Forensics: No malware on file

Not having access to vol2 or a Windows box, I wasted the entire time trying to get vol2 working on ARM or Windows running. Biggest fault!

Better way (after the CTF ended):

With a calm mind, I started working with vol3 natively. Spun up a Lima VM with Rosetta support and used vol2’s release binaries for amd64.

Working with vol3

What I did: Dumped all registries -> didn’t find anything -> moved to printkey registries