Insider Threat: Unauthorized Data Access and Exfiltration

Insider threat investigations require correlating file access patterns, folder navigation, cloud upload activity, and removable media usage across multiple forensic artifact types. IRFlow Timeline's Multi-Tab workspace lets you load MFT entries, ShellBags, browser history, and Jump Lists side by side, then use the Histogram to surface after-hours activity and Date Filters to isolate the suspect's notice period.

Features Used

  • Multi-Tab Workspace -- Load MFT, ShellBags, Browser History, and Jump Lists in parallel tabs
  • Histogram -- Identify after-hours and weekend activity spikes
  • Date Filters -- Narrow the timeline to the employee's notice period
  • Virtual Grid -- Browse and sort large artifact sets efficiently
  • Bookmarks and Tags -- Mark evidence of staging, access, and exfiltration
  • Color Rules -- Highlight sensitive paths, USB activity, and cloud uploads
  • Stacking -- Aggregate file extensions and destination paths
  • IOC Matching -- Flag known cloud storage and personal email domains
  • Export and Reports -- Produce a final evidence package

Background

A typical insider exfiltration case follows a predictable pattern: the subject accesses sensitive directories they may or may not be authorized to view, stages files to a local or removable location, and then transfers data out via USB, cloud storage, or personal email. The investigation window is usually the period between the employee's resignation or termination notice and their last day of access.

Artifact Sources

| Artifact | Source Tool / Path | What It Reveals |
|---|---|---|
| MFT ($MFT) | KAPE, FTK Imager | File creation, modification, and access timestamps on sensitive directories |
| ShellBags | Registry Explorer, SBECmd | Folder navigation history including network shares and removable media |
| Browser History | Hindsight, BrowsingHistoryView | Cloud storage uploads, personal webmail access, file transfer sites |
| Jump Lists | JLECmd | Recently accessed files, application usage, and automatic destination entries |
| USB Device Logs | Registry, setupapi.dev.log | USB device first-connect and last-connect timestamps |

TIP

Use KAPE Triage to collect all four artifact types in a single acquisition pass. Target the !SANS_Triage collection, which captures MFT, registry hives, browser databases, and Jump List files.

Investigation Steps

1. Define the Investigation Window with Date Filters

Before loading any data, establish the critical date range. If the employee submitted a two-week notice on 2026-01-12 and their last day was 2026-01-26, set the global Date Filter to that window.

  1. Open Filter Panel and set Start Date to 2026-01-12 and End Date to 2026-01-26.
  2. Apply the filter so all tabs respect the same time boundary.
  3. Consider extending the window one to two weeks earlier to capture any pre-notice reconnaissance.

2. Load Artifacts into a Multi-Tab Workspace

Open each artifact type in its own tab using Multi-Tab so you can pivot between them without losing context.

| Tab | File to Load | Parser |
|---|---|---|
| MFT | $MFT parsed via MFTECmd | MFTECmd CSV |
| ShellBags | SBECmd_Output.csv | SBECmd CSV |
| Browser History | BrowsingHistory.csv or Hindsight output | Browser History CSV |
| Jump Lists | AutomaticDestinations.csv from JLECmd | JLECmd CSV |

3. Configure Color Rules for Key Indicators

Set up Color Rules to visually flag activity categories at a glance.

| Color | Rule Pattern | Purpose |
|---|---|---|
| Red | \\FILESERVER\Finance, \\FILESERVER\HR, \\FILESERVER\Legal | Access to sensitive network shares |
| Orange | USB, Removable, E:\, F:\, G:\ | Removable media paths |
| Yellow | drive.google.com, dropbox.com, onedrive.live.com, wetransfer.com | Cloud storage and file transfer |
| Purple | gmail.com, outlook.com, yahoo.com, protonmail.com | Personal email services |

4. Analyze MFT for Sensitive File Access

In the MFT tab, filter for paths containing sensitive directory names to identify which files the subject touched.

  1. Use the search bar to filter for \\FILESERVER\Finance\Q4-Reports.
  2. Sort by LastAccessTime descending to see the most recent access first.
  3. Look for clusters of .xlsx, .pdf, and .docx files accessed in rapid succession -- this suggests bulk browsing rather than normal work activity.
  4. Check for files created in staging directories such as C:\Users\jdoe\Desktop\Backup or C:\Users\jdoe\Documents\Personal.

TIP

Use Stacking on the file extension column to quickly see the distribution of accessed file types. A sudden spike in .zip or .7z files during the notice period often indicates archive creation for exfiltration.
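As an added example (not IRFlow Timeline's own code), this Python script reproduces the extension stacking described in the tip on a constructed set of MFT rows and compares the notice period against the preceding 30 days. The sample paths, timestamps, and the NOTICE_START/NOTICE_END values are assumptions based on the dates used on this page.

```python
from collections import Counter
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Notice period used throughout this page (assumed values for the example).
NOTICE_START = datetime(2026, 1, 12)
NOTICE_END = datetime(2026, 1, 26, 23, 59, 59)

# Constructed MFT rows (path, creation timestamp); not from a real case.
SAMPLE_MFT = [
    ("\\\\FILESERVER\\Finance\\Q4-Reports\\Revenue-Forecast-2026.xlsx", "2026-01-05 10:12:00"),
    ("C:\\Users\\jdoe\\Documents\\Status.docx", "2026-01-06 09:30:00"),
    ("C:\\Users\\jdoe\\Documents\\Notes.docx", "2026-01-08 14:05:00"),
    ("C:\\Users\\jdoe\\Desktop\\Backup\\Q4-Data.zip", "2026-01-18 21:40:00"),
    ("C:\\Users\\jdoe\\Desktop\\Backup\\HR-Comp.7z", "2026-01-19 22:10:00"),
    ("C:\\Users\\jdoe\\Documents\\Memo.docx", "2026-01-20 11:00:00"),
    ("E:\\Transfer\\Finance-Export.7z", "2026-01-24 23:20:00"),
]

ARCHIVE_EXTS = {".zip", ".7z", ".rar"}


def stack_extensions(rows, start, end):
    """Stack (count) file extensions for rows whose timestamp lies in [start, end]."""
    counts = Counter()
    for path, ts in rows:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if start <= when <= end:
            counts[PureWindowsPath(path).suffix.lower() or "(none)"] += 1
    return counts


def archive_spike(rows, notice_start, notice_end, baseline_days=30):
    """Compare archive creation in the notice period with the preceding baseline window."""
    baseline_end = notice_start - timedelta(seconds=1)
    baseline = stack_extensions(rows, baseline_end - timedelta(days=baseline_days), baseline_end)
    notice = stack_extensions(rows, notice_start, notice_end)
    base_archives = sum(baseline[ext] for ext in ARCHIVE_EXTS)
    notice_archives = sum(notice[ext] for ext in ARCHIVE_EXTS)
    return {
        "baseline_archives": base_archives,
        "notice_archives": notice_archives,
        "spike": notice_archives > base_archives,  # flag for analyst review
        "notice_stack": dict(notice),
    }


if __name__ == "__main__":
    print(archive_spike(SAMPLE_MFT, NOTICE_START, NOTICE_END))
```

On the constructed rows the baseline window holds no archives while the notice period holds three, which is the spike pattern the tip describes.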

5. Review ShellBags for Folder Navigation Patterns

ShellBags record every folder a user opened in Explorer, even if the folder no longer exists or the network share is disconnected.

  1. Switch to the ShellBags tab.
  2. Filter for network paths: \\FILESERVER\.
  3. Look for navigation into directories the subject would not normally access for their role, such as:
    • \\FILESERVER\Finance\Q4-Reports\Board-Presentations
    • \\FILESERVER\HR\Compensation-Data
    • \\FILESERVER\Legal\Contracts\Vendor-Agreements
  4. Check for removable media paths like E:\Backup or F:\Export that indicate USB staging.
  5. Note the Last Interacted timestamps and bookmark entries that fall within the notice period.

6. Examine Browser History for Cloud Uploads

Cloud storage services are one of the most common exfiltration vectors for insiders.

  1. Switch to the Browser History tab.
  2. Apply IOC Matching with a list of cloud storage and personal email domains:
    • drive.google.com/upload
    • dropbox.com/home
    • onedrive.live.com
    • wetransfer.com
    • mail.google.com/mail/u/0/#compose
  3. Sort by timestamp and look for upload activity that correlates with the MFT file access times from Step 4.
  4. Pay attention to URL patterns that indicate file uploads versus normal browsing -- for example, drive.google.com/upload or dropbox.com/request.

Key browser history entries to flag:

| Timestamp | URL Pattern | Interpretation |
|---|---|---|
| 2026-01-18 21:43 | https://drive.google.com/upload | File upload to personal Google Drive |
| 2026-01-19 22:15 | https://www.dropbox.com/home/Work-Files | Dropbox folder creation and upload |
| 2026-01-22 20:07 | https://mail.google.com/mail/u/0/#compose | Personal Gmail with potential attachment |
| 2026-01-24 23:31 | https://wetransfer.com/uploads | Large file transfer via WeTransfer |

TIP

After-hours browser activity to cloud storage sites is one of the strongest indicators. Use the Histogram to see if these uploads cluster outside of the 08:00--17:00 business hours window.

7. Inspect Jump Lists for Recently Accessed Files

Jump Lists capture files opened through specific applications, providing a record of what the user worked with most recently.

  1. Switch to the Jump Lists tab.
  2. Filter for application IDs corresponding to file managers and archive tools (Explorer, 7-Zip, WinRAR).
  3. Look for entries pointing to sensitive paths or staging locations:
    • \\FILESERVER\Finance\Q4-Reports\Revenue-Forecast-2026.xlsx
    • C:\Users\jdoe\Desktop\Backup\Q4-Data.zip
    • E:\Transfer\Finance-Export.7z
  4. Cross-reference timestamps with MFT entries to confirm file copy operations.

8. Use the Histogram to Identify After-Hours Patterns

The Histogram aggregates activity across all loaded tabs by time, making it straightforward to spot unusual working patterns.

  1. Set the Histogram resolution to 1 hour.
  2. Look for activity spikes between 19:00 and 06:00 on weekdays, or any weekend activity.
  3. Click on a spike to filter the active tab to that time window.
  4. Compare the notice period histogram shape to the prior 30 days -- a dramatic increase in after-hours activity is a strong behavioral indicator.
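The following Python script is an added example (not IRFlow Timeline's own code) that ties Step 6 and Step 8 together: it applies the cloud-upload and personal-email IOC list to constructed browser history rows, keeps only the notice-period hits, tags each with its after-hours status, and buckets them at the 1-hour resolution used by the Histogram. The IOC path prefixes, the 08:00-17:00 business window, and the sample rows are assumptions derived from this page's tables.

```python
from collections import Counter
from datetime import datetime, time
from urllib.parse import urlparse

# IOC list from Step 6: host -> path prefixes that indicate upload/compose rather than browsing.
UPLOAD_IOCS = {
    "drive.google.com": ("/upload",),
    "www.dropbox.com": ("/home", "/request"),
    "onedrive.live.com": ("",),
    "wetransfer.com": ("",),
    "mail.google.com": ("/mail/u/0/",),
}
BUSINESS_START, BUSINESS_END = time(8, 0), time(17, 0)
NOTICE_START, NOTICE_END = datetime(2026, 1, 12), datetime(2026, 1, 26, 23, 59)

# Constructed browser history rows (timestamp, URL): the Step 6 table plus benign/daytime rows.
SAMPLE_HISTORY = [
    ("2026-01-13 10:05", "https://intranet.example/timesheet"),
    ("2026-01-15 14:20", "https://www.dropbox.com/login"),
    ("2026-01-18 21:43", "https://drive.google.com/upload"),
    ("2026-01-19 22:15", "https://www.dropbox.com/home/Work-Files"),
    ("2026-01-20 09:15", "https://onedrive.live.com/"),
    ("2026-01-22 20:07", "https://mail.google.com/mail/u/0/#compose"),
    ("2026-01-24 23:31", "https://wetransfer.com/uploads"),
]

def match_ioc(url):
    """Return the IOC host when both host and path prefix match, else None."""
    parsed = urlparse(url)
    prefixes = UPLOAD_IOCS.get(parsed.netloc.lower())
    if prefixes and any(parsed.path.startswith(p) for p in prefixes):
        return parsed.netloc.lower()
    return None

def is_after_hours(when):
    """True outside 08:00-17:00 on a weekday, or at any time on Saturday/Sunday."""
    return when.weekday() >= 5 or not (BUSINESS_START <= when.time() < BUSINESS_END)

def flag_uploads(rows, start=NOTICE_START, end=NOTICE_END):
    """Keep in-window rows that hit an IOC and tag each with its after-hours status."""
    flagged = []
    for ts, url in rows:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        ioc = match_ioc(url) if start <= when <= end else None
        if ioc:
            flagged.append({"when": when, "url": url, "ioc": ioc, "after_hours": is_after_hours(when)})
    return flagged

def hourly_histogram(flagged):
    """Bucket flagged rows by hour of day (the 1-hour resolution from Step 8)."""
    return Counter(entry["when"].hour for entry in flagged)
```

The Dropbox login page is deliberately not matched, illustrating the upload-versus-browsing distinction from Step 6, and the weekday 09:15 OneDrive hit is kept but not tagged after-hours.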

9. Correlate Across Tabs with Bookmarks

As you identify evidence in each tab, use Bookmarks and Tags to build a unified evidence trail.

| Tag | Use For |
|---|---|
| recon | ShellBag entries showing folder browsing of sensitive directories |
| staging | MFT entries showing file copies to Desktop, USB, or temp directories |
| exfil-cloud | Browser history entries for cloud upload activity |
| exfil-usb | MFT and Jump List entries referencing removable media paths |
| after-hours | Any bookmarked entry with a timestamp outside business hours |

10. Build the Exfiltration Timeline

Once all evidence is tagged, merge the bookmarked entries into a single consolidated tab.

  1. Use Merge Tabs to combine bookmarked rows from all four artifact tabs.
  2. Sort the merged view by timestamp to produce a chronological narrative.
  3. The resulting timeline should show a pattern similar to:
    • Reconnaissance: ShellBag entries for sensitive directories (early in the notice period).
    • Collection: MFT entries showing file access and local staging (mid-period).
    • Exfiltration: Browser uploads and USB file writes (late in the period, often after hours).
  4. Export the merged timeline for inclusion in your investigation report.

TIP

Save your workspace as a Session before exporting. This preserves all tab configurations, color rules, filters, and bookmarks so you can return to the analysis if legal counsel or HR requests additional review.

Key Indicators Summary

| Indicator | Artifact Source | What to Look For |
|---|---|---|
| Sensitive directory access | MFT, ShellBags | Paths like \\FILESERVER\Finance\*, \\FILESERVER\HR\* |
| Local staging | MFT, Jump Lists | Files copied to Desktop\Backup, Documents\Personal, temp folders |
| Archive creation | MFT | New .zip, .7z, .rar files in staging directories |
| USB device usage | MFT, ShellBags | Paths referencing E:\, F:\, or Removable Disk |
| Cloud upload activity | Browser History | URLs for Google Drive, Dropbox, WeTransfer, OneDrive |
| Personal email use | Browser History | Gmail, Outlook.com, Yahoo Mail, ProtonMail compose pages |
| After-hours activity | Histogram (all tabs) | Spikes outside 08:00--17:00 or on weekends |
| Bulk file access | MFT | Large clusters of file reads within short time windows |
