drop security evtx csv and shimcache or prefetch csv · detect execution evidence occurring outside known login sessions · identify executions that cannot be attributed to any user session · surface phantom execution gaps indicating anti-forensic log manipulation · runs locally
Security 4624/4634/4647/4800/4801 · shimcache · prefetch · BAM/DAM last-run timestamps
drop security evtx csv · shimcache · prefetch · BAM/DAM csv
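
The correlation described above, as an added example (not the tool's own code): logon sessions are rebuilt from Security 4624/4634/4647 records and each execution timestamp is checked against them. The tuple layouts, the pairing on logon ID, treating a logon with no logoff as open until the end of the log, and ignoring 4800/4801 are assumptions of this sketch; all sample rows are constructed.

```python
from datetime import datetime

LOGON, LOGOFF = {4624}, {4634, 4647}  # assumption: 4800/4801 lock/unlock ignored here

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def build_sessions(events, log_end):
    """Pair each 4624 with the 4634/4647 carrying the same logon ID."""
    open_, sessions = {}, []
    for when, event_id, logon_id in sorted(events):
        if event_id in LOGON:
            open_.setdefault(logon_id, when)
        elif event_id in LOGOFF and logon_id in open_:
            sessions.append((open_.pop(logon_id), when, logon_id))
    # Assumption: a logon with no logoff record stays open until the log ends.
    sessions += [(start, log_end, lid) for lid, start in open_.items()]
    return sorted(sessions)

def unattributed(executions, sessions, log_start, log_end):
    """Return executions inside the log window that no session covers."""
    out = []
    for when, source, path in executions:
        if not (log_start <= when <= log_end):
            continue  # outside log coverage: cannot be judged either way
        if not any(start <= when <= end for start, end, _ in sessions):
            out.append((when, source, path))
    return out

# Constructed sample data: (timestamp, event ID, logon ID) and (timestamp, source, path)
EVENTS = [
    (ts("2024-03-01 08:00:00"), 4624, "0x3e7a1"),
    (ts("2024-03-01 12:00:00"), 4647, "0x3e7a1"),
    (ts("2024-03-01 12:00:05"), 4634, "0x3e7a1"),  # duplicate close, ignored
    (ts("2024-03-01 18:30:00"), 4624, "0x51c02"),  # never logged off
]
EXECUTIONS = [
    (ts("2024-03-01 09:15:00"), "prefetch", r"C:\Windows\System32\notepad.exe"),
    (ts("2024-03-01 14:42:10"), "bam", r"C:\Users\Public\svc.exe"),
    (ts("2024-03-01 19:00:00"), "prefetch", r"C:\Windows\System32\cmd.exe"),
    (ts("2024-02-27 10:00:00"), "shimcache", r"C:\Tools\old.exe"),  # before log start
]
LOG_START, LOG_END = ts("2024-03-01 00:00:00"), ts("2024-03-01 23:59:59")
SESSIONS = build_sessions(EVENTS, LOG_END)
GAPS = unattributed(EXECUTIONS, SESSIONS, LOG_START, LOG_END)

if __name__ == "__main__":
    for when, source, path in GAPS:
        print(f"{when}  {source:<9} {path}  (no covering session)")
```

A hit is a lead to triage, since services and scheduled tasks legitimately run with no interactive session. Shimcache timestamps record the file's last-modified time rather than an execution time, so weigh them below prefetch and BAM/DAM hits.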