Drop a System event log export (CSV) and a registry export to detect evidence of booting from external media · identify USB boot events and alternate-OS boot artifacts · surface forensic live-boot or attacker bootable-media usage · runs locally, nothing is uploaded
boot media artifacts
Artifacts checked: kernel-boot 11/12 · Security 4826 (Boot Configuration Data loaded) · USBSTOR device enumeration keys · EFI boot order · 6005/6006 (Event Log service started/stopped) uptime gaps
Inputs: System event log exported to CSV · registry export as .reg or CSV
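As an added example (not the tool's own code), the Python below shows two of the checks listed above in working form: it walks a System log CSV for EventLog 6006 (stopped) / 6005 (started) pairs and reports uptime gaps over a threshold, plus 6005 starts with no preceding 6006 (the host went down without a clean stop), and it pulls USBSTOR device instances out of a .reg export. The CSV column layout, the sample events and the registry fragment are constructed for this example; kernel-boot 11/12, Security 4826 and the EFI boot order are not covered here.

```python
"""Uptime-gap and USBSTOR checks over a System log CSV and a .reg export.

Added example, not part of the page's tool. The CSV layout below is
constructed (a real Event Viewer export has different column names).
"""
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed System log CSV: a 2-minute reboot and a 35-minute outage.
SYSTEM_CSV = """TimeCreated,Provider,EventID,Message
2024-03-01T08:00:12,EventLog,6005,The Event log service was started.
2024-03-01T17:30:05,EventLog,6006,The Event log service was stopped.
2024-03-01T17:32:10,EventLog,6005,The Event log service was started.
2024-03-01T22:10:00,EventLog,6006,The Event log service was stopped.
2024-03-01T22:45:33,EventLog,6005,The Event log service was started.
"""

# Constructed .reg export fragment of HKLM\SYSTEM\...\Enum\USBSTOR.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00\4C530001234567890123&0]
"FriendlyName"="SanDisk Cruzer USB Device"
"Service"="disk"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\0019E06B12345678&0]
"FriendlyName"="Kingston DataTraveler USB Device"
"""

# Key header: ...\Enum\USBSTOR\<device id>\<instance id>
USBSTOR_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\[^\\]+\\Enum\\USBSTOR\\([^\\\]]+)\\([^\]]+)\]$",
    re.IGNORECASE,
)


def parse_events(csv_text):
    """Parse the constructed CSV layout into dicts sorted by time."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({"time": datetime.fromisoformat(row["TimeCreated"]),
                     "provider": row["Provider"],
                     "id": int(row["EventID"]),
                     "message": row["Message"]})
    rows.sort(key=lambda r: r["time"])
    return rows


def uptime_gaps(events, min_gap=timedelta(minutes=10)):
    """Return (gaps, orphan_starts).

    gaps: (stop_time, start_time, duration) for 6006 -> 6005 pairs whose
    silence is at least min_gap; long enough to boot other media.
    orphan_starts: 6005 with no preceding 6006 (hard power-off / crash),
    excluding the first event, which is just where the log begins.
    """
    gaps, orphan_starts = [], []
    last_stop = None
    for i, ev in enumerate(events):
        if ev["provider"] != "EventLog":
            continue
        if ev["id"] == 6006:
            last_stop = ev["time"]
        elif ev["id"] == 6005:
            if last_stop is None:
                if i > 0:
                    orphan_starts.append(ev["time"])
            else:
                gap = ev["time"] - last_stop
                if gap >= min_gap:
                    gaps.append((last_stop, ev["time"], gap))
                last_stop = None
    return gaps, orphan_starts


def usbstor_devices(reg_text):
    """Extract USBSTOR device/instance ids and FriendlyName from a .reg export."""
    devices, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = USBSTOR_KEY.match(line)
        if m:
            current = {"device": m.group(1), "instance": m.group(2),
                       "friendly_name": None}
            devices.append(current)
            continue
        if line.startswith("["):      # some other key: stop attributing values
            current = None
            continue
        if current is not None:
            fm = re.match(r'^"FriendlyName"="(.*)"$', line)
            if fm:
                current["friendly_name"] = fm.group(1)
    return devices


def report(csv_text, reg_text):
    """Combine both checks into a list of finding strings."""
    findings = []
    gaps, orphans = uptime_gaps(parse_events(csv_text))
    for stop, start, gap in gaps:
        findings.append(f"uptime gap {gap} between 6006 at {stop} and 6005 at {start}")
    for t in orphans:
        findings.append(f"6005 at {t} with no preceding 6006 (unclean shutdown)")
    for d in usbstor_devices(reg_text):
        findings.append(f"USBSTOR {d['device']} / {d['instance']}: {d['friendly_name']}")
    return findings


if __name__ == "__main__":
    for line in report(SYSTEM_CSV, REG_EXPORT):
        print(line)
```

A gap is a lead, not proof: while the host is booted from a live USB its own event log records nothing, so the silence is all the log will show. A .reg export carries no key timestamps, so USBSTOR entries from it establish that a device was enumerated, not when; pair them with the gap window and the EFI boot order before drawing a conclusion.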