fatcousin
// reference investigation

hughes-trade-secret-theft — USB/CAD exfil before competitor exit

Hughes Biotech HBT-TS-2026-0552 on R. Navarro (E-55201) copying customer-list.xlsx + HughesCAD core.dll to E: and personal cloud · shellbags/jump lists · LNK deleted-target correlation · confidential print job. Fully synthetic.

what this proves

  • all eight trade-secret-theft primary engines produce deterministic, fixture-locked output — verified by npm run check:flagship (280/280 fleet · 8 for this scenario).
  • every output is generated 100% locally in your browser — image the workstation, never upload HR data.
  • usb/cad exfil paths, lnk deleted-target gaps on E:, shellbags and jump list corroboration, and confidential print jobs surface without sending evidence to a server.

primary engines locked to this fixture

build the case binder

runs all eight primary engines on the synthetic evidence zip and opens a self-contained html binder. uses the default binder renderer for trade-secret-theft — no upload.

runs all 8 primary engines locally on the synthetic evidence zip · opens a self-contained html binder · no upload

download the synthetic evidence

MIT-licensed, fully synthetic. includes usb and repo lnk shortcuts, lecmd batch export, partial mft with deleted usb targets, usrclass shellbags, explorer jump lists, print spool shd, print service evtx, and printed docx with embedded printer metadata.

download evidence zip →download goldens zip →run this kit in your browser →

built deterministically from scripts/fixtures/build-hughes-trade-secret-theft.mjs. seed: hughes-trade-secret-theft:v1.

methodology

trade secret theft is sequence — repo access, then usb staging, then cloud archive. walk lnk deep analyzer → lnk timeline correlator → lnk batch timeline correlator → shellbags analyzer → jump list parser → jumplist deep correlator → print spool forensics → document print history extractor. R. Navarro copied customer-list.xlsx and HughesCAD core.dll to E: before the competitor exit — lnk targets survive after the usb copy is deleted. read the full trade secret / IP theft guide →

after the playbook

run each primary locally — or export findings from the binder — then drop every csv/json into fatcousin-multi-tool-super-timeline-correlator. one timestamp-sorted timeline across lnk usb staging, shellbags/jump list corroboration, and confidential print job — still zero upload.

methodology articletrade secret playbookforensics home

synthetic scenario only · no real employee · no real IP · grading rubric

ready