Report
Data sources: ZENODO

Intrusion Lens: Real-Time Shellbag, Jumplist, and Recent Docs Analysis for Insider Threat Detection

Authors: Shloka Shah, Keshvi Mistry, Aditya More, Dr. Kapil Kumar


Abstract

With the increasing frequency of insider threats in today’s cybersecurity landscape, there is a need for better, more proactive monitoring tools to enhance visibility into user behavior as well as privacy violations required by law. Conventional solutions are designed from a network point of view; they therefore fail to see suspicious activity at the endpoint, especially by people who have legitimate access. This research proposes Intrusion Lens, a real-time monitoring tool that examines Windows forensic artifacts (Shellbags, Jumplists, and RecentDocs) to see user interactions with files and directories and to identify anomalous file access behavior that may indicate insider threats. Intrusion Lens expands the current forensic state of the art to include continuous monitoring, access to behavioral patterns, and automated email alerts for suspicious or abnormal access to private data. Intrusion Lens works directly at the endpoint to view local-level actions that might otherwise be missed. By identifying local-level access activity, it supports shorter response times, reduces potential data breaches, and generally improves an organization’s overall security posture. In addition, the study examines the effectiveness and responsiveness of real-time alerts on incident response efficiency (moving from reactively responding to proactive forensic intentions). This dissertation outlines the design, development, and testing of Intrusion Lens to address current deficiencies in real-time insider threat detection, stressing the real-world utility of enhancing digital forensics. The study offers efficiency and scale for modern enterprise needs while stressing data privacy and providing rapid threat mitigation, ultimately situating the study within the wider area of cybersecurity.
