kline-insider-exfil — departing engineer IP theft
Kline Robotics engineer jchen staged IP exfiltration in his final three weeks — USB copies, cross-department file access, copy-paste to personal email, and credential reuse onto admin file shares. Fully synthetic.
what this proves
- all eight insider-threat primary engines produce deterministic, fixture-locked output — verified by npm run check:flagship (280/280 fleet · 8 for this scenario).
- every output is generated 100% locally in your browser — export audit logs, never upload HR data.
- peer outliers, departure-window file access spikes, USB and cloud exfil paths, copy-paste chains, and lateral credential reuse surface without sending evidence to a server.
primary engines locked to this fixture
build the case binder
runs all eight primary engines on the synthetic evidence zip and opens a self-contained html binder. uses the default binder renderer for insider-threat — no upload.
download the synthetic evidence
MIT-licensed, fully synthetic. includes activity audit csv, Windows event ID 4663 file access export, peer activity baselines, logon timeline and session evtx, clipboard/DLP copy events, and credential harvest plus lateral logon chain.
built deterministically from scripts/fixtures/build-kline-insider-exfil.mjs. seed: kline-insider-exfil:v1.
methodology
insider threat is rarely a single stolen file — it is a departure-window pattern. score composite risk first, then walk data access anomaly → peer comparison → time-of-day fingerprint → behavior baseline → copy-paste forensics → workstation affinity → credential lateral movement. jchen looked normal in isolation but was a 4x outlier vs firmware peers. read the full insider threat / data exfiltration guide →
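the peer comparison step above, as an added example that is not the project's engine code: it scores one user's mean daily file accesses inside a departure window against the median of same-department peers, using a constructed daily-count csv (columns user,dept,date,file_accesses are an assumption, not the fixture's schema).

```javascript
// Added example (not kline-insider-exfil's own engine): departure-window peer outlier check.
// Constructed sample: one row per user per day with that day's file-access count.
const SAMPLE_CSV = `user,dept,date,file_accesses
jchen,firmware,2024-05-06,42
jchen,firmware,2024-05-07,45
jchen,firmware,2024-05-08,210
jchen,firmware,2024-05-09,190
mlee,firmware,2024-05-06,40
mlee,firmware,2024-05-07,44
mlee,firmware,2024-05-08,46
mlee,firmware,2024-05-09,41
rpatel,firmware,2024-05-06,38
rpatel,firmware,2024-05-07,50
rpatel,firmware,2024-05-08,47
rpatel,firmware,2024-05-09,44`;

function parseCsv(text) {
  const [header, ...rows] = text.trim().split("\n");
  const cols = header.split(",");
  return rows.map((r) => Object.fromEntries(r.split(",").map((v, i) => [cols[i], v])));
}

function median(xs) {
  const s = [...xs].sort((a, b) => a - b);
  const m = s.length >> 1;
  return s.length % 2 ? s[m] : (s[m - 1] + s[m]) / 2;
}

// Mean daily accesses per user over rows whose ISO date falls in [from, to].
function meanPerUser(rows, from, to) {
  const acc = new Map();
  for (const r of rows) {
    if (r.date < from || r.date > to) continue;
    const e = acc.get(r.user) || { dept: r.dept, sum: 0, n: 0 };
    e.sum += Number(r.file_accesses); e.n += 1;
    acc.set(r.user, e);
  }
  return new Map([...acc].map(([u, e]) => [u, { dept: e.dept, mean: e.sum / e.n }]));
}

// Ratio of the subject's window mean to the median window mean of same-dept peers.
// Threshold 4x mirrors the "4x outlier vs firmware peers" finding in the write-up.
function peerOutlier(rows, user, from, to, threshold = 4) {
  const means = meanPerUser(rows, from, to);
  const subject = means.get(user);
  if (!subject) return null; // user has no rows in the window
  const peers = [...means].filter(([u, e]) => u !== user && e.dept === subject.dept).map(([, e]) => e.mean);
  const peerMedian = median(peers);
  const ratio = subject.mean / peerMedian;
  return { user, mean: subject.mean, peerMedian, ratio, outlier: ratio >= threshold };
}
```

scored over the two pre-window days jchen sits at roughly 1x his peers; over the last two days he is above 4x, which is the departure-window spike the composite score is meant to surface.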
after the playbook
run each primary locally — or export findings from the binder — then drop every csv/json into fatcousin-multi-tool-super-timeline-correlator. one timestamp-sorted timeline across departure-window access spikes, copy-paste exfil, and credential lateral movement — still zero upload.