ask for the imaging ticket timestamp.
  • “empty browser history means nothing to see.” selective clearing leaves orphaned URL rows and multi-day gaps—often worse than a full wipe because it proves intent to hide research, not privacy hygiene.
  • “SDelete was already on the machine for IT.” presence of the binary is not execution. anchor 4688 process creation, MFT shred remnants, and slack wipe signatures to the same minute as the rename burst.
  • “they had legitimate admin rights.” authorized access does not authorize sabotage. HR timeline plus anti-forensics bursts build the HR/legal story even when the account was not “hacked.”
  • “USB block means they stole everything.” DLP blocks prove attempt and device class, not successful exfil volume. pair with cloud sync logs and peer comparison if theft is alleged alongside sabotage.

what we can tell you, what we can't

we can tell you:

  • mass rename burst timing and extension patterns from directory listings or MFT rename columns
  • secure-deletion and slack wipe signatures consistent with SDelete, cipher, or similar tools
  • MFT / USN shred remnants linking specific paths to shredding tool behavior
  • registry key deletion bursts (4660 clusters) inconsistent with normal profile maintenance
  • scheduled task creation-deletion pairs and Security log clears in the sabotage window
  • service deletion bursts from System.evtx exports
  • browser history gaps, orphaned URLs, and clearing timestamps from Chrome / Edge extracts
  • PowerShell Clear-History and sparse PSReadLine patterns from 4104 and history files

we can't tell you:

  • recover securely wiped file content from slack alone. carving may be partial; set expectations with counsel.
  • prove motive (“they were angry at management”). artifacts show actions; HR interviews show why.
  • replace a forensic disk image or chain-of-custody sign-off. we analyze copies you already collected.
  • determine employment outcomes. that is HR and legal, not browser tooling.
  • distinguish this case from generic insider threat exfil. disgruntled-exit centers on endpoint destruction and anti-forensics on the last day—not months of slow DLP drift. if your org runs both playbooks, label the session correctly so peer-baseline tools are not misapplied as false negatives.

handing it off

  • HR and employment counsel: UTC sabotage window, rename manifest, process execution for SDelete/cipher, anti-forensics burst summary, and preserved disk image hash. they need timeline before termination-for-cause letters go out.
  • outside forensic firm: full disk image, EVTX exports, MFT/USN CSVs, browser and PSReadLine copies, and your path outputs as CSV/JSON attachments. ask them to validate slack carve scope.
  • law enforcement (if criminal referral): intentional damage statutes vary by jurisdiction. package process execution, quantified file impact, and evidence of log clearing—not just “employee was upset.”
  • insurer / cyber carrier: if policy covers insider sabotage, they want proof the actor was authenticated, timestamps, and whether backups cover renamed paths—not ransomware extortion artifacts.
  • IT operations: list of deleted scheduled tasks and services to rebuild after investigation closes—restore from backup configs, not from the subject’s profile.

further reading

reference investigation

synthetic fixture park-disgruntled-exit: Jordan Park last-day sabotage on WS-PARK—mass .gone renames, SDelete and cipher passes, registry / scheduled-task / service cleanup bursts, Chrome history gap with orphaned URL rows, PowerShell Clear-History in 4104. sabotage window 2026-04-15 16:00–16:55 UTC; HR offboarding was scheduled for 17:00. seed park-disgruntled-exit:v1. compare output via npm run check:flagship.
