Covert Evidence Capture for Insider Threat

Preservation · P2 · 120 min
IR Analyst

Covertly capture and preserve evidence of insider threat activity without alerting the subject, ensuring forensic soundness and legal admissibility of all collected materials.

Actions

  1. Enable silent DLP monitoring on the suspect user: configure DLP policies in log-only mode (no block, no user notification) for all channels -- email, endpoint, cloud storage, USB, print
  2. Configure EDR to capture enhanced telemetry on the suspect endpoint without any user-visible indicator: enable full command-line logging, keylogging, clipboard capture, and screenshot on suspicious activity
  3. Preserve the cloud audit trail: export Azure AD sign-in logs, Unified Audit Log entries, OneDrive/SharePoint file access logs, and Teams/Slack message logs for the suspect user (past 90 days)
  4. Capture a forensic image of the suspect workstation covertly: schedule it during off-hours using remote imaging tools (F-Response, KAPE remote, or EDR live-response disk collection)
  5. Preserve email evidence: place a litigation hold on the suspect mailbox via the M365 Compliance Center and export mailbox content using eDiscovery (do NOT use In-Place Hold, which notifies the user)
  6. Document every evidence collection activity with timestamps, methods, and personnel involved, for chain of custody and employment law compliance

Queries

// KQL -- Covert monitoring: suspect user file access patterns
OfficeActivity
| where UserId == "<SUSPECT_UPN>"
| where TimeGenerated > ago(90d)
| where Operation in ("FileDownloaded","FileUploaded","FileSyncDownloadedFull","FileAccessed")
| summarize FileCount=count(), UniqueFiles=dcount(OfficeObjectId) by Operation, bin(TimeGenerated, 1d)
| sort by TimeGenerated desc

// KQL -- Suspect sign-in anomalies
SigninLogs
| where UserPrincipalName == "<SUSPECT_UPN>"
| where TimeGenerated > ago(90d)
| summarize SignInCount=count(), UniqueIPs=dcount(IPAddress), UniqueLocations=dcount(Location), UniqueApps=dcount(AppDisplayName) by bin(TimeGenerated, 1d)
| sort by TimeGenerated desc

# PowerShell -- Silent litigation hold (no user notification)
Set-Mailbox -Identity "<SUSPECT_UPN>" -LitigationHoldEnabled $true -LitigationHoldDuration 365
# Note: Litigation Hold does NOT notify the user. Do NOT use In-Place Hold.

Notes

  • All insider threat evidence collection must be coordinated with HR and legal counsel BEFORE execution
  • Covert evidence capture is subject to employment law, privacy regulations, and potentially union agreements -- ensure legal sign-off
  • Never modify or tamper with evidence: capture copies only and maintain cryptographic hashes of all collected materials
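Action 6 and the last note above call for a custody record (timestamps, method, personnel) plus cryptographic hashes of every collected item. The Python below is an added example, not part of this playbook: it appends one JSON-lines custody entry per collected file and re-verifies all hashes later to detect any post-collection change. The case id, collector name, file name and sample contents are constructed placeholders.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a multi-GB disk image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def record_item(manifest_path, evidence_path, collector, method, case_id):
    """Append one custody entry (case, item, hash, size, who, how, when) as a JSON line."""
    p = Path(evidence_path)
    entry = {"case_id": case_id, "item": p.name, "sha256": sha256_file(p),
             "size_bytes": p.stat().st_size, "collector": collector, "method": method,
             "collected_utc": datetime.now(timezone.utc).isoformat(timespec="seconds")}
    with open(manifest_path, "a", encoding="utf-8") as m:
        m.write(json.dumps(entry) + "\n")
    return entry

def verify_manifest(manifest_path, evidence_dir):
    """Re-hash every recorded item; return the names whose hash no longer matches."""
    mismatched = []
    with open(manifest_path, encoding="utf-8") as m:
        for line in m:
            entry = json.loads(line)
            if sha256_file(Path(evidence_dir) / entry["item"]) != entry["sha256"]:
                mismatched.append(entry["item"])
    return mismatched

def demo(work_dir=None):
    """Constructed walk-through: record a stand-in UAL export, verify, alter it, verify again."""
    work = Path(work_dir or tempfile.mkdtemp())
    item = work / "UAL_export.csv"
    item.write_text("CreationDate,UserId,Operation\n", encoding="utf-8")  # constructed sample
    manifest = work / "custody.jsonl"
    entry = record_item(manifest, item, "analyst-placeholder", "eDiscovery export", "CASE-PLACEHOLDER")
    clean = verify_manifest(manifest, work)          # [] : nothing altered since collection
    item.write_text("altered\n", encoding="utf-8")   # simulate a post-collection modification
    return {"work": work, "entry": entry, "clean": clean, "tampered": verify_manifest(manifest, work)}

if __name__ == "__main__":
    r = demo()
    print("clean run:", r["clean"], "| after alteration:", r["tampered"])
```

Keep the manifest itself under the same custody discipline (copy it to write-once storage and hash it) so the record cannot be edited after the fact.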