drop evtx csv or system evtx · detect automatic event log backup events · identify backup files created before log clearing · surface evidence that backups were taken then destroyed · runs locally
artifacts
drop evtx csv · registry · mft (multi-file)
Security 1105 auto-backup · System 104 clear · AutoBackupLogFiles registry · Archive-*.evtx MFT cross-ref
drop security/system evtx csv · optional registry + mft + archive evtx csv
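The correlation listed above, as an added example in Python that is not part of this tool (the CSV column names, MFT listing shape and registry export layout are assumptions, and all sample rows are constructed): each Security 1105 auto-backup is paired with the first later System 104 clear of the same log, and its Archive-*.evtx path is looked up in the MFT listing, so a backup whose archive record is unallocated or absent is the "taken then destroyed" finding.

```python
from datetime import datetime
from typing import Dict, List

# Constructed rows modelled on an evtx-to-csv export (not real case data).
# Security 1105 = "Event log automatic backup" (archive path taken from the message).
# System 104   = "The <log> log file was cleared".
SECURITY_CSV = [
    {"EventID": 1105, "TimeCreated": "2024-03-01 09:10:00", "Log": "Security",
     "File": r"C:\Windows\System32\winevt\Logs\Archive-Security-2024-03-01-09-10-00-001.evtx"},
    {"EventID": 1105, "TimeCreated": "2024-03-01 11:45:00", "Log": "Security",
     "File": r"C:\Windows\System32\winevt\Logs\Archive-Security-2024-03-01-11-45-00-002.evtx"},
]
SYSTEM_CSV = [{"EventID": 104, "TimeCreated": "2024-03-01 12:00:00", "Log": "Security"}]

# Constructed MFT listing: path -> in_use (False = record present but unallocated).
MFT = {
    r"C:\Windows\System32\winevt\Logs\Archive-Security-2024-03-01-09-10-00-001.evtx": False,
    r"C:\Windows\System32\winevt\Logs\Security.evtx": True,
}
# Constructed registry export: AutoBackupLogFiles under the Security channel key.
REGISTRY = {r"HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security": {"AutoBackupLogFiles": 1}}


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def backups_before_clear(security_rows, system_rows, mft) -> List[Dict]:
    """Pair each 1105 auto-backup with the first later 104 clear of the same log,
    then report whether the archive file still exists according to the MFT."""
    clears = sorted((r for r in system_rows if r["EventID"] == 104),
                    key=lambda r: _ts(r["TimeCreated"]))
    findings = []
    for b in (r for r in security_rows if r["EventID"] == 1105):
        later = [c for c in clears
                 if c["Log"] == b["Log"] and _ts(c["TimeCreated"]) > _ts(b["TimeCreated"])]
        if not later:
            continue  # backup with no subsequent clear: not a destruction indicator
        in_use = mft.get(b["File"])  # None = no MFT record at all
        findings.append({
            "archive": b["File"], "backup_time": b["TimeCreated"],
            "cleared_time": later[0]["TimeCreated"],
            "archive_state": "present" if in_use else ("deleted" if in_use is False else "missing"),
        })
    return findings


def auto_backup_enabled(registry, log: str = "Security") -> bool:
    """True when the channel's AutoBackupLogFiles value is set, i.e. 1105 events are expected."""
    key = r"HKLM\SYSTEM\CurrentControlSet\Services\EventLog\%s" % log
    return registry.get(key, {}).get("AutoBackupLogFiles") == 1
```

With the constructed data both archives predate the 12:00 clear: the first has an unallocated MFT record ("deleted"), the second has no record at all ("missing").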