trade secret / IP theft — methodology
trade secret theft is not a malware incident. it is a departing employee copying customer lists, cad source, and proprietary archives to removable media, personal cloud folders, and the print queue in the days before leaving for a competitor. evidence lives in lnk files, shellbags, jump lists, partial mft rows, and spool metadata, artifacts that outlast the usb stick and the deleted zip. your job is to reconstruct the staging sequence, prove the subject touched the sensitive paths, and preserve what counsel needs before hr reimages the workstation.
what evidence exists and how fast it dies
| artifact | volatility | time to loss |
|---|---|---|
| lnk shortcuts (recent / desktop) | persistent on profile | minutes if hr triggers profile wipe or reimage after badge return |
| shellbags (ntuser.dat and usrclass.dat) | persistent on profile | lost on profile delete or fresh user hive restore |
| jump lists (automaticdestinations-ms / customdestinations-ms) | persistent on profile | cleared by “recent items” cleanup or profile reset |
| partial $MFT / $UsnJrnl rows for staged files (on the host, or on the usb volume if it is recovered) | persistent until overwrite | hours if full-disk wipe or ssd trim follows usb removal |
| print spool shd / spl files (spool\PRINTERS) | deleted on job completion unless “keep printed documents” is set on the queue | minutes by default; days only where retention is enabled or a job stalled in the queue |
| print service evtx (307/800 events) | persistent (rolling); Microsoft-Windows-PrintService/Operational is off by default, so confirm it was ever enabled | 30–90 days typical; shorter if log cleared or the channel size is small |
| office doc embedded print metadata | persistent on file | destroyed if source doc deleted before collection |
| dlp / cloud sync audit logs | persistent in siem | days to months per retention — not always on the endpoint image |
the first 10 minutes
- freeze the workstation — disable reimage workflows in mdm until forensic copy completes.
- record resignation date, last badge swipe, and any hr ticket mentioning “laptop return” or “account disable.”
- image the system drive or, failing that, capture ntuser.dat, usrclass.dat, %AppData%\Microsoft\Windows\Recent (lnk files) and its AutomaticDestinations and CustomDestinations subfolders (jump lists) without opening files on the live profile.
- export the spool directory (%SystemRoot%\System32\spool\PRINTERS\*.shd and *.spl) and the Microsoft-Windows-PrintService/Operational, application, and system evtx files read-only.
- pull dlp usb block logs and cloud sync audit for the subject’s final 14 days — even if the endpoint image is all you have locally.
- hash and preserve any removable-media lnk pointing at e: or other non-system volumes.
- identify sensitive paths from data classification tags — customer lists, cad repos, formula archives.
- notify employment counsel before managers browse the live disk — their activity writes timestamps.
- document whether the usb device was recovered or only inferred from lnk/shellbag paths.
- begin the path below on a forensic copy, not the live box hr wants back on the desk monday.
the path
1. lnk deep analyzer
shortcut files from Recent or Desktop. surfaces target paths, drive types, volume serials and labels, MAC times, and file sizes, e.g. E:\TradeSecrets\customer-list.xlsx, HughesCAD\core.dll, and a Dropbox export archive. the header timestamps are the target file's MAC times as the shell recorded them; the shortcut's own filesystem timestamps are a separate set and both belong in the report.
why first: lnk files survive after the usb is removed and the live file tree is cleaned. they tell you what was opened and copied before mft rows disappear.
2. lnk timeline correlator
same lnk set as step one. orders create, access, and modify events into a single utc timeline across all shortcuts in the departure window (lnk header times are already utc, so no zone conversion is needed).
why second: trade secret theft is sequence: repo access, then usb staging, then cloud archive. one timeline beats three isolated lnk reports.
3. lnk batch timeline correlator
LECmd-style lnk csv export plus partial mft targets. merges batch lnk metadata with mft rows and flags deleted-evidence gaps when usb targets vanish from the live file system.
why third: insiders delete the usb copy after staging. batch mode catches the gap between lnk target and missing mft entry.
4. shellbags analyzer
usrclass.dat (and ntuser.dat) shellbags fragment. recovers folder browse history for removable paths the user opened in explorer, even when e: is no longer attached.
why fourth: shellbags prove the subject navigated to trade secret directories, not just that a shortcut existed on disk.
5. jump list parser
automaticdestinations-ms files from Recent\AutomaticDestinations, keyed by application id (explorer, excel, word). lists recent file paths and access order: usb spreadsheet, cad source, personal cloud zip.
why fifth: jump lists corroborate lnk targets with application-level recent-file history independent of shortcut metadata.
6. jumplist deep correlator
JLECmd-style jump list csv. ranks interaction counts, last-used timestamps, and cloud-path flags across excel, word, and explorer entries.
why sixth: high-interaction cloud archive entries in the final hour separate casual sync from deliberate exfil packaging.
7. print spool forensics
spool .shd job headers plus a print service evtx export (event 307 carries document name, user, printer, byte size, and pages printed). surfaces confidential document names, page counts, printer unc paths, and submission times on the secure print queue.
why seventh: departing employees print what they cannot email. job metadata in the evtx survives when the source docx is deleted; .shd files survive only where the queue keeps printed documents, so do not treat an empty spool directory as “never printed.”
8. document print history extractor
printed office file with embedded print metadata. extracts the last-printed timestamp (cp:lastPrinted in docProps/core.xml) and page count (docProps/app.xml), plus device name and paper settings where the package embeds a devmode block (xlsx printerSettings parts); word docx files normally carry the timestamp and page count but no device name.
why last: ties the physical print job back to a file artifact counsel can enter into discovery, not just a spool stub.
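Steps 1 to 3 above, and the "hash and preserve any removable-media lnk" item in the first 10 minutes, come down to reading the shell link header and its LinkInfo block. The following is an added example, not the page's analyzer or any listed tool: a minimal MS-SHLLINK parser that pulls the target path, drive type, volume serial and label, the target's MAC times and size, hashes the shortcut, flags removable and non-system volumes, and merges several shortcuts into one UTC timeline. The fixture builder and its two shortcuts are constructed for the example; the sensitive-path markers and C: as the system drive are assumptions.

```python
import hashlib
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
DRIVE_TYPES = {0: "unknown", 1: "no_root", 2: "removable", 3: "fixed",
               4: "remote", 5: "cdrom", 6: "ramdisk"}
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80   # LinkFlags bits


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def cstr(buf, off):
    """NUL-terminated ANSI string starting at buf[off]."""
    return buf[off:buf.index(b"\x00", off)].decode("cp1252")


def build_lnk(target, drive_type, serial, label, created, accessed, modified, size):
    """Constructed fixture: ShellLinkHeader + LinkInfo (VolumeID and LocalBasePath).
    No ID list, string data or extra data blocks; enough for the parser below."""
    base = target.encode("cp1252") + b"\x00"
    label_b = label.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<IIII", 16 + len(label_b), drive_type, serial, 16) + label_b
    vol_off = 28                                   # LinkInfoHeaderSize, no unicode offsets
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 28, 0x01, vol_off,
                            base_off, 0, suffix_off) + volume_id + base + b"\x00"
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_LINKINFO | IS_UNICODE,
                         0x20, dt_to_filetime(created), dt_to_filetime(accessed),
                         dt_to_filetime(modified), size, 0, 1, 0, 0, 0, 0)
    return header + link_info


def parse_lnk(data):
    """Header fields plus the LinkInfo volume and local path; network targets,
    string data and extra data blocks are not parsed."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags, _attrs, ct, at, wt, size = struct.unpack_from("<IIQQQI", data, 20)
    # these are the TARGET's MAC times as the shell recorded them (UTC), not the .lnk's own
    rec = {"created": filetime_to_dt(ct), "accessed": filetime_to_dt(at),
           "modified": filetime_to_dt(wt), "size": size, "target": ""}
    pos = 0x4C
    if flags & HAS_IDLIST:                         # skip the LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        li_size, _hdr, li_flags, vol_off, base_off, _cnrl, suffix_off = \
            struct.unpack_from("<IIIIIII", data, pos)
        li = data[pos:pos + li_size]
        if li_flags & 0x01:                        # VolumeIDAndLocalBasePath
            _vsz, dtype, serial, label_off = struct.unpack_from("<IIII", li, vol_off)
            rec["drive_type"] = DRIVE_TYPES.get(dtype, str(dtype))
            rec["volume_serial"] = f"{serial:08X}"
            rec["volume_label"] = cstr(li, vol_off + label_off)
            rec["target"] = cstr(li, base_off) + cstr(li, suffix_off)
    return rec


def triage_lnk(data, sensitive=("tradesecret", "customer", "cad"), system_drive="C:"):
    """Hash the shortcut and flag removable / non-system volumes and sensitive paths.
    The marker list and system drive letter are assumptions for this example."""
    rec = parse_lnk(data)
    rec["sha256"] = hashlib.sha256(data).hexdigest()
    t = rec["target"]
    rec["removable"] = rec.get("drive_type") == "removable"
    rec["non_system_volume"] = bool(t) and not t.upper().startswith(system_drive.upper())
    rec["sensitive"] = any(m in t.lower() for m in sensitive)
    return rec


def timeline(records):
    """Merge create/access/modify events from many shortcuts into one UTC order."""
    return sorted((r[k], k, r["target"]) for r in records
                  for k in ("created", "accessed", "modified"))


# constructed fixtures: a staged copy on removable E:, and an ordinary C: document
T0 = datetime(2026, 3, 2, 17, 40, tzinfo=timezone.utc)
FIXTURES = [
    build_lnk(r"E:\TradeSecrets\customer-list.xlsx", 2, 0x1A2B3C4D, "USB",
              T0, T0 + timedelta(minutes=12), T0 + timedelta(minutes=3), 482_311),
    build_lnk(r"C:\Users\user\Documents\timesheet.docx", 3, 0x9F00AB12, "OS",
              T0 - timedelta(days=40), T0 - timedelta(hours=2), T0 - timedelta(days=1), 20_480),
]

if __name__ == "__main__":
    recs = [triage_lnk(d) for d in FIXTURES]
    for r in recs:
        print(f'{r["target"]:45} {r["drive_type"]:9} {r["volume_serial"]} '
              f'removable={r["removable"]} sensitive={r["sensitive"]} sha256={r["sha256"][:12]}')
    for ts, event, target in timeline(recs):
        print(ts.isoformat(), event, target)
```

feed it real shortcuts with triage_lnk(open(path, "rb").read()) on the forensic copy, never the live profile. shortcuts whose target sits on a network share (CommonNetworkRelativeLink) or that carry only an ID list come back with an empty target and need a fuller parser such as LECmd; the volume serial and drive type are what let you tie an E: path to a specific stick even when the stick was never recovered.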
common false leads
- “no usb in dlp logs means no theft.” dlp only records what its agent inspected and what policy matched; a device class it did not cover or a sync client outside policy leaves no row. dlp blocks prove attempt; lnk and shellbag paths prove the subject opened trade secret directories on removable volumes.
- “they had legitimate access.” authorized access does not authorize copying to personal cloud or competitor staging paths.
- “the file is gone so we cannot prove it.” lnk targets, shellbags, and jump lists survive after the live copy is deleted — especially when mft shows a deleted-evidence gap.
- “printing is normal work.” confidential print job names on the secure queue in the departure window are exfil vectors, not routine output.
- “one shortcut is enough.” trade secret cases need correlated timeline — repo access, usb staging, cloud archive, and print within hours, not isolated artifacts.
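Step 8 and the “printing is normal work” lead both rest on what an office file records about its own printing. As an added example, not the page's extractor, the block below reads cp:lastPrinted from docProps/core.xml and Pages from docProps/app.xml, and, where the package carries a printerSettings DEVMODE part as xlsx files do, the printer device name, orientation and paper size from the fixed DEVMODEW header offsets. The two packages are constructed in memory for the example; the device name and timestamps are fixture values, not from the page.

```python
import io
import struct
import zipfile
import xml.etree.ElementTree as ET

CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
AP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
PAPER = {1: "letter", 5: "legal", 8: "a3", 9: "a4"}      # common DMPAPER_* values
ORIENT = {1: "portrait", 2: "landscape"}                 # DMORIENT_*


def build_devmode(device, paper_size, orientation):
    """Constructed DEVMODEW: dmDeviceName is 32 WCHARs at offset 0; dmSpecVersion,
    dmDriverVersion, dmSize, dmDriverExtra, dmFields fill 64..76; then
    dmOrientation at 76 and dmPaperSize at 78."""
    name = device.encode("utf-16-le").ljust(64, b"\x00")
    fixed = struct.pack("<HHHHI", 0x0401, 0x0600, 220, 0, 0x3)   # DM_ORIENTATION|DM_PAPERSIZE
    paper = struct.pack("<hhhhhhhh", orientation, paper_size, 0, 0, 100, 1, 7, -4)
    return (name + fixed + paper).ljust(220, b"\x00")             # sizeof(DEVMODEW) == 220


def build_office_doc(last_printed, pages, devmode=None):
    """Constructed OOXML package carrying only the parts this extractor reads."""
    core = (f'<cp:coreProperties xmlns:cp="{CP_NS}">'
            f'<cp:lastPrinted>{last_printed}</cp:lastPrinted></cp:coreProperties>')
    app = f'<Properties xmlns="{AP_NS}"><Pages>{pages}</Pages></Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        if devmode is not None:
            z.writestr("xl/printerSettings/printerSettings1.bin", devmode)
    return buf.getvalue()


def extract_print_metadata(blob):
    """lastPrinted and page count from docProps; device/paper from any DEVMODE part."""
    out = {"last_printed": None, "pages": None, "devices": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            el = ET.fromstring(z.read("docProps/core.xml")).find(f"{{{CP_NS}}}lastPrinted")
            out["last_printed"] = el.text if el is not None else None
        if "docProps/app.xml" in names:
            el = ET.fromstring(z.read("docProps/app.xml")).find(f"{{{AP_NS}}}Pages")
            out["pages"] = int(el.text) if el is not None and el.text else None
        for name in sorted(names):
            if "/printerSettings/" not in name or not name.endswith(".bin"):
                continue
            dm = z.read(name)
            if len(dm) < 80:                       # too short to hold dmPaperSize
                continue
            device = dm[:64].decode("utf-16-le", "replace").split("\x00", 1)[0]
            orientation, paper = struct.unpack_from("<hh", dm, 76)
            out["devices"].append({"part": name, "device": device,
                                   "orientation": ORIENT.get(orientation, str(orientation)),
                                   "paper": PAPER.get(paper, str(paper))})
    return out


# constructed fixtures: a workbook printed to a named queue, and a docx with no DEVMODE part
PRINTED_XLSX = build_office_doc("2026-03-02T18:05:00Z", 14,
                                build_devmode("Secure Print Queue", 9, 1))
PLAIN_DOCX = build_office_doc("2026-03-01T09:00:00Z", 2)

if __name__ == "__main__":
    for label, blob in (("xlsx", PRINTED_XLSX), ("docx", PLAIN_DOCX)):
        print(label, extract_print_metadata(blob))
```

lastPrinted is written only when the document is saved after printing; a file printed and closed without saving keeps the previous value or none, so a missing property does not contradict a 307 event, it just means the document cannot corroborate it on its own. word docx packages normally carry no printerSettings part, which is why the docx fixture yields an empty devices list and the printer name for a docx print has to come from the spooler side.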
what we can tell you, what we can't
we can tell you:
- lnk target paths, mac times, and volume serials for staged trade secret files
- unified lnk timeline across multiple shortcuts in the departure window
- deleted-evidence flags when lnk targets are absent from partial mft exports
- shellbag and jump list paths corroborating explorer and application access
- jump list interaction counts and cloud-path flags on archive files
- print spool job names, page counts, and printer unc paths from shd and evtx
- embedded print metadata from office documents that were physically printed
we can't tell you:
- recover file content from deleted usb copies — we analyze metadata and path artifacts, not full carving
- prove the competitor received the files without their cloud audit or your dlp exports
- determine trade secret status under law — that is counsel and classification review
- replace a forensic disk image or chain-of-custody sign-off
- attribute motive. artifacts show actions; hr interviews show why
handing it off
- employment counsel: lnk timeline, shellbag/jump list path manifest, print job summary, deleted-evidence flags, and preserved disk image hash.
- outside forensic firm: full disk image, ntuser/usrclass hives, spool exports, evtx copies, and path outputs as csv/json attachments.
- law enforcement / civil discovery: representative lnk set, printed docx with embedded metadata, and quantified sensitive path access — not just “employee was leaving.”
further reading
reference investigation
synthetic fixture hughes-trade-secret-theft — Hughes Biotech case HBT-TS-2026-0552 on R. Navarro (E-55201) copying customer list + CAD source to removable E: and personal Dropbox before competitor exit. lnk timeline, shellbags, jump lists, confidential print jobs, and deleted usb mft gap. seed hughes-trade-secret-theft:v1. compare output via npm run check:flagship.
fixture download: evidence zip · proof page: /forensics/proof/hughes-trade-secret-theft · case playbook: case type tools