drop system evtx csv prefetch shimcache and registry export · detect vpn client installation and usage · identify vpn connection windows hiding traffic origin · surface vpn adapter artifacts and connection timeline · runs locally
drop system evtx csv prefetch shimcache and registry export · local only
heuristic screener · vendor schema varies · not definitive proof