Analyzing Windows Registry for Artifacts

When to Use

- When investigating user activity on a Windows system during an incident
- For identifying autorun/persistence mechanisms used by malware
- When tracing installed software, USB devices, and network connections
- During insider threat investigations to reconstruct user actions
- For correlating registry timestamps with other forensic artifacts

Prerequisites

- Forensic image or extracted registry hive files
- RegRipper, Registry Explorer (Eric Zimmerman), or python-registry
- Access to registry hive locations (SAM, SYSTEM, SOFTWARE, NTUSER.D…