drop prefetch shimcache amcache or mft csv · detect forensic imaging tool execution on the suspect machine · identify when the machine was imaged · surface imaging artifacts and write blocker evidence · runs locally
imaging artifacts
drop prefetch / shimcache / amcache / mft / evtx (4688) csv
FTK Imager · dd · WinPmem · DumpIt · E01/AFF · memory dumps · write blocker registry