Detection & Forensics

Technical guidance on how to identify insider activity through logs, forensic artifacts, system telemetry, and detection engineering practices.

James Weston

Detection & Forensics

Identifying Torrented Media via File Metadata and Naming Patterns

The presence of pirated or torrented media on organization-owned endpoints poses more than a compliance issue; it may signal broader behavioral drift, technical misuse, or active infringement. This article outlines how insider threat teams can detect potentially unlawfully obtained media through common naming patterns, file extensions, and forensic markers observed in endpoint telemetry and file activity logs. While possession alone may not prove intent to distribute or exfiltrate data, recurring indicators of pirated content can contribute to subject profiling, support investigations, and inform the Monthly Volume Infringement Review (MVIR). Downloaded media files originating from public torrent sources (especially when unapproved tools or...

Joshua Beaman

Detection & Forensics

Snipping Tool Artifacts of Visual Data Exfiltration

In insider threat cases involving data loss, a common assumption is that exfiltration occurs through conventional means: email, cloud uploads, removable media. However, some subjects bypass technical controls altogether by capturing data visually. The native Windows utility Snipping Tool provides one such method, enabling users to screenshot sensitive content directly from screen to file, often without triggering conventional DLP controls. Whether detected proactively or uncovered during post-incident triage, artifacts from Snipping Tool can serve as evidence of preparation or of the act of exfiltration itself, particularly in cases where intellectual property, personal data, or restricted documents are exposed visually. Despite its minimal interface,...