Purpose : To examine a Windows 7 hard drive and query windows event log for startup and shutdown events then output them to a csv file. Examine the MFT of the same hard drive and extract the modified dates and times for the \users files and output them to a csv. Compare the two csv files then output any files which have been modified whilst the computer was supposed to be switched off.