Drop Sysmon Event 11 (file create) · Event 23 (file delete) · MFT CSV · EVTX 4663 · link file creation and access events to the responsible process · build a per-process file activity timeline · identify data staging by process · runs locally
file + process artifacts
Sysmon FileCreate/Delete · 4663 object access · MFT created timestamps
Drop Sysmon 11/23/15 · EVTX 4663 · MFT CSV