drop SRUM CSV · Windows accessibility event logs · UI interaction logs · reconstruct exactly which application had focus at every point in time · builds minute-by-minute user activity reconstruction · proves user presence or absence · runs locally
focus artifacts
drop SRUM / ActivitiesCache / EVTX CSV
SRUM ForegroundCycleTime · ActivitiesCache type 6 · workstation lock 4800/4801