drop multiple evtx csvs, shimcache, prefetch and registry exports · detect behaviors indicating the suspect is aware of the investigation · identify evidence of surveillance detection and counter-forensic activity · surface systematic investigation evasion · runs locally
awareness searches · self-forensic tools · forensic path scanning · encrypted comm switches
drop evtx · prefetch · shimcache · browser history · registry