Drop Prefetch, ShimCache, Amcache, or 4688 EVTX CSV · detects forensic investigation tools run on the suspect machine · identifies who ran forensic tools and when · surfaces examiner or attacker tool reconnaissance on the machine · runs locally
Execution artifacts: drop Prefetch / ShimCache / Amcache / EVTX / BAM CSV
Tools recognized: Autopsy · FTK · Volatility · NirSoft · Mimikatz · context: investigator vs attacker vs subject-self