drop mft csv · evtx csv · proxy logs · identify data staging directories · compression artifacts · cloud upload indicators · estimate what data was stolen before encryption · runs locally
evidence sources
drop mft csv · evtx csv · proxy csv
mft csv: MFTECmd $MFT export · look for large .zip/.7z/.rar in temp/desktop · rclone.exe · staging dirs
evtx csv: Security/System EVTX · look for 7z/winrar run with -p (password) / -mhe (encrypted headers)
proxy csv: firewall/proxy logs · look for mega.nz · gofile.io · large POST
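Added example of the three checks above (not the tool's own code): it reads MFTECmd, EvtxECmd and proxy CSV text, flags staged archives, rclone.exe, password-protected archiver commands and uploads to file-sharing hosts, and reports staged vs uploaded bytes. Column names ParentPath/FileName/Extension/FileSize and EventId/ExecutableInfo follow the MFTECmd/EvtxECmd default layouts; the proxy columns (ts, src_ip, method, host, bytes_out), the size thresholds and all sample rows are assumptions constructed here.

```python
"""Triage data staging / exfiltration indicators from MFT, EVTX and proxy CSVs.
Added example, not the tool's own code. Column names and thresholds are assumptions;
sample rows are constructed, not real case data."""
import csv
import io
import re
from collections import defaultdict

ARCHIVE_EXT = {".zip", ".7z", ".rar"}
STAGING_HINTS = ("\\temp\\", "\\desktop\\", "\\programdata\\", "\\public\\")
ARCHIVE_MIN_BYTES = 50 * 1024 * 1024           # assumed: ignore small archives
UPLOAD_HOSTS = {"mega.nz", "gofile.io"}          # file-sharing hosts named on the page
LARGE_POST_BYTES = 10 * 1024 * 1024              # assumed "large POST" threshold
# 7z/WinRAR invoked with a password (-p) and/or encrypted headers (-mhe)
ARCHIVER_RE = re.compile(r"\b(7z|7za|rar|winrar)(\.exe)?\b.*\s(-p\S*|-mhe\S*)", re.IGNORECASE)


def scan_mft(rows):
    """Return (staged_bytes, {staging_dir: [archive names]}, rclone_paths)."""
    staged, dirs, rclone = 0, defaultdict(list), []
    for r in rows:
        path = (r["ParentPath"] + "\\" + r["FileName"]).lower()
        if r["FileName"].lower() == "rclone.exe":
            rclone.append(path)
            continue
        if r["Extension"].lower() in ARCHIVE_EXT and any(h in path for h in STAGING_HINTS):
            size = int(r["FileSize"] or 0)
            if size >= ARCHIVE_MIN_BYTES:
                staged += size
                dirs[r["ParentPath"].lower()].append(r["FileName"])
    return staged, dict(dirs), rclone


def scan_evtx(rows):
    """Return command lines of process-creation events (4688) that run 7z/WinRAR
    with -p or -mhe, i.e. password-protected / header-encrypted archives."""
    return [r["ExecutableInfo"] for r in rows
            if r["EventId"] == "4688" and ARCHIVER_RE.search(r["ExecutableInfo"] or "")]


def scan_proxy(rows):
    """Return (uploaded_bytes, hits): bytes sent to known file-sharing hosts
    plus any large POST regardless of destination."""
    uploaded, hits = 0, []
    for r in rows:
        host = r["host"].lower()
        out = int(r["bytes_out"] or 0)
        sharing = any(host == h or host.endswith("." + h) for h in UPLOAD_HOSTS)
        if sharing or (r["method"].upper() == "POST" and out >= LARGE_POST_BYTES):
            uploaded += out
            hits.append((r["ts"], r["src_ip"], host, out))
    return uploaded, hits


def estimate_exfil(mft_csv, evtx_csv, proxy_csv):
    """Combine the three sources into one pre-encryption exfiltration estimate."""
    staged, dirs, rclone = scan_mft(csv.DictReader(io.StringIO(mft_csv)))
    cmds = scan_evtx(csv.DictReader(io.StringIO(evtx_csv)))
    uploaded, hits = scan_proxy(csv.DictReader(io.StringIO(proxy_csv)))
    return {
        "staged_bytes": staged, "staging_dirs": dirs, "rclone": rclone,
        "archiver_cmds": cmds, "uploaded_bytes": uploaded, "uploads": hits,
        # staged volume = what was prepared; uploaded volume = what left the network
        "estimated_stolen_bytes": max(staged, uploaded),
    }


# --- constructed sample input (not real case data) ---
MFT_CSV = """ParentPath,FileName,Extension,FileSize
.\\Users\\svc\\AppData\\Local\\Temp\\stage,finance.7z,.7z,734003200
.\\Users\\svc\\AppData\\Local\\Temp\\stage,hr.7z,.7z,157286400
.\\Users\\svc\\Desktop,notes.zip,.zip,2048
.\\ProgramData\\r,rclone.exe,.exe,45000000
.\\Windows\\System32,kernel32.dll,.dll,700000
"""
EVTX_CSV = """TimeCreated,EventId,ExecutableInfo
2024-05-01 02:11:09,4688,"7z.exe a -p -mhe=on C:\\Users\\svc\\AppData\\Local\\Temp\\stage\\finance.7z D:\\Finance"
2024-05-01 02:15:40,4688,"7z.exe a -pS3cret -mhe C:\\Users\\svc\\AppData\\Local\\Temp\\stage\\hr.7z D:\\HR"
2024-05-01 02:20:00,4688,"7z.exe x update.7z"
2024-05-01 02:30:00,4624,""
"""
PROXY_CSV = """ts,src_ip,method,host,bytes_out
2024-05-01 02:40:01,10.0.5.17,POST,mega.nz,734100000
2024-05-01 02:55:13,10.0.5.17,PUT,store1.gofile.io,157300000
2024-05-01 03:00:00,10.0.5.17,POST,crm.example.internal,20000000
2024-05-01 03:01:00,10.0.5.22,GET,www.example.com,512
"""

if __name__ == "__main__":
    import json
    print(json.dumps(estimate_exfil(MFT_CSV, EVTX_CSV, PROXY_CSV), indent=2))
```

The staged and uploaded totals are reported side by side on purpose: an archive that was staged but never shows up in proxy volume may have left by another path (or been encrypted before upload), and an upload with no matching archive points at a staging location the MFT export did not cover.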
drop mft csv · evtx csv · proxy logs (multiple files OK)