drop system evtx csv and registry export · detect rapid network adapter configuration changes · identify ip and mac changes altering forensic network identity · surface coordinated adapter reconfiguration events · runs locally
heuristic screener · vendor schema varies · not definitive proof