Slic Toolkit V3.2 Today

The toolkit will recover LNK files pointing to USB drives, USN journal entries showing bulk file copies to D:\, and prefetch executions of 7z.exe or rar.exe at 2:00 AM.

One concern with PowerShell-based toolkits is "living-off-the-land" attacks where an attacker swaps the script. The SLIC team now provides: slic toolkit v3.2
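
One way to guard against a swapped script before running it, as an added example that is not SLIC's own code or mechanism: compare the file against a SHA-256 value recorded out of band and, optionally, a pinned Authenticode signer. The function name `Test-ScriptIntegrity`, its parameters and the demo file are hypothetical.

```powershell
# Added example: refuse to trust a collection script unless it matches a pinned
# hash and, optionally, a pinned signing certificate. All names are hypothetical.
function Test-ScriptIntegrity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256,
        [string]$ExpectedSignerThumbprint   # optional pin on the signing certificate
    )
    $problems = @()

    # 1. Content hash must equal the value recorded out of band.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {   # -ne ignores case for strings
        $problems += "SHA-256 mismatch: got $actual"
    }

    # 2. If a signer is pinned, the signature must be valid and from that certificate.
    if ($ExpectedSignerThumbprint) {
        $sig = Get-AuthenticodeSignature -LiteralPath $Path
        if ($sig.Status -ne 'Valid') {
            $problems += "Authenticode status is $($sig.Status)"
        } elseif ($sig.SignerCertificate.Thumbprint -ne $ExpectedSignerThumbprint) {
            $problems += "Unexpected signer: $($sig.SignerCertificate.Thumbprint)"
        }
    }

    [pscustomobject]@{ Path = $Path; Trusted = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed demo: a stand-in script, its recorded hash, then a simulated swap.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'collector-demo.ps1'
Set-Content -LiteralPath $demo -Value 'Write-Output "collecting"'
$pinned = (Get-FileHash -LiteralPath $demo -Algorithm SHA256).Hash

Test-ScriptIntegrity -Path $demo -ExpectedSha256 $pinned | Format-List   # unmodified file
Add-Content -LiteralPath $demo -Value 'Write-Output "extra line"'        # file changed after pinning
Test-ScriptIntegrity -Path $demo -ExpectedSha256 $pinned | Format-List   # now reports a mismatch
Remove-Item -LiteralPath $demo
```

The pinned hash and thumbprint only help if they are stored somewhere the script's location cannot overwrite, such as a write-protected response kit or a separate ticketing record.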