Week of Data Dumps, Part 7 – registry

August 6, 2022 in Archaeology, Clustering, File Formats ZOO

This one is not a surprise, I hope. Most forensic artifacts are either file- or Registry-oriented. Of course, there is a macOS and OS X world out there, there is Linux, but in reality, lots of DFIR is still living inside the Microsoft world.

My 3R page lists a lot of interesting Windows Registry artifacts that I automagically pulled from Harlan Carvey’s RegRipper.

The file linked to this post shows a few more, either properly attributed… or not. After all, who has the TIME for all the analysis?!!! Still, hopefully it’s useful to some…
