drop security evtx csv · detect accounts created for forensic examination purposes · identify investigator logon sessions · surface examination timeline and investigator account activity · runs locally
examiner naming · admin-created examination accounts · logon type (local/RDP/network) · write contamination flags · forensic tool correlation
drop security evtx csv · optional prefetch/shimcache for forensic tool correlation
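A worked example of the workflow the lines above describe (added here; this is not the tool's own code). It parses a constructed Security.evtx CSV export, picks out account-creation events (event ID 4720) whose target name matches an assumed examiner naming convention, links the 4624 logons of those accounts with their logon type (2 local, 3 network, 10 RDP), flags interactive sessions as write-contamination candidates (interactive logons leave profile and registry artefacts on the host), and optionally correlates an assumed list of forensic tool executables from prefetch-style entries into the matching session window. The CSV column names, the examiner name hints, the tool list and the 30-minute correlation window are all assumptions, not part of the page.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (assumption: a Security.evtx -> CSV conversion with these columns).
SAMPLE_CSV = """TimeCreated,EventID,TargetUserName,SubjectUserName,LogonType,IpAddress
2024-03-01T08:58:00,4720,ir-examiner,Administrator,,
2024-03-01T09:01:12,4624,ir-examiner,-,10,10.0.0.5
2024-03-01T09:30:00,4624,jsmith,-,2,-
2024-03-01T09:45:05,4624,ir-examiner,-,3,10.0.0.5
2024-03-01T11:10:00,4624,ir-examiner,-,2,-
"""

# Constructed prefetch-style entries (executable name, last-run time) as the optional correlation input.
SAMPLE_PREFETCH = [
    ("KAPE.EXE", "2024-03-01T09:05:40"),
    ("NOTEPAD.EXE", "2024-03-01T09:31:00"),
    ("FTKIMAGER.EXE", "2024-03-01T11:12:30"),
]

LOGON_TYPES = {"2": "local", "3": "network", "10": "RDP"}      # Windows 4624 logon type codes
EXAMINER_HINTS = ("examiner", "forensic", "dfir", "investigator", "ir-")  # assumed naming convention
FORENSIC_TOOLS = {"KAPE.EXE", "FTKIMAGER.EXE", "VELOCIRAPTOR.EXE"}       # assumed tool list


def parse_events(text):
    """Read the CSV export and convert timestamps to datetime objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["TimeCreated"] = datetime.fromisoformat(row["TimeCreated"])
        rows.append(row)
    return rows


def examiner_accounts(events):
    """4720 = user account created. Keep accounts whose name matches an examiner hint,
    and record who created them (the admin-created examination account pattern)."""
    found = {}
    for e in events:
        if e["EventID"] == "4720":
            name = e["TargetUserName"].lower()
            if any(h in name for h in EXAMINER_HINTS):
                found[e["TargetUserName"]] = {
                    "created": e["TimeCreated"],
                    "created_by": e["SubjectUserName"],
                }
    return found


def examiner_sessions(events, accounts):
    """4624 = successful logon. One session record per logon of an examiner account."""
    sessions = []
    for e in events:
        if e["EventID"] == "4624" and e["TargetUserName"] in accounts:
            kind = LOGON_TYPES.get(e["LogonType"], "other")
            sessions.append({
                "time": e["TimeCreated"],
                "account": e["TargetUserName"],
                "logon": kind,
                "source": e["IpAddress"],
                # Interactive logons (console or RDP) write profile and registry artefacts,
                # so they are the sessions most likely to contaminate the evidence host.
                "write_contamination": kind in ("local", "RDP"),
                "tools": [],
            })
    return sessions


def correlate_tools(sessions, prefetch, window=timedelta(minutes=30)):
    """Attach known forensic tool executions to the first session whose window covers them."""
    for exe, ts in prefetch:
        if exe.upper() not in FORENSIC_TOOLS:
            continue
        run_at = datetime.fromisoformat(ts)
        for s in sessions:
            if s["time"] <= run_at <= s["time"] + window:
                s["tools"].append(exe)
                break
    return sessions


def build_timeline(csv_text, prefetch=()):
    """Full pipeline: examiner accounts plus their logon sessions, tool-correlated."""
    events = parse_events(csv_text)
    accounts = examiner_accounts(events)
    sessions = correlate_tools(examiner_sessions(events, accounts), prefetch)
    return {"accounts": accounts, "sessions": sessions}


if __name__ == "__main__":
    result = build_timeline(SAMPLE_CSV, SAMPLE_PREFETCH)
    for name, info in result["accounts"].items():
        print(f"examiner account {name} created {info['created']} by {info['created_by']}")
    for s in result["sessions"]:
        flag = "WRITE-RISK" if s["write_contamination"] else "read-only"
        print(f"{s['time']} {s['account']:12} {s['logon']:8} {flag:10} tools={s['tools']}")
```

The output is the investigator-activity timeline: every session here belongs to the examiner account, so a reviewer can exclude these entries (and the tool executions tied to them) from the host's own timeline instead of mistaking them for adversary activity. Sessions flagged as write-risk are the ones whose artefacts on disk most need to be discounted.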