drop registry export and system EVTX CSV · detect Npcap and NDIS capture driver disabled or removed · identify network monitoring suppression · surface anti-forensic network capture prevention · runs locally
heuristic screener · vendor schema varies · not definitive proof