How to extract the USN Journal of an NTFS image

The USN Journal (Update Sequence Number Journal), or Change Journal, is a feature of NTFS which maintains a record of changes made to the volume. That means every time something changes on disk, a record of it gets written to the USN Journal, and it is unlikely to be tampered with.

Mount your E01 file:

ewfmount image.E01 /mnt/ewf_mount

Use TZ Works’ Windows Journal Parser (get it here: https://tzworks.net/prototype_page.php?proto_id=5) to pull the USN Journal from the EWF mount:

jp -image /mnt/ewf_mount/ewf1 -base10 -csv > usn-journal.txt

Grep through this to see how suspected files appear on the disk, and compare it to events in your other timelines.
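For readers who want to see what jp is actually decoding, the following is an added example (not part of the original post and not TZWorks code) that parses the raw $UsnJrnl:$J stream directly. It follows Microsoft's documented USN_RECORD_V2 layout, skips the sparse zero-filled region that precedes the first live record, and stops on a malformed record instead of mis-aligning. The sample stream is constructed inline so the script runs offline; in practice you would feed it the $J attribute carved from the mounted image. The file names, reference numbers and timestamps in it are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_REASON_* flag names from the Windows SDK (winioctl.h).
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE",
    0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE",
    0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00004000: "INDEXABLE_CHANGE",
    0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE",
    0x00020000: "COMPRESSION_CHANGE",
    0x00040000: "ENCRYPTION_CHANGE",
    0x00080000: "OBJECT_ID_CHANGE",
    0x00100000: "REPARSE_POINT_CHANGE",
    0x00200000: "STREAM_CHANGE",
    0x80000000: "CLOSE",
}

# Fixed 60-byte header of USN_RECORD_V2 (little-endian): RecordLength,
# MajorVersion, MinorVersion, FileReferenceNumber, ParentFileReferenceNumber,
# Usn, TimeStamp (FILETIME), Reason, SourceInfo, SecurityId, FileAttributes,
# FileNameLength, FileNameOffset. The UTF-16LE name follows at FileNameOffset.
HEADER = struct.Struct("<IHHQQqqIIIIHH")


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def reason_names(reason):
    """Render a Reason bitmask as 'FLAG|FLAG'; unknown bits fall back to hex."""
    names = [n for bit, n in sorted(USN_REASONS.items()) if reason & bit]
    return "|".join(names) if names else hex(reason)


def parse_usn_journal(data):
    """Return a list of dicts, one per USN_RECORD_V2 found in a raw $J stream."""
    records, off = [], 0
    while off + HEADER.size <= len(data):
        rec_len = struct.unpack_from("<I", data, off)[0]
        if rec_len == 0:
            off += 8  # sparse prefix or 8-byte padding between records: skip
            continue
        if rec_len < HEADER.size or rec_len % 8 or off + rec_len > len(data):
            break  # corrupt or truncated record: do not guess, stop here
        (_, major, _minor, frn, parent_frn, usn, ts, reason, _src, _sid,
         attrs, name_len, name_off) = HEADER.unpack_from(data, off)
        if major != 2:
            break  # V3/V4 records use 128-bit reference numbers; not handled here
        raw_name = data[off + name_off:off + name_off + name_len]
        records.append({
            "usn": usn, "frn": frn, "parent_frn": parent_frn,
            "timestamp": filetime_to_datetime(ts), "reason": reason,
            "reason_names": reason_names(reason), "attributes": attrs,
            "name": raw_name.decode("utf-16-le", "replace"),
        })
        off += rec_len
    return records


def records_for_name(records, filename):
    """NTFS names are case-insensitive, so match the same way when hunting a file."""
    wanted = filename.casefold()
    return [r for r in records if r["name"].casefold() == wanted]


# ---- constructed sample data (not from any real volume) ----------------------
T0 = 132223104000000000  # FILETIME for 2020-01-01 00:00:00 UTC
FRN, PARENT_FRN = 0x0001000000000054, 0x0005000000000005  # made-up reference numbers


def build_record(usn, frn, parent_frn, filetime, reason, name):
    """Pack one V2 record, padded to 8 bytes as NTFS does."""
    name_bytes = name.encode("utf-16-le")
    length = HEADER.size + len(name_bytes)
    length += (-length) % 8
    hdr = HEADER.pack(length, 2, 0, frn, parent_frn, usn, filetime, reason,
                      0, 0, 0x20, len(name_bytes), HEADER.size)
    return hdr + name_bytes + b"\0" * (length - HEADER.size - len(name_bytes))


def build_sample_stream():
    """64 zero bytes (sparse region), then create/write/rename/delete of one file.
    In a real $J the Usn field equals the record's byte offset, reproduced here."""
    events = [
        (T0, 0x00000100, "report.docx"),
        (T0 + 10_000_000, 0x00000002 | 0x80000000, "report.docx"),
        (T0 + 20_000_000, 0x00001000, "report.docx"),
        (T0 + 20_000_000, 0x00002000, "report-final.docx"),
        (T0 + 30_000_000, 0x00000200 | 0x80000000, "report-final.docx"),
    ]
    stream = b"\0" * 64
    for ts, reason, name in events:
        stream += build_record(len(stream), FRN, PARENT_FRN, ts, reason, name)
    return stream


if __name__ == "__main__":
    for r in parse_usn_journal(build_sample_stream()):
        print(r["timestamp"].isoformat(), r["usn"], r["name"], r["reason_names"])
```

The rename shows up as two records with the same timestamp (RENAME_OLD_NAME then RENAME_NEW_NAME) and the same file reference number, which is how you tie a suspicious name back to whatever it was called before; matching on the FRN rather than the name is the reliable way to follow a file through the journal.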