drop security evtx csv, sysmon evtx csv and a registry export · detect large-page allocation and memory locking (SeLockMemoryPrivilege, VirtualLock) used to keep process memory out of the pagefile · identify techniques that avoid creating memory artifacts · surface memory-management abuse for anti-forensic purposes · runs locally
signals: Security Event 4703 (user right adjusted) enabling SeLockMemoryPrivilege · pagefile registry values under Session Manager\Memory Management (PagingFiles, ClearPageFileAtShutdown) · Sysmon Event 10 ProcessAccess with rights that allow changing another process's page protection · PAGE_GUARD regions and the guard-page violation / application crash signals they raise when a memory reader touches them
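The triage the blurb describes, as an added example that is not the tool's own code: it reads a Security EVTX CSV, a Sysmon EVTX CSV and a .reg export and flags 4703 grants of SeLockMemoryPrivilege, Sysmon Event 10 accesses carrying PROCESS_VM_OPERATION (the right VirtualProtectEx needs to set PAGE_GUARD in another process), and pagefile settings that wipe or disable the pagefile. The CSV column names, the sample rows and the registry export are constructed assumptions; EVTX-to-CSV converters name columns differently, so adjust the headers to your exporter.

```python
"""Anti-forensic memory-management triage over EVTX CSV and .reg exports.

Added example; the input column names and sample data below are assumptions,
not the page's or the tool's own format.
"""
import csv
import io
import re

# Constructed sample inputs (not real telemetry).
SECURITY_CSV = """EventID,TimeCreated,SubjectUserName,ProcessName,EnabledPrivilegeList
4703,2024-05-01T10:00:01Z,svc_backup,C:\\Windows\\System32\\svchost.exe,SeBackupPrivilege
4703,2024-05-01T10:02:13Z,jdoe,C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe,SeLockMemoryPrivilege
4624,2024-05-01T10:02:14Z,jdoe,-,-
"""

SYSMON_CSV = """EventID,UtcTime,SourceImage,TargetImage,GrantedAccess
10,2024-05-01 10:02:20.000,C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe,C:\\Windows\\System32\\lsass.exe,0x1fffff
10,2024-05-01 10:02:21.000,C:\\Windows\\System32\\svchost.exe,C:\\Windows\\System32\\wininit.exe,0x1000
1,2024-05-01 10:02:22.000,C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe,-,-
"""

REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000001
"PagingFiles"=hex(7):00,00
"""

# PROCESS_VM_OPERATION is required by VirtualProtectEx, i.e. to set PAGE_GUARD
# on pages of another process.
PROCESS_VM_OPERATION = 0x0008
MEMMGMT_KEY = r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]"


def lock_memory_grants(security_csv):
    """4703 rows where SeLockMemoryPrivilege was enabled: the right behind
    VirtualLock and large-page allocations that keep memory out of the pagefile."""
    hits = []
    for row in csv.DictReader(io.StringIO(security_csv)):
        if row["EventID"] == "4703" and "SeLockMemoryPrivilege" in row["EnabledPrivilegeList"]:
            hits.append((row["TimeCreated"], row["SubjectUserName"], row["ProcessName"]))
    return hits


def vm_operation_access(sysmon_csv):
    """Sysmon Event 10 rows whose GrantedAccess mask includes PROCESS_VM_OPERATION."""
    hits = []
    for row in csv.DictReader(io.StringIO(sysmon_csv)):
        if row["EventID"] != "10":
            continue
        if int(row["GrantedAccess"], 16) & PROCESS_VM_OPERATION:
            hits.append((row["SourceImage"], row["TargetImage"], row["GrantedAccess"]))
    return hits


def pagefile_settings(reg_export):
    """Read ClearPageFileAtShutdown and PagingFiles from the Memory Management key.

    Simplification: hex(7) values are assumed to sit on one line; a real export
    may continue long values over several lines with a trailing backslash."""
    result = {"clear_at_shutdown": False, "pagefile_disabled": False}
    in_key = False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.lower() == MEMMGMT_KEY.lower()
            continue
        if not in_key:
            continue
        m = re.match(r'"ClearPageFileAtShutdown"=dword:([0-9a-fA-F]{8})', line)
        if m:
            result["clear_at_shutdown"] = int(m.group(1), 16) == 1
        m = re.match(r'"PagingFiles"=hex\(7\):(.*)', line)
        if m:
            raw = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
            # REG_MULTI_SZ exported as bytes: only NUL terminators means no pagefile
            result["pagefile_disabled"] = raw.strip(b"\x00") == b""
    return result


def triage(security_csv, sysmon_csv, reg_export):
    """Combine the three checks into a flat list of findings."""
    findings = []
    for when, user, proc in lock_memory_grants(security_csv):
        findings.append(f"4703 SeLockMemoryPrivilege enabled for {user} in {proc} at {when}")
    for src, dst, acc in vm_operation_access(sysmon_csv):
        findings.append(f"Sysmon 10 {src} -> {dst} with PROCESS_VM_OPERATION ({acc})")
    pf = pagefile_settings(reg_export)
    if pf["clear_at_shutdown"]:
        findings.append("ClearPageFileAtShutdown=1: pagefile wiped at shutdown")
    if pf["pagefile_disabled"]:
        findings.append("PagingFiles empty: no pagefile, nothing is ever paged to disk")
    return findings


if __name__ == "__main__":
    for finding in triage(SECURITY_CSV, SYSMON_CSV, REG_EXPORT):
        print(finding)
```

A 4703 granting SeLockMemoryPrivilege is not malicious on its own (SQL Server and other large-page users legitimately hold it); the value is in correlating it with the process path, the Sysmon 10 access to a process worth dumping, and a pagefile that has been disabled or set to wipe.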