As I mentioned in my previous post on this topic, there were two other tests that I wanted to conduct with respect to file system operations and the effects an analyst might expect to observe within the MFT and the USN change journal. My thoughts were that if an intruder were accessing a system via RDP, they might not use the drag-and-drop method to move files, or if they were accessing the system via a RAT and they only had command-line access, they might use native command-line tools to conduct file operations.
More here: http://windowsir.blogspot.com/2014/07/file-system-ops-testing-phase-2.html