drop MFT CSV · detect encrypted file system usage patterns · identify mass EFS encryption events · surface encryption used to hide data before investigation · correlate with certificate and key evidence · runs locally
optional investigation window start (ISO) — flags mass encryption during investigation
drop MFT CSV · optional security EVTX CSV (multi-file)