drop prefetch shimcache or 4688 evtx csv and mft csv · detect memory imaging tool execution · identify when ram was acquired · surface memory dump files and acquisition method · runs locally
memory acquisition artifacts
drop prefetch / shimcache / 4688 evtx / system evtx / mft csv (multi-file)
DumpIt · WinPmem · Magnet RAM Capture · Belkasoft · FTK memory mode · 7045 driver installs · deleted dumps