#DFIR realizations - ctime isn't the creation date on Linux systems but the "status change" date - strings -el includes wide formatted strings - each registry key has a modification time stamp that isn't visible in regedit.exe What was yours?