drop mft csv and evtx csv · pinpoint encryption onset · patient zero · dwell hints · runs locally
sources
drop mft csv · optional evtx csv
mftecmd / evtxecmd exports · multiple files OK
spike detection on $STANDARD_INFORMATION (SI) modified timestamps · optional Security/System evtx for dwell
drop mft csv (mftecmd); optional evtx csv for pre-encryption activity
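Added example, not the tool's own code: the SI-modified-timestamp spike detection from the sources list, run over a constructed MFTECmd-style CSV. The column name LastModified0x10, the per-minute bucketing and the median-baseline threshold are assumptions; the sample rows are made up.

```python
import csv
import io
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed MFTECmd-style rows (column name LastModified0x10 is assumed).
SAMPLE_CSV = r"""EntryNumber,ParentPath,FileName,LastModified0x10
1,.\Users\a\Documents,budget.xlsx,2024-03-02 08:14:02.1234567
2,.\Users\a\Documents,notes.txt,2024-03-02 09:40:11.0000000
3,.\Users\a\Pictures,cat.jpg,2024-03-02 10:05:59.5555555
4,.\Users\a\Documents,budget.xlsx.locked,2024-03-02 11:02:03.0000001
5,.\Users\a\Documents,notes.txt.locked,2024-03-02 11:02:03.2000000
6,.\Users\a\Pictures,cat.jpg.locked,2024-03-02 11:02:04.0000000
7,.\Users\a\Pictures,dog.jpg.locked,2024-03-02 11:02:05.0000000
8,.\Users\a\Music,song.mp3.locked,2024-03-02 11:03:01.0000000
"""

def parse_ts(text):
    # MFTECmd writes seven fractional digits; second precision is enough here.
    return datetime.strptime(text[:19], "%Y-%m-%d %H:%M:%S")

def writes_per_minute(csv_text, column="LastModified0x10"):
    """Bucket $STANDARD_INFORMATION modified times into per-minute write counts."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = (row.get(column) or "").strip()
        if value:  # records without the timestamp are skipped, not counted as zero
            counts[parse_ts(value).replace(second=0)] += 1
    return counts

def encryption_onset(counts, factor=3, min_hits=3):
    """First minute whose write count exceeds factor x the median busy minute."""
    if not counts:
        return None
    baseline = median(counts.values())
    for minute in sorted(counts):
        if counts[minute] >= min_hits and counts[minute] > factor * baseline:
            return minute
    return None

def first_files_in(csv_text, minute, limit=3, column="LastModified0x10"):
    """Earliest modified entries inside the onset minute: where encryption began."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = (row.get(column) or "").strip()
        if value and parse_ts(value).replace(second=0) == minute:
            hits.append((parse_ts(value), row["ParentPath"] + "\\" + row["FileName"]))
    return [path for _, path in sorted(hits)[:limit]]
```

On a real export, pair the onset minute with the Security/System EVTX timeline to estimate how long the intrusion ran before encryption started.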