drop system and application evtx csv and registry export · detect system restore disabled or restore points deleted · identify vss-backed restore point destruction · surface deliberate elimination of rollback evidence · runs locally
heuristic screener · vendor schema varies · not definitive proof