
Drop EVTX CSVs and VSS registry exports · parse deliberate backup deletion across Windows Backup · Veeam artifacts · Backup Exec artifacts · correlate with ransomware timeline · runs locally

Drop EVTX CSV · registry .reg
System/Security/Application EVTX · VSS/backup registry exports

vssadmin delete shadows · wbadmin delete · bcdedit recovery disabled · wmic shadowcopy delete · PowerShell shadow delete · Veeam 7036 service stop
