// first 10 minutes
trade secret / IP theft — quick-start
trade secret theft — first 10 minutes. preserve evidence before the endpoint is wiped. print this, check off the boxes, then run the primary tools.
checklist
- do not reimage or wipe the departing employee's endpoint until forensic imaging is complete.
- suspend but do not delete the employee's accounts — SSO, email, GitHub, cloud storage, VPN.
- pull DLP alerts and audit logs for the user for the 90 days before departure — file copy, download, sync events.
- export email send logs for large attachments or personal-address forwards in the departure window.
- pull USB attach/detach events from Windows Event Log (System.evtx events 2003/2004) on the endpoint.
- export cloud storage sync client logs — Dropbox, Box, OneDrive, Google Drive transfer histories.
- identify all personal cloud and GitHub accounts the employee accessed from the corporate device — browser history artifacts.
- preserve HR off-boarding documentation and any nondisclosure, non-compete, or IP assignment agreements.
- note the scope of the alleged theft: file count, project names, customer lists, source code repos.
- begin the primary tool path below — DLP correlation engine and USB artifact analyzer.
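A worked correlation of the two evidence sources the checklist pulls, the USB attach/detach events and the DLP file-transfer log, as an added example; this is not the quick-start's own correlation engine. The input shapes (USB events as timestamp, event id, device id; DLP events as timestamp, user, action, path, bytes), the user name, device ids and timestamps are all constructed for illustration.

```python
"""Correlate DLP file-transfer events with USB attach/detach windows.

Added example; not the quick-start's own correlation engine. Assumed
input shapes: usb_events as (timestamp, event_id, device_id) with
2003 = attach and 2004 = detach; dlp_events as (timestamp, user,
action, path, bytes). All sample values below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

USB_ATTACH, USB_DETACH = 2003, 2004
TRANSFER_ACTIONS = {"copy", "write"}   # actions that move data; reads are ignored


@dataclass
class UsbWindow:
    device: str
    start: datetime
    end: Optional[datetime]   # None: still attached when the log ends


def build_usb_windows(usb_events):
    """Pair each attach with the next detach for the same device."""
    open_windows, windows = {}, []
    for ts, event_id, device in sorted(usb_events):
        if event_id == USB_ATTACH:
            open_windows[device] = ts
        elif event_id == USB_DETACH and device in open_windows:
            windows.append(UsbWindow(device, open_windows.pop(device), ts))
    # devices never detached stay open until the end of the log
    windows.extend(UsbWindow(d, s, None) for d, s in open_windows.items())
    return windows


def correlate(dlp_events, windows, slack=timedelta(minutes=2)):
    """Return DLP transfer events that fall inside (or within `slack` of) a USB window."""
    hits = []
    for ts, user, action, path, size in dlp_events:
        if action not in TRANSFER_ACTIONS:
            continue
        for w in windows:
            latest = w.end + slack if w.end else datetime.max
            if w.start - slack <= ts <= latest:
                hits.append({"time": ts, "user": user, "action": action,
                             "path": path, "bytes": size, "device": w.device})
    return hits


def bytes_per_device(hits):
    """Total bytes transferred while each device was attached."""
    totals = {}
    for h in hits:
        totals[h["device"]] = totals.get(h["device"], 0) + h["bytes"]
    return totals


# constructed sample evidence: two USB devices, four DLP events
DEV1 = r"USB\VID_0000&PID_0000\CONSTRUCTED-SERIAL-1"
DEV2 = r"USB\VID_0000&PID_0000\CONSTRUCTED-SERIAL-2"
USB_EVENTS = [
    (datetime(2024, 3, 11, 9, 2), USB_ATTACH, DEV1),
    (datetime(2024, 3, 11, 9, 41), USB_DETACH, DEV1),
    (datetime(2024, 3, 12, 17, 55), USB_ATTACH, DEV2),   # never detached
]
DLP_EVENTS = [
    (datetime(2024, 3, 10, 14, 0), "jdoe", "copy", r"\\fs01\eng\roadmap.xlsx", 120_000),
    (datetime(2024, 3, 11, 9, 15), "jdoe", "copy", r"E:\backup\customer_list.csv", 2_400_000),
    (datetime(2024, 3, 11, 9, 30), "jdoe", "read", r"C:\Users\jdoe\Documents\notes.txt", 10),
    (datetime(2024, 3, 12, 18, 10), "jdoe", "write", r"E:\src\repo.zip", 80_000_000),
]

if __name__ == "__main__":
    found = correlate(DLP_EVENTS, build_usb_windows(USB_EVENTS))
    for h in found:
        print(h["time"], h["action"], h["path"], h["bytes"], h["device"])
    print(bytes_per_device(found))
```

The first DLP event is dropped because no device was attached on 10 March, the read is dropped because it moves no data, and the write on 12 March is kept because the second device's window is still open when the log ends; the `slack` parameter absorbs clock skew between the endpoint log and the DLP server.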
primary tools
- 01 windows lnk deep analyzer: drop Windows .lnk shortcut files · parse full shell link structure · target path · command line · machine GUID · volume serial · timestamps · network share · tracker block · export CSV · runs locally
- 02 lnk timeline correlator: drop multiple Windows .lnk shortcuts · unified FILETIME timeline · machine GUID · volume serial · dedupe targets · CSV export · runs locally
- 03 lnk file batch timeline correlator: drop hundreds of .lnk shortcut files or .lnk CSV exports · build a single unified recently-accessed timeline · deduplicate · surface deleted source files · correlate access times across all shortcuts · runs locally
- 04 shellbags analyzer: drop a Windows registry hive · extract shellbag entries · folder browsing history · paths · timestamps · export CSV · runs locally
- 05 windows jump list parser: drop .automaticDestinations-ms or .customDestinations-ms · parse OLE structure · extract recently accessed files per app · timestamps · AppIDs · export CSV · runs locally
- 06 jump list cross-application timeline correlator: drop multiple JLECmd CSV exports · unified timeline · cross-app document access · network and removable flags · export CSV · runs locally
- 07 print spooler artifact forensic analyzer: drop SHD spool files, EVTX, CSV, or registry exports · print job history · PrintNightmare indicators · export CSV · runs locally
- 08 document hidden print history extractor: drop docx, xlsx, pptx, doc, xls, or ppt files · hidden print audit trail · printer name · print timestamp · page count · every print job · runs locally
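What the .lnk tools above extract comes straight from the MS-SHLLINK binary layout; the parser below is an added example (not any of the listed tools) that reads the shell link header timestamps, the LinkInfo volume serial and local base path, the string data, and the tracker block's machine ID. The shortcut it parses is constructed in code so the example runs offline; the path, serial, host name and timestamps in it are invented.

```python
"""Minimal Windows .lnk (MS-SHLLINK) parser: header timestamps, volume serial,
local base path, string data and tracker-block machine ID.

Added example, not one of the page's tools. The sample shortcut built by
build_sample_lnk() is constructed; every value in it is invented."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon_location")]   # StringData order
TRACKER_SIG = 0xA0000003
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_filetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime; 0 means unset."""
    return None if ft == 0 else EPOCH + timedelta(microseconds=ft // 10)


def to_filetime(dt):
    return (dt - EPOCH) // timedelta(microseconds=1) * 10


def parse_lnk(data):
    size, clsid, flags, _attrs, ctime, atime, wtime, fsize = struct.unpack_from(
        "<I16sIIQQQI", data, 0)
    if size != 0x4C or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a shell link file")
    rec = {"created": from_filetime(ctime), "accessed": from_filetime(atime),
           "modified": from_filetime(wtime), "target_size": fsize}
    pos = 0x4C
    if flags & HAS_IDLIST:                       # skip LinkTargetIDList (u16 size prefix)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        li_size, _hdr, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x01:                      # VolumeIDAndLocalBasePath present
            _drive_type, serial = struct.unpack_from("<II", data, pos + vol_off + 4)
            rec["volume_serial"] = f"{serial:08X}"
            end = data.index(b"\x00", pos + base_off)
            rec["local_base_path"] = data[pos + base_off:end].decode("cp1252")
        pos += li_size
    for bit, name in STRING_FLAGS:               # each string: u16 char count, then chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            rec[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    while pos + 8 <= len(data):                  # ExtraData blocks until terminal (<4)
        bsize, sig = struct.unpack_from("<II", data, pos)
        if bsize < 4:
            break
        if sig == TRACKER_SIG:                   # MachineID: 16-byte NetBIOS name at +16
            rec["machine_id"] = data[pos + 16:pos + 32].split(b"\x00")[0].decode()
        pos += bsize
    return rec


def build_sample_lnk():
    """Construct a small but well-formed shortcut (all values invented)."""
    flags = HAS_LINKINFO | 0x08 | 0x10 | IS_UNICODE
    ct = to_filetime(datetime(2024, 3, 11, 9, 14, 7, tzinfo=timezone.utc))
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID.bytes_le, flags, 0x20,
                         ct, ct, ct, 2_400_000, 0, 1, 0, 0, 0, 0)
    path = b"E:\\backup\\customer_list.csv\x00"
    volume = struct.pack("<IIII", 24, 2, 0x1A2B3C4D, 16) + b"USBDISK\x00"
    vol_off, base_off = 0x1C, 0x1C + len(volume)
    suffix_off = base_off + len(path)
    linkinfo = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 1, vol_off, base_off, 0,
                           suffix_off) + volume + path + b"\x00"

    def sd(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    tracker = (struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0)
               + b"WS-CONSTRUCTED".ljust(16, b"\x00") + bytes(64))
    return header + linkinfo + sd(".\\customer_list.csv") + sd("E:\\backup") + tracker + b"\x00\x00\x00\x00"


if __name__ == "__main__":
    for k, v in parse_lnk(build_sample_lnk()).items():
        print(f"{k:16} {v}")
```

The volume serial and local base path recovered from LinkInfo are what let a shortcut on the endpoint be tied back to a specific removable drive, and the tracker block's machine ID shows which host created it; pointing `parse_lnk` at `open(path, "rb").read()` for a real shortcut works the same way, since the constructed sample only exercises the documented layout.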