How to parse the Master File Table (MFT) of an NTFS image

analyzemft.py -f /path/to/mounted/windows/image/\$MFT -a -e -o analyzemft-results.csv

Open the CSV in Excel and filter it to see how the suspect files appear on disk, then compare the entries against the events in your other timelines to work out the sequence of events. This also lets you see when files were executed and how many times they were executed (once per entry).

If you see a name of the form filename:something, that is an alternate data stream (ADS), which can hold additional data (such as the download origin) or be used to hide malware and tools.

If the alternate data stream is named Zone.Identifier, use icat to print its contents. If it contains ZoneId=3, the file was downloaded from the Internet.
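As an added example (not part of the original page or of analyzeMFT), the following Python picks the ADS name out of a filename:something entry and parses the Zone.Identifier contents that icat prints; the sample stream below is constructed, and the zone-number-to-name mapping is assumed from the Windows URLZONE values.

```python
import configparser
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed mapping from the Windows URLZONE enumeration; 3 is the Internet zone.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


@dataclass
class ZoneIdentifier:
    zone_id: int
    zone_name: str
    referrer_url: Optional[str]   # present on newer Windows versions, may be absent
    host_url: Optional[str]

    @property
    def from_internet(self) -> bool:
        return self.zone_id == 3


def split_ads(entry: str) -> Tuple[str, Optional[str]]:
    """Split 'path:stream' as seen in the MFT listing into (path, stream).
    Paths in the listing carry no drive letter, so a colon means an ADS."""
    base, sep, stream = entry.partition(":")
    return (base, stream) if sep else (base, None)


def parse_zone_identifier(raw: bytes) -> Optional[ZoneIdentifier]:
    """Parse the bytes of a Zone.Identifier stream (an INI-style text)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key names such as 'ZoneId' case-sensitive
    try:
        parser.read_string(raw.decode("utf-8", errors="replace"))
    except configparser.Error:
        return None  # not a [ZoneTransfer] block at all
    if "ZoneTransfer" not in parser:
        return None
    section = parser["ZoneTransfer"]
    try:
        zone_id = int(section.get("ZoneId", ""))
    except ValueError:
        return None
    return ZoneIdentifier(zone_id, ZONE_NAMES.get(zone_id, f"Unknown zone {zone_id}"),
                          section.get("ReferrerUrl"), section.get("HostUrl"))


# Constructed sample: what icat would print for a file saved by a browser.
SAMPLE = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
          b"ReferrerUrl=https://example.com/downloads/\r\n"
          b"HostUrl=https://example.com/downloads/tool.zip\r\n")

if __name__ == "__main__":
    path, stream = split_ads("Users/bob/Downloads/tool.zip:Zone.Identifier")
    print(path, stream, parse_zone_identifier(SAMPLE))
```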