- MAC file times
- Registry key LastWrite times
- Event Logs
- Other logs (e.g., setupapi.log, schedlgU.txt, etc.)
- INFO2 files
Are there any other sources that should be added?
On a side note, does anyone have any credible/supported information regarding which Registry key maintains the audit policy? This may be something that's very important to check.