// reference investigation

park-disgruntled-exit — last-day endpoint sabotage

Jordan Park on WS-PARK ran a last-day sabotage chain: mass renames, SDelete/cipher wipes, registry and task/service cleanup, Chrome history gap, and PowerShell Clear-History. Fully synthetic.

what this proves

  • all eight disgruntled-exit primary engines produce deterministic, fixture-locked output — verified by npm run check:flagship (280/280 fleet · 8 for this scenario).
  • every output is generated 100% locally in your browser — export MFT, EVTX, and history CSVs offline, never upload endpoint images.
  • mass .gone rename bursts, SDelete and cipher wipe signatures, registry and task/service deletion bursts, Chrome history gaps, and PowerShell Clear-History surface without sending evidence to a server.

primary engines locked to this fixture

build the case binder

runs all eight primary engines on the synthetic evidence zip and opens a self-contained html binder. uses the default binder renderer for disgruntled exit — no upload.


download the synthetic evidence

MIT-licensed, fully synthetic. includes project directory listing, unallocated slack dump, MFT shred remnants, Security 4688 process timeline, registry and task/service deletion exports, Chrome visit and URL extracts, and sparse PSReadLine plus 4104 script block logs.

built deterministically from scripts/fixtures/build-park-disgruntled-exit.mjs. seed: park-disgruntled-exit:v1.

methodology

sabotage starts visible — mass rename burst anchors the WS-PARK clock, then slack wipe and MFT shred remnants, registry and task/service anti-forensics bursts, and browser plus PowerShell history clears cap the chain. read the full disgruntled employee exit guide →
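The chain above is anchored on two artefact-level signals: a cluster of renames to a `.gone` suffix within a short window, and a stretch of Chrome history with no visits that covers the burst. The script below is an added illustration, not part of the scenario fixture or the project's engines: it runs a burst heuristic over a constructed MFT-style rename export, a gap heuristic over constructed Chrome `visit_time` values (which Chrome stores as microseconds since 1601-01-01 UTC), and then reports gaps that contain a burst. The record layouts, thresholds and sample times are assumptions chosen for the example.

```python
"""Burst and gap heuristics over constructed endpoint artefacts (added example)."""
from datetime import datetime, timedelta, timezone

# Chrome's history database counts microseconds from 1601-01-01 UTC (WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=int(us))


def datetime_to_webkit(dt: datetime) -> int:
    return int((dt - WEBKIT_EPOCH) / timedelta(microseconds=1))


def parse_iso(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def find_rename_bursts(renames, suffix=".gone", window_s=60, min_count=5):
    """Cluster renames whose new name ends with `suffix`.

    A cluster breaks when consecutive events are more than `window_s` apart;
    clusters with at least `min_count` events are returned as (start, end, count).
    """
    hits = sorted(parse_iso(ts) for ts, _old, new in renames if new.endswith(suffix))
    bursts, cluster = [], []
    for t in hits:
        if cluster and (t - cluster[-1]).total_seconds() > window_s:
            if len(cluster) >= min_count:
                bursts.append((cluster[0], cluster[-1], len(cluster)))
            cluster = []
        cluster.append(t)
    if len(cluster) >= min_count:
        bursts.append((cluster[0], cluster[-1], len(cluster)))
    return bursts


def find_history_gaps(visit_times_webkit, max_gap_h=2.0):
    """Return (last_visit_before, first_visit_after) pairs separated by more than max_gap_h."""
    ts = sorted(webkit_to_datetime(v) for v in visit_times_webkit)
    return [(a, b) for a, b in zip(ts, ts[1:]) if (b - a) > timedelta(hours=max_gap_h)]


def correlate(bursts, gaps):
    """Gaps that fully contain a rename burst: history was cleared after the burst."""
    return [(g, b) for g in gaps for b in bursts if g[0] <= b[0] and b[1] <= g[1]]


# Constructed sample data (assumption): two scattered renames earlier in the day,
# one unrelated rename, then six `.gone` renames within 30 seconds.
RENAMES = [
    ("2024-03-29T09:10:00Z", "proj/old.txt", "proj/old.txt.gone"),
    ("2024-03-29T12:05:00Z", "proj/draft.md", "proj/draft.md.gone"),
    ("2024-03-29T16:39:50Z", "proj/notes.txt", "proj/notes-final.txt"),
] + [
    (f"2024-03-29T16:40:{1 + 6 * i:02d}Z", f"proj/file{i}.docx", f"proj/file{i}.docx.gone")
    for i in range(6)
]

# Constructed Chrome visit_time values: a normal working day, then nothing
# between 14:20 and 16:58, which spans the 16:40 rename burst.
VISITS = [
    datetime_to_webkit(parse_iso(t))
    for t in ("2024-03-29T09:02:00Z", "2024-03-29T09:15:00Z", "2024-03-29T10:30:00Z",
              "2024-03-29T11:45:00Z", "2024-03-29T13:05:00Z", "2024-03-29T14:20:00Z",
              "2024-03-29T16:58:00Z")
]


def analyse():
    bursts = find_rename_bursts(RENAMES)
    gaps = find_history_gaps(VISITS)
    return bursts, gaps, correlate(bursts, gaps)


if __name__ == "__main__":
    bursts, gaps, linked = analyse()
    for s, e, n in bursts:
        print(f"rename burst: {n} .gone renames {s.isoformat()} -> {e.isoformat()}")
    for a, b in gaps:
        print(f"history gap : {a.isoformat()} -> {b.isoformat()}")
    for g, b in linked:
        print(f"burst at {b[0].time()} sits inside history gap {g[0].time()}-{g[1].time()}")
```

The `window_s` and `min_count` defaults are deliberately loose; on a real export they should be tuned against the host's normal rename rate, and a gap is only meaningful on a day where the profile was otherwise active, which is why the gap check runs over the whole day's visits rather than a fixed shift.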

after the playbook

run each primary locally — or export findings from the binder — then drop every csv/json into fatcousin-multi-tool-super-timeline-correlator. one timestamp-sorted timeline across mass rename burst, slack wipe, MFT shred remnants, and anti-forensics clears — still zero upload.
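Merging the engines' exports into one timeline mostly comes down to timestamp normalisation, because each source encodes time differently: MFT exports commonly carry Windows FILETIME (100-nanosecond ticks since 1601-01-01), Chrome carries WebKit microseconds since the same epoch, and Security 4688 exports carry ISO 8601 strings. The script below is an added example and not the correlator's own code; the three CSV snippets, their column names and the event text are constructed for the illustration.

```python
"""Normalise three constructed exports to UTC and merge them into one timeline (added example)."""
import csv
import io
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_filetime(ticks: str) -> datetime:
    # FILETIME: 100 ns ticks since 1601-01-01 UTC; integer division keeps microseconds.
    return EPOCH_1601 + timedelta(microseconds=int(ticks) // 10)


def from_webkit(us: str) -> datetime:
    # Chrome history: microseconds since 1601-01-01 UTC.
    return EPOCH_1601 + timedelta(microseconds=int(us))


def from_iso(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed exports (assumption): one row each, with the encodings above.
MFT_CSV = """filetime,old_name,new_name
133562040010000000,proj/spec.docx,proj/spec.docx.gone
"""
CHROME_CSV = """visit_time,url
13356204061000000,chrome://settings/clearBrowserData
"""
SECURITY_4688_CSV = """time_created,new_process_name,command_line
2024-03-29T16:42:30Z,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,powershell.exe -Command Clear-History
"""

# (source tag, csv text, timestamp column, converter, row -> event description)
SOURCES = [
    ("mft", MFT_CSV, "filetime", from_filetime,
     lambda r: f"rename {r['old_name']} -> {r['new_name']}"),
    ("chrome", CHROME_CSV, "visit_time", from_webkit,
     lambda r: f"visit {r['url']}"),
    ("security", SECURITY_4688_CSV, "time_created", from_iso,
     lambda r: f"4688 {r['new_process_name']} :: {r['command_line']}"),
]


def build_timeline():
    """Parse every source, normalise its timestamp to UTC, and sort the union."""
    rows = []
    for name, text, ts_col, convert, describe in SOURCES:
        for rec in csv.DictReader(io.StringIO(text)):
            rows.append({"ts": convert(rec[ts_col]), "source": name, "event": describe(rec)})
    return sorted(rows, key=lambda r: r["ts"])


def timeline_to_csv(timeline) -> str:
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["utc", "source", "event"])
    for r in timeline:
        w.writerow([r["ts"].isoformat(), r["source"], r["event"]])
    return out.getvalue()


if __name__ == "__main__":
    print(timeline_to_csv(build_timeline()), end="")
```

Keeping the converter next to each source, rather than guessing the encoding from the magnitude of the number, avoids silently mis-placing an event by centuries when an export mixes epochs; any source whose timestamp column is not recognised should fail loudly rather than be dropped from the merge.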

synthetic scenario only · no real employer · no real employee · grading rubric
