drop Prefetch, ShimCache, MFT and Security EVTX CSVs · reconstruct the complete forensic acquisition timeline · identify what was collected, when, and by whom · surface the investigation method and any collection gaps · runs locally
live vs offline vs remote vs physical acquisition · E01/AFF images · memory dumps · write blocker · examiner 4624 logons · contamination after acquisition start
drop Prefetch · ShimCache · MFT · Security/System EVTX · registry