drop mft csv or file listing with pe headers · extract compile timestamps from pe headers · detect files with filesystem timestamps earlier than their compile timestamp · surface impossible binaries indicating timestomping · runs locally
mftecmd / amcache exports with compile time column · or drop .exe/.dll for header-only batch analysis
drop mft/amcache csv or pe binaries (multi-file)
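
The check described above (filesystem creation time earlier than the PE compile timestamp), as an added example that is not this tool's own code. The tuple layout, the one-day tolerance, the `fake_pe` helper and every sample path and timestamp are assumptions constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

def pe_compile_time(data: bytes):
    """Return the COFF TimeDateStamp as a UTC datetime, or None if unusable."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # Signature(4) + Machine(2) + NumberOfSections(2) precede TimeDateStamp
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    if stamp == 0:  # zeroed field carries no time information
        return None
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def impossible_binaries(files, tolerance=timedelta(days=1)):
    """files: iterable of (path, fs_created_utc, header_bytes).
    Returns (path, created, compiled) for files that 'existed' before they were built."""
    hits = []
    for path, created, header in files:
        compiled = pe_compile_time(header)
        if compiled and created < compiled - tolerance:
            hits.append((path, created, compiled))
    return hits

def fake_pe(stamp: int) -> bytes:
    """Constructed sample: minimal DOS header + COFF header carrying `stamp`."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<HHI", 0x8664, 1, stamp) + b"\0" * 12

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed listing: paths, timestamps and headers are all invented.
BUILT = int(utc(2023, 6, 15).timestamp())
SAMPLE = [
    ("C:\\Tools\\updater.exe", utc(2019, 3, 1), fake_pe(BUILT)),  # created before build
    ("C:\\Tools\\viewer.exe", utc(2023, 7, 1), fake_pe(BUILT)),   # plausible
    ("C:\\Tools\\repro.dll", utc(2022, 1, 1), fake_pe(0)),        # no usable stamp
    ("C:\\Tools\\notes.txt", utc(2018, 1, 1), b"plain text, not a PE"),
]

if __name__ == "__main__":
    for path, created, compiled in impossible_binaries(SAMPLE):
        print(f"{path}: created {created:%Y-%m-%d} < compiled {compiled:%Y-%m-%d}")
```

The TimeDateStamp field is written by the linker and may hold a non-time value in reproducible builds, so a hit is a lead to corroborate against other timestamps rather than proof on its own.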