// first 10 minutes
disgruntled employee exit — quick-start
disgruntled exit — first 10 minutes. preserve the endpoint before it's returned. print this, check boxes, then run the primary tools.
checklist
- do not put the returned laptop back into service until forensic imaging is complete — reissuing or re-imaging it before imaging destroys recovery options.
- suspend but do not delete the departing employee's accounts — revoke access, preserve audit history.
- pull DLP alerts for the last 30 days of employment — elevated exfiltration risk in the notice period.
- export USB attach/detach events from Windows Event Log (System 2003/2004) for the employee's endpoint.
- export cloud sync client logs (Dropbox, Box, OneDrive) for the employee's account — upload volume in final days is a key signal.
- pull file access audit logs from file server and SharePoint for the last 30 days of employment.
- check for deliberate file deletion events — large-scale deletion in final days is a separate forensic track from exfiltration.
- pull IT ticketing records for the offboarding — note any access extension requests, key returns, and system access revocations.
- check for new personal GitHub, GitLab, or cloud storage accounts accessed from the corporate endpoint in the final weeks.
- begin the primary tool path below — disgruntled exit correlator and file deletion artifact analyzer.
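The log-pull steps above feed a correlation pass over the final days of employment. The following is an added example of that pass, not the page's own correlator: it assumes the exports have been flattened into one CSV with constructed columns (timestamp, event_type, detail), an assumed last day of employment of 2024-05-31, and illustrative thresholds for what counts as a spike against the employee's own 30-day baseline.

```python
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

# Signals the checklist asks for, keyed the way the per-day counters are stored.
SIGNALS = ("usb_attach", "cloud_bytes", "file_access", "file_delete")

# Constructed sample export, NOT real logs. Columns: timestamp, event_type, detail.
# event_type: usb_attach (detail = device label), cloud_upload (detail = bytes),
# file_access or file_delete (detail = path). Employment is assumed to end 2024-05-31.
SAMPLE_EXPORT = r"""timestamp,event_type,detail
2024-05-02T09:10:00,file_access,\\fs01\projects\roadmap.docx
2024-05-02T10:15:00,cloud_upload,120000
2024-05-06T11:00:00,file_access,\\fs01\projects\budget.xlsx
2024-05-09T14:30:00,cloud_upload,95000
2024-05-13T09:05:00,file_access,\\fs01\hr\handbook.pdf
2024-05-20T16:40:00,cloud_upload,150000
2024-05-28T08:55:00,usb_attach,sample-removable-disk
2024-05-28T09:00:00,file_access,\\fs01\projects\roadmap.docx
2024-05-28T09:01:00,file_access,\\fs01\projects\budget.xlsx
2024-05-28T09:02:00,file_access,\\fs01\projects\customers.csv
2024-05-29T18:20:00,cloud_upload,4200000000
2024-05-30T17:05:00,file_delete,\\fs01\projects\customers.csv
2024-05-30T17:06:00,file_delete,\\fs01\projects\roadmap.docx
2024-05-30T17:07:00,file_delete,\\fs01\projects\budget.xlsx
"""


def parse_events(text):
    """Parse the CSV export; add a date-typed 'day' field for bucketing."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["day"] = date.fromisoformat(row["timestamp"][:10])
        events.append(row)
    return events


def daily_metrics(events):
    """Per-day counters: USB attaches, bytes uploaded, files accessed, files deleted."""
    metrics = defaultdict(lambda: dict.fromkeys(SIGNALS, 0))
    for e in events:
        m = metrics[e["day"]]
        if e["event_type"] == "cloud_upload":
            m["cloud_bytes"] += int(e["detail"])
        elif e["event_type"] in m:
            m[e["event_type"]] += 1
    return metrics


def correlate(events, last_day=date(2024, 5, 31), lookback_days=30, final_window_days=5):
    """Compare the final days of employment against the rest of the lookback period.

    The thresholds below are assumptions chosen for illustration, not from the page."""
    start = last_day - timedelta(days=lookback_days - 1)
    final_start = last_day - timedelta(days=final_window_days - 1)
    baseline_days = max((final_start - start).days, 1)
    baseline = dict.fromkeys(SIGNALS, 0)
    final = dict.fromkeys(SIGNALS, 0)
    in_window = (e for e in events if start <= e["day"] <= last_day)
    for day, m in daily_metrics(in_window).items():
        bucket = final if day >= final_start else baseline
        for k in SIGNALS:
            bucket[k] += m[k]

    findings = []
    # Removable media appearing only in the final window is itself a signal.
    if final["usb_attach"] and not baseline["usb_attach"]:
        findings.append("usb_attach_final_window_only")
    # Upload volume in the final days is the key cloud-sync signal: compare daily rates.
    base_rate = baseline["cloud_bytes"] / baseline_days
    if final["cloud_bytes"] / final_window_days > 10 * max(base_rate, 1):
        findings.append("cloud_upload_spike")
    # File-server access rate well above the employee's own baseline (with a floor
    # of three accesses so a single file open does not trip the rule).
    base_access = baseline["file_access"] / baseline_days
    if final["file_access"] >= 3 and final["file_access"] / final_window_days > 3 * base_access:
        findings.append("file_access_spike")
    # Deletion in the final days is a separate track from exfiltration.
    if final["file_delete"]:
        findings.append("bulk_deletion_final_window")
    return {"baseline": baseline, "final": final, "findings": findings}


if __name__ == "__main__":
    result = correlate(parse_events(SAMPLE_EXPORT))
    for k in SIGNALS:
        print(f"{k:12} baseline={result['baseline'][k]:>12} final={result['final'][k]:>12}")
    print("findings:", ", ".join(result["findings"]) or "none")
```

Each finding maps back to one checklist line (USB events, cloud sync volume, file access audit, deletion events), so a reviewer can go from the flagged signal to the raw export that produced it; the ratios are per-day rates so that a five-day final window is compared fairly against a 25-day baseline.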
primary tools
- 01 mass rename detector: drop a file listing or dir output · detect bulk renames within short time windows · flag ransomware extension patterns · visualize rename timeline · export CSV · runs locally
- 02 secure deletion detector: drop disk image · wipe patterns · zero, ff, aa55 fills · high entropy · sdelete and eraser hints · heat map · chunked worker scan · runs locally
- 03 file shredder remnant and signature scanner: drop MFT CSV, USN journal CSV, or file listing · detect execution artifacts of file shredding tools · identify sdelete, eraser, bleachbit, and cipher patterns · surface files that were securely deleted · runs locally
- 04 registry key deletion burst detector: drop registry transaction log or Security EVTX CSV · detect rapid bulk registry key deletion · identify scripted registry cleanup operations · surface anti-forensic registry wiping patterns · runs locally
- 05 scheduled task deletion and history clearing detector: drop Security, System, and Task Scheduler EVTX CSVs · detect scheduled task deletion · identify task history clearing · surface task creation followed by deletion indicating attacker cleanup · runs locally
- 06 service deletion burst detector: drop System EVTX CSV · detect rapid service deletion patterns · identify attacker persistence mechanism removal · surface service install-then-delete lifecycle indicating attack tool cleanup · runs locally
- 07 browser history clearing pattern detector: drop Chrome, Firefox, or Edge SQLite history DB CSV · detect history clearing events · identify gaps in browsing timeline · surface clearing timestamps and what was removed · runs locally
- 08 PowerShell history clearing detector: drop PowerShell Operational EVTX CSV or PSReadLine history file · detect cleared PowerShell command history · identify gaps in command execution record · surface anti-forensic PowerShell history manipulation · runs locally