Nine Common Spoliation Patterns in Employment Litigation (And the Forensic Artifacts That Reveal Them)
Lance Sloves | May 11
By Lance Sloves, CCE | Computer Forensic Services, Inc. (CFSI)
In nearly every employment matter we work — wrongful termination, trade secret theft, non-compete enforcement, hostile work environment, FLSA disputes — the same question drives the forensic strategy: what did the custodian do with their data after they knew (or should have known) litigation was coming?
Spoliation in employment cases is rarely random. After more than two decades of examining devices in these matters, the patterns are remarkably consistent. Below are the nine we see repeatedly — including a new category driven by the rapid adoption of workplace AI tools — the forensic artifacts that expose them, and what attorneys should know before the preservation window closes.
1. Mass USB Activity in the Final Days of Employment
The single most common pattern. Departing employees connect external storage — thumb drives, portable SSDs, even encrypted enterprise USB devices — and copy customer lists, pricing files, CAD drawings, source code, or contact databases.
Forensic artifacts that reveal it:
- SYSTEM\CurrentControlSet\Enum\USBSTOR registry keys (vendor, product, serial number, first/last connection)
- setupapi.dev.log (initial device installation timestamps)
- Shellbags and BagMRU entries (folders viewed on the external device)
- LNK files in \Users\[user]\AppData\Roaming\Microsoft\Windows\Recent\
- JumpLists (\Microsoft\Windows\Recent\AutomaticDestinations\)
- Prefetch entries showing file copy utilities (xcopy.exe, robocopy.exe)
- $LogFile and $UsnJrnl:$J showing file system activity bursts
When the USB connection history shows three serial numbers never previously seen on the device, all connecting in the 72 hours before resignation, the inference is hard to rebut.
2. Cloud Exfiltration to Personal Accounts
OneDrive Personal, Google Drive, Dropbox, iCloud Drive, and personal Gmail are the modern equivalents of carrying out a banker's box. Employees sync corporate files to a personal cloud, then access them from their next employer's network.
What we look for on the endpoint:
- Browser history for personal cloud login URLs (drive.google.com, onedrive.live.com, dropbox.com)
- OneDrive/Dropbox client logs and SyncDiagnostics files
- Outlook auto-forward rules to personal addresses
- "Sent" folder entries with attachments to personal email
- Network artifacts: DNS cache, NetBIOS connections, Windows Event Log 4624/4634 patterns
- ShellBags showing browsing of cloud-mapped drives
What we sample from the Microsoft 365 Unified Audit Log:
The M365 Unified Audit Log is often the single most valuable evidentiary source in a corporate exfiltration matter — it captures user activity across Exchange Online, SharePoint Online, OneDrive for Business, and Teams in one queryable record. Examples of operations we sample include:
- OneDrive for Business: FileDownloaded, FileSyncDownloadedFull, FileAccessed, FileAccessedExtended, FileUploaded, and bulk FileDownloaded bursts from a single IP within a short window
- SharePoint Online: FileDownloaded, SharingSet, AnonymousLinkCreated, CompanyLinkCreated, SiteCollectionAdminAdded, and changes to permissions on document libraries during the relevant period
- Exchange Online: New-InboxRule and Set-InboxRule events (auto-forward and auto-delete rules), MailItemsAccessed, Send, SendAs, and mailbox export operations (New-MailboxExportRequest)
- Cross-workload signals: logins from unusual IPs or geographies, sudden client switches (browser to native client), and activity outside historical working hours
Default retention is 180 days for E3/Business Premium and 365 days for E5 — preservation requests to the tenant administrator should be issued the moment a matter is anticipated. Once the retention window passes, the activity record is unrecoverable.
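Two of the signals listed above, bulk FileDownloaded bursts from one IP and forwarding or deleting inbox rules, are easy to pull out of an exported audit log once the records are in hand. The following is an added example written for this article, not CFSI's own tooling or Microsoft's: the records are constructed in the shape of the AuditData JSON that Search-UnifiedAuditLog returns (only the fields used here), with invented user names, document paths and IPs from the TEST-NET documentation ranges.

```python
"""Sample Microsoft 365 Unified Audit Log records for two exfiltration signals:
bulk FileDownloaded bursts from one user/IP, and inbox rules that forward,
redirect or delete mail.

Added example, not CFSI's own tooling.  Records are constructed in the shape
of Search-UnifiedAuditLog AuditData (fields used here only); names and IPs
are invented."""
from collections import defaultdict
from datetime import datetime, timedelta


def _build_sample_records():
    records = []
    # 25 downloads from one IP in under seven minutes: the burst signature.
    burst_start = datetime(2024, 3, 11, 20, 5, 14)
    for i in range(25):
        records.append({
            "CreationTime": (burst_start + timedelta(seconds=17 * i)).isoformat(),
            "Operation": "FileDownloaded", "Workload": "OneDrive",
            "UserId": "jdoe@example.com", "ClientIP": "203.0.113.45",   # constructed (TEST-NET-3)
            "ObjectId": f"https://example-my.sharepoint.com/personal/jdoe/Documents/Pricing/quote_{i:02d}.xlsx",
        })
    # Routine downloads on earlier days from the office IP: normal activity.
    for ts in ("2024-02-02T09:12:00", "2024-02-19T14:40:31", "2024-03-05T11:03:09"):
        records.append({
            "CreationTime": ts, "Operation": "FileDownloaded", "Workload": "OneDrive",
            "UserId": "jdoe@example.com", "ClientIP": "198.51.100.7",
            "ObjectId": "https://example-my.sharepoint.com/personal/jdoe/Documents/Status.docx",
        })
    # An inbox rule forwarding mail to a personal address and deleting the original.
    records.append({
        "CreationTime": "2024-03-11T19:58:02", "Operation": "New-InboxRule", "Workload": "Exchange",
        "UserId": "jdoe@example.com", "ClientIP": "203.0.113.45", "ObjectId": "jdoe",
        "Parameters": [{"Name": "Name", "Value": "Archive"},
                       {"Name": "ForwardTo", "Value": "jdoe.personal@example.net"},
                       {"Name": "DeleteMessage", "Value": "True"}],
    })
    # A benign rule that only files mail; it should not be reported.
    records.append({
        "CreationTime": "2024-01-15T08:20:45", "Operation": "New-InboxRule", "Workload": "Exchange",
        "UserId": "jdoe@example.com", "ClientIP": "198.51.100.7", "ObjectId": "jdoe",
        "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                       {"Name": "MoveToFolder", "Value": "Newsletters"}],
    })
    return records


SAMPLE_UAL_RECORDS = _build_sample_records()
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage")


def download_bursts(records, window_minutes=10, threshold=20):
    """Per user/IP, the densest window of FileDownloaded events if it reaches threshold."""
    by_key = defaultdict(list)
    for r in records:
        if r["Operation"] == "FileDownloaded":
            by_key[(r["UserId"], r["ClientIP"])].append(datetime.fromisoformat(r["CreationTime"]))
    window = timedelta(minutes=window_minutes)
    bursts = []
    for (user, ip), times in by_key.items():
        times.sort()
        best, j = None, 0
        for i in range(len(times)):            # two-pointer sliding window over sorted times
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            count = j - i
            if count >= threshold and (best is None or count > best["count"]):
                best = {"user": user, "client_ip": ip, "start": times[i], "end": times[j - 1], "count": count}
        if best:
            bursts.append(best)
    return bursts


def forwarding_rules(records):
    """Inbox rule creations/changes whose parameters forward, redirect or delete mail."""
    hits = []
    for r in records:
        if r["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: p["Value"] for p in r.get("Parameters", [])}
        flagged = {k: v for k, v in params.items() if k in FORWARDING_PARAMS}
        if flagged:
            hits.append({"user": r["UserId"], "time": r["CreationTime"], "rule": params.get("Name"), "flagged": flagged})
    return hits


if __name__ == "__main__":
    for b in download_bursts(SAMPLE_UAL_RECORDS):
        print(f'{b["user"]} from {b["client_ip"]}: {b["count"]} downloads {b["start"]:%H:%M:%S}-{b["end"]:%H:%M:%S}')
    for h in forwarding_rules(SAMPLE_UAL_RECORDS):
        print(f'{h["time"]} {h["user"]} rule "{h["rule"]}": {h["flagged"]}')
```

The window and threshold are starting points, not a standard; a reasonable baseline is the custodian's own download history over the preceding months, which the same grouping makes easy to tabulate. Note that the rule and the burst in the sample share a client IP and fall within minutes of each other, which is the kind of cross-workload alignment worth calling out in the timeline.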
3. Factory Reset or Reimage of Work Devices
The "scorched earth" pattern. The employee — or sometimes a complicit IT contact — wipes the device before it can be examined. On Apple devices (macOS and iOS), this leaves a particular signature.
iOS and macOS reset artifacts:
- The .obliterated file (timestamp of wipe initiation)
- mobile_installation.log and lockdown.log first-boot entries
- containermanagerd.log rebuild events
- purplebuddy.plist and device_values.plist setup timestamps
- UCRT keychain certificate creation bursts
- Unified logs showing Setup Assistant flow
A meaningful signal we look for: the gap between the wipe and first user setup. A legitimate "I'm returning the device" reset typically shows IT setup within hours. A consciousness-of-guilt reset often shows a multi-day gap, suggesting the user wiped, then waited, then handed it over. The timeline of these events, when properly extracted from the device, often becomes the strongest evidence in the matter.
4. Selective Text Message and iMessage Deletion
In harassment, retaliation, and discrimination cases, mobile communications are often the central evidence. Custodians who don't fully understand mobile forensics frequently delete individual threads or messages while leaving the rest intact, believing the deletions are unrecoverable.
What full file system extraction reveals:
- iOS sms.db ROWID gaps (sequential primary keys with missing values indicate deletion)
- WAL (Write-Ahead Log) and SHM journal entries containing pre-deletion records
- KnowledgeC.db application usage patterns around deletion timestamps
- Biome streams showing message activity
- iCloud message backup deltas
A logical-only extraction will not show ROWID gaps. This is why our standard methodology requires full file system extraction (Cellebrite UFED Premium, Magnet Verakey) on every mobile matter — not merely a logical or advanced logical pull. ROWID gap analysis can establish both the fact of deletion and, often, an approximate count of deleted records — a powerful combination when paired with the producing party's representation that "nothing was deleted."
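The ROWID gap analysis described above, as an added example written for this article rather than CFSI's methodology or any vendor tool. The table is built in memory with the property that matters in the real sms.db message table: ROWID is an INTEGER PRIMARY KEY AUTOINCREMENT, so SQLite never reuses a deleted ROWID and the high-water mark survives in sqlite_sequence. Dates follow the iOS 11+ convention of nanoseconds since 2001-01-01 UTC; the messages and their times are invented.

```python
"""ROWID gap analysis on an sms.db-style message table.

Added example, not CFSI's own tooling.  Constructed table mirrors the key
property of the iOS sms.db 'message' table (AUTOINCREMENT ROWID, never
reused); dates are nanoseconds since 2001-01-01 UTC as on iOS 11+."""
import sqlite3
from datetime import datetime, timedelta, timezone

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def to_apple_ns(dt):
    """Whole seconds only, kept as an int so no float precision is lost."""
    return int((dt - APPLE_EPOCH).total_seconds()) * 1_000_000_000


def from_apple_ns(ns):
    return APPLE_EPOCH + timedelta(microseconds=ns // 1000)


def build_sample_db():
    """In-memory stand-in for sms.db: 12 messages inserted, then ROWIDs 5-7, 10 and 12 deleted."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY AUTOINCREMENT, "
                "handle_id INTEGER, text TEXT, date INTEGER, is_from_me INTEGER)")
    first = datetime(2024, 3, 11, 18, 0, tzinfo=timezone.utc)   # constructed
    for i in range(12):                                         # one message every ten minutes
        con.execute("INSERT INTO message (handle_id, text, date, is_from_me) VALUES (?, ?, ?, ?)",
                    (1, f"constructed message {i + 1}", to_apple_ns(first + timedelta(minutes=10 * i)), i % 2))
    con.execute("DELETE FROM message WHERE ROWID IN (5, 6, 7, 10, 12)")
    con.commit()
    return con


def rowid_gaps(con, table="message"):
    """Gaps in the ROWID sequence, each bracketed by the surviving neighbours' timestamps."""
    rows = con.execute(f"SELECT ROWID, date FROM {table} ORDER BY ROWID").fetchall()
    gaps = []
    for (prev_id, prev_date), (cur_id, cur_date) in zip(rows, rows[1:]):
        if cur_id - prev_id > 1:
            gaps.append({"after_rowid": prev_id, "before_rowid": cur_id,
                         "missing": cur_id - prev_id - 1,
                         "from_time": from_apple_ns(prev_date), "to_time": from_apple_ns(cur_date)})
    return gaps


def trailing_missing(con, table="message"):
    """Rows deleted from the end of the table: sqlite_sequence high-water mark minus MAX(ROWID).
    A plain gap scan cannot see these because there is no surviving row after them."""
    seq = con.execute("SELECT seq FROM sqlite_sequence WHERE name = ?", (table,)).fetchone()[0]
    max_rowid = con.execute(f"SELECT MAX(ROWID) FROM {table}").fetchone()[0]
    return seq - max_rowid


def estimated_deletions(con, table="message"):
    return sum(g["missing"] for g in rowid_gaps(con, table)) + trailing_missing(con, table)


if __name__ == "__main__":
    con = build_sample_db()
    for g in rowid_gaps(con):
        print(f'{g["missing"]} record(s) missing between ROWID {g["after_rowid"]} '
              f'({g["from_time"]:%H:%M}) and {g["before_rowid"]} ({g["to_time"]:%H:%M})')
    print(f"trailing records missing: {trailing_missing(con)}; estimated deletions: {estimated_deletions(con)}")
```

The gap proves that rows with those ROWIDs existed and are gone, and the neighbouring timestamps bracket when the missing messages were sent. What the gap alone cannot show is when the deletion happened; that is where the WAL contents and the KnowledgeC.db usage records from the list above come in.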
5. Encrypted or Ephemeral Messaging App Usage
Signal, Telegram (secret chats), Wickr, Confide, and Snapchat. The presence of these apps on a corporate device — or installed/uninstalled around the relevant period — is itself probative.
Artifacts that survive:
- App installation/uninstallation history (Plugins.plist, App Store receipts)
- KnowledgeC.db /app/inFocus records showing usage windows
- iOS Screen Time data
- Notification history (assertiond, ScreenTimeAgent)
- Push notification metadata (apsd logs)
- For Android: package installer logs, usage stats database
You may not recover the messages themselves, but you can prove the app was used during the relevant window — which often shifts the spoliation analysis under Rule 37(e).
6. Browser History, Recent Documents, and "Cleaner" Tool Activity
The hallmark of a custodian who Googled "how to delete forensic evidence" the night before the device was collected. CCleaner, BleachBit, Eraser, and similar tools leave their own footprints, even when they execute successfully.
What to look for:
- Prefetch entries for ccleaner.exe, bleachbit.exe, sdelete.exe
- Amcache and ShimCache execution records
- Installation artifacts in WMI repository
- Anomalous gaps in browser history, cookies, and cache
- Recycle Bin metadata ($I files) showing pre-deletion paths
- Volume Shadow Copies that predate the cleaning event
- Windows Search index (Windows.edb) historical entries
A clean browser history with intact OS-level artifacts elsewhere is itself an artifact.
7. Slack, Teams, and Discord Message Editing or Channel Departure
Modern workplace communication often lives entirely outside email. Custodians edit messages, delete them, or leave channels to terminate their access — sometimes assuming the records leave with them.
Where the evidence persists:
- Server-side audit logs (Slack Enterprise Grid, Microsoft 365 Unified Audit Log, Discord moderator logs)
- Local app caches (%AppData%\Slack\Cache\, %AppData%\Microsoft\Teams\)
- IndexedDB and LevelDB stores
- Mobile app caches retrievable via full file system extraction
- Notification history reflecting message content before deletion
- Email digest notifications quoting the original messages
The lesson: deletion at the client does not equal deletion at the server. A targeted preservation request to the platform within the litigation hold timeframe is essential.
8. Litigation-Hold-Triggered Behavior Changes
The most damning pattern of all. Within days — sometimes hours — of receiving a litigation hold notice or an EEOC charge, the custodian's behavior changes measurably.
Indicators we document:
- A spike in deletion activity in $UsnJrnl and $LogFile
- New retention policies created on inbox folders
- Auto-archive rules suddenly enabled
- Bulk message exports followed by deletion
- New encrypted messaging apps installed
- Cloud sync paused or disconnected
- Device passcodes changed (locking out IT)
- "Reset" or "Reinstall macOS / Windows" activity
When the hold notice timestamp aligns with a deletion burst on the custodian's device, the Zubulake and Phillip M. Adams analysis writes itself.
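Aligning the hold notice with a $UsnJrnl deletion burst is a timeline computation, shown here as an added example written for this article rather than CFSI's own tooling. The input is a constructed list of records in the form a $UsnJrnl:$J parser exports (timestamp, file name, reason bit mask); the reason flag values are the documented USN_REASON_* constants, and the hold-notice time, file names and counts are invented. The baseline is the custodian's own deletion rate in the two weeks before the notice, so the hours flagged are the ones that stand out against that custodian's normal activity.

```python
"""Align a litigation-hold timestamp with deletion bursts in an NTFS USN journal.

Added example, not CFSI's own tooling.  Records are constructed in the form a
$UsnJrnl:$J parser exports; reason flags use the documented USN_REASON_* values."""
from collections import Counter
from datetime import datetime, timedelta

USN_REASON = {                       # subset of the documented USN_REASON_* flags
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x80000000: "CLOSE",
}
FILE_DELETE, CLOSE = 0x200, 0x80000000
HOLD_NOTICE = datetime(2024, 3, 11, 14, 32)    # constructed: when the hold notice was received


def describe_reason(reason):
    return [name for bit, name in sorted(USN_REASON.items()) if reason & bit]


def _build_sample_records():
    records = []
    # Baseline: one deletion every eight hours over the preceding 14 days.
    for i in range(1, 43):
        records.append({"timestamp": HOLD_NOTICE - timedelta(hours=8 * i),
                        "filename": f"~$draft_{i}.tmp", "reason": FILE_DELETE | CLOSE})
    # Burst 1: 180 deletions starting at 21:00 the evening the hold arrived.
    for i in range(180):
        records.append({"timestamp": datetime(2024, 3, 11, 21, 0) + timedelta(seconds=13 * i),
                        "filename": f"Projects/Client_{i:03d}.docx", "reason": FILE_DELETE | CLOSE})
    # Burst 2: 60 more an hour later.
    for i in range(60):
        records.append({"timestamp": datetime(2024, 3, 11, 22, 0) + timedelta(seconds=17 * i),
                        "filename": f"Downloads/export_{i:02d}.csv", "reason": FILE_DELETE | CLOSE})
    # Non-deletion activity in the same window, which must not be counted.
    for i in range(40):
        records.append({"timestamp": datetime(2024, 3, 11, 21, 5) + timedelta(seconds=30 * i),
                        "filename": "Downloads/notes.txt", "reason": 0x2 | CLOSE})
    return records


SAMPLE_USN_RECORDS = _build_sample_records()


def is_deletion(record):
    """The final journal record for a deleted file carries FILE_DELETE together with CLOSE;
    requiring both counts each deletion once rather than per intermediate record."""
    return record["reason"] & (FILE_DELETE | CLOSE) == (FILE_DELETE | CLOSE)


def deletions_per_hour(records):
    return Counter(r["timestamp"].replace(minute=0, second=0, microsecond=0)
                   for r in records if is_deletion(r))


def baseline_deletion_rate(records, hold_time, days=14):
    """Mean deletions per hour in the `days` before the hold notice."""
    start = hold_time - timedelta(days=days)
    n = sum(1 for r in records if is_deletion(r) and start <= r["timestamp"] < hold_time)
    return n / (days * 24)


def flag_deletion_bursts(records, hold_time, days=14, ratio=10, min_count=20):
    """Hours from the notice onward whose deletion count is >= min_count and >= ratio x baseline."""
    threshold = max(min_count, ratio * baseline_deletion_rate(records, hold_time, days))
    hold_hour = hold_time.replace(minute=0, second=0, microsecond=0)   # hour containing the notice is included
    return [{"hour": h, "deletions": n,
             "hours_from_hold": round((h - hold_time).total_seconds() / 3600, 1)}
            for h, n in sorted(deletions_per_hour(records).items()) if h >= hold_hour and n >= threshold]


if __name__ == "__main__":
    print(f"baseline: {baseline_deletion_rate(SAMPLE_USN_RECORDS, HOLD_NOTICE):.3f} deletions/hour")
    for b in flag_deletion_bursts(SAMPLE_USN_RECORDS, HOLD_NOTICE):
        print(f'{b["hour"]:%Y-%m-%d %H:00}  {b["deletions"]} deletions  ({b["hours_from_hold"]} h after hold notice)')
```

The same bucketing runs unchanged over $LogFile-derived events or over the deletion entries in a Recycle Bin $I listing; what makes the result persuasive is the baseline, because "180 deletions in an hour" means little until the report shows that the custodian's prior rate was one every eight hours.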
9. AI-Assisted Spoliation: Prompt History, Copilot Activity, and Generative Tool Use
The newest pattern — and one that is changing nearly every employment matter we touch in 2026. Workplace AI tools (Microsoft 365 Copilot, ChatGPT Enterprise, Claude for Work, Gemini for Workspace, GitHub Copilot) have created a new evidentiary category: AI prompts and responses are themselves discoverable communications. Custodians, often without realizing it, generate a detailed record of their thinking, their drafting, and sometimes their misconduct, by talking to an AI assistant.
We see four sub-patterns repeatedly:
- Prompt history deletion. Custodians clear their ChatGPT or Claude conversation history shortly before producing devices, particularly when AI was used to draft resignation letters, draft messages to opposing counsel, or analyze stolen documents.
- Personal AI accounts for corporate work. Employees route corporate data through personal ChatGPT or Claude accounts to avoid enterprise logging, copying customer lists or technical documents into a consumer AI session and downloading the AI's restructured output.
- AI-drafted discovery responses and declarations. Custodians use AI to compose declarations, interrogatory answers, or "contemporaneous" notes after the fact — leaving telltale stylistic and metadata signatures.
- AI-generated or AI-altered evidence. Fabricated text messages, doctored screenshots, and synthetic audio clips offered as evidence of harassment or its absence.
Artifacts we sample:
- Microsoft 365 Copilot: CopilotInteraction events in the Unified Audit Log, capturing the application context (Word, Excel, Outlook, Teams), the timestamp, and the resource grounding the response — without retaining the prompt text itself, which makes timeline analysis the primary tool
- ChatGPT, Claude, and Gemini (web): browser history, cookies, IndexedDB, and cache for chatgpt.com, claude.ai, and gemini.google.com; session tokens proving authenticated use during the relevant period
- Desktop AI applications: prefetch, Amcache, and ShimCache entries for ChatGPT desktop, Claude desktop, and the Copilot client; local conversation caches and SQLite stores
- Enterprise AI integrations: API call logs from corporate proxies, SIEM telemetry, and DLP alerts referencing AI endpoints (api.openai.com, api.anthropic.com, generativelanguage.googleapis.com)
- Mobile AI app usage: KnowledgeC.db /app/inFocus records and Screen Time data establishing when ChatGPT or Claude apps were active
- Provenance and authenticity: C2PA Content Credentials in images, EXIF anomalies, font and rendering inconsistencies in screenshots, and spectral analysis for synthetic audio
The legal frame is still developing, but the practical reality is not: a custodian who used AI to assist their misconduct has often produced the cleanest evidentiary record of that misconduct — provided the examination reaches it before deletion or retention rollover.
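The browser-history check for the web AI tools named above, as an added example written for this article rather than CFSI's own tooling. It builds an in-memory stand-in for a Chromium History database with the two tables used (urls and visits) and applies the Chromium timestamp convention, microseconds since 1601-01-01 UTC, to pull visits to chatgpt.com, claude.ai and gemini.google.com inside a relevant window. The URLs, conversation path fragments and visit times are invented placeholders; a real examination would open the custodian's History file read-only from a forensic copy.

```python
"""Find visits to consumer AI web apps in a Chromium History database during
a relevant window.

Added example, not CFSI's own tooling.  The database is constructed with the
two History tables used here; visit_time is microseconds since 1601-01-01
UTC, the convention Chromium uses."""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
AI_HOSTS = ("chatgpt.com", "claude.ai", "gemini.google.com")
# Constructed relevant window: the two days after a hypothetical hold notice.
RELEVANT_WINDOW = (datetime(2024, 3, 11, tzinfo=timezone.utc), datetime(2024, 3, 13, tzinfo=timezone.utc))


def to_webkit(dt):
    """Microseconds since 1601-01-01 UTC, as stored in Chromium's History database."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def from_webkit(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def matches_ai_host(url):
    host = urlparse(url).hostname or ""
    return any(host == h or host.endswith("." + h) for h in AI_HOSTS)


def build_sample_history():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                "visit_count INTEGER, last_visit_time INTEGER)")
    con.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER, transition INTEGER)")
    utc = timezone.utc
    sample = [   # (url, title, visit time); all constructed
        ("https://chatgpt.com/c/PLACEHOLDER-CONVO-1", "ChatGPT", datetime(2024, 2, 20, 9, 5, tzinfo=utc)),
        ("https://chatgpt.com/c/PLACEHOLDER-CONVO-2", "ChatGPT", datetime(2024, 3, 11, 20, 41, tzinfo=utc)),
        ("https://claude.ai/chat/PLACEHOLDER-CONVO-3", "Claude", datetime(2024, 3, 11, 21, 3, tzinfo=utc)),
        ("https://gemini.google.com/app", "Gemini", datetime(2024, 3, 12, 8, 17, tzinfo=utc)),
        ("https://docs.google.com/document/d/PLACEHOLDER", "Untitled document", datetime(2024, 3, 11, 20, 50, tzinfo=utc)),
        ("https://www.example.com/news", "Example News", datetime(2024, 3, 11, 22, 0, tzinfo=utc)),
    ]
    for i, (url, title, when) in enumerate(sample, start=1):
        con.execute("INSERT INTO urls VALUES (?, ?, ?, ?, ?)", (i, url, title, 1, to_webkit(when)))
        con.execute("INSERT INTO visits VALUES (?, ?, ?, ?)", (i, i, to_webkit(when), 0))
    con.commit()
    return con


def ai_visits(con, start, end):
    """Visits to AI hosts with start <= visit time < end, oldest first."""
    rows = con.execute("SELECT u.url, u.title, v.visit_time FROM visits v JOIN urls u ON u.id = v.url "
                       "WHERE v.visit_time >= ? AND v.visit_time < ? ORDER BY v.visit_time",
                       (to_webkit(start), to_webkit(end))).fetchall()
    return [{"url": url, "title": title, "time": from_webkit(t)} for url, title, t in rows if matches_ai_host(url)]


if __name__ == "__main__":
    for v in ai_visits(build_sample_history(), *RELEVANT_WINDOW):
        print(f'{v["time"]:%Y-%m-%d %H:%M}Z  {v["title"]:8}  {v["url"]}')
```

The visit list shows that the AI app was reached, authenticated or not; pairing it with the session cookies from the same profile is what turns "visited" into "used while logged in", and the visit timestamps are what get laid against the Copilot, KnowledgeC and document-modification events on the master timeline.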
What This Means for the Litigation Team
A few practical takeaways drawn from how we structure these examinations:
- Move fast on preservation. Most of the artifacts above degrade or roll off within days to weeks. iOS Unified Logs roll, Windows Event Logs cycle, Volume Shadow Copies overwrite, and cloud audit logs have retention windows measured in months — not years.
- Demand full file system extraction. Logical and advanced-logical mobile extractions miss the artifacts that matter most for spoliation analysis: SQLite WAL data, KnowledgeC, Biome, and the system logs that document reset events. We treat full file system as a baseline requirement, not an upgrade.
- Get the right preservation language into the hold notice. Generic "preserve all relevant documents" notices do not address mobile devices, personal cloud accounts, BYOD, or messaging platforms. We routinely help counsel scope hold notices to address each of these.
- Match the forensic timeline to the legal timeline. The probative value of a deletion event multiplies when it can be aligned to the day — sometimes the hour — of a triggering legal event. Our master timelines are built to make that alignment unambiguous.
How CFSI Approaches Spoliation Examinations
Computer Forensic Services has worked employment matters across Texas, Louisiana, Oklahoma, New Mexico, and Florida since 2002. Our methodology centers on:
- Full file system mobile extractions using Cellebrite UFED Premium and Magnet Verakey
- Cross-validation across Magnet Axiom, Oxygen Forensic Detective, and iLEAPP
- Forensically sound disk imaging with chain-of-custody documentation
- Master timelines built in Excel with multi-color event coding for trial presentation
- Expert reports written for the audience — judge, jury, opposing counsel, mediator
If you have an employment matter where preservation may be at issue — or where you suspect spoliation has already occurred — earlier engagement produces stronger evidence. We are typically able to scope and begin work within 24 to 48 hours.
Computer Forensic Services, Inc. | 11300 N. Central Expressway, Suite 403, Dallas, TX 75243 | 214-306-6470 | cfsiusa.com | Texas PI License #A11665 | CCE #282
Lance Sloves is the Founder and Principal Examiner of Computer Forensic Services, Inc. He has testified as a digital forensics expert in state and federal courts, including in the Amber Guyger murder trial and the Christopher Duntsch ("Dr. Death") investigation.
This article was prepared with AI assistance. The technical content, forensic methodology, and professional opinions reflect the author's two decades of casework experience and have been reviewed and verified by the author prior to publication.
