Digital Forensics · Easy · Premium

Digital Forensics: Windows, Linux and macOS System Artifacts

Published:

  • Questions: 30
  • Duration: 30 min
  • Faculty-reviewed: 0
  • Updated: 20 May 2026

Score, per-question explanations and topic breakdown shown right after you submit.

About this mock

FACT digital forensics drill on operating-system artefacts across Windows, Linux, and macOS, covering NTFS Master File Table internals, registry hives (HKLM\SYSTEM, NTUSER.DAT, SAM, SOFTWARE), event logs in .evtx form, LNK shortcuts, prefetch (.pf) files, the $Recycle.Bin with paired $I and $R files, shellbags, Volume Shadow Copies and System Restore, pagefile.sys, hiberfil.sys, NTFS Alternate Data Streams and slack space, plus the Linux Filesystem Hierarchy Standard, SUID/SGID/sticky semantics, /etc/passwd vs /etc/shadow, wtmp/btmp/lastlog/auth.log, bash history, cron persistence, syslog and rsyslog, auditd, /tmp vs /var/tmp, mount tables, and symlink vs hard link semantics. The macOS half covers launchd LaunchDaemons and LaunchAgents, SystemConfiguration preferences.plist, .fseventsd and other hidden directories, Unified Logging via the log show command, ~/Library plists, plutil binary-to-XML conversion, the login.keychain-db and System.keychain stores, zsh history on Catalina and later, Time Machine Backups.backupdb, and Safari and Chrome browser artefacts. Easy band calibration: distractors are clearly different concepts rather than near-twin paths.

For FACT aspirants, NFSU MSc digital forensics entrants, and candidates preparing for GCFA, CHFI, or SANS FOR500/FOR518. Questions emphasise canonical paths, default file names, and the single forensic role of each artefact, so the student can build a reliable mental map before moving on to scenario-driven medium and hard mocks.

Topics covered:

  • Windows file system, registry hives, and event logs
  • LNK shortcuts, prefetch, Recycle Bin, shellbags, Volume Shadow Copies
  • pagefile.sys, hiberfil.sys, NTFS Alternate Data Streams, slack space
  • Linux Filesystem Hierarchy Standard, permissions, and password storage
  • Login logs, bash history, cron persistence, syslog, and auditd
  • Mount tables, temporary directories, symbolic vs hard links
  • macOS launchd, SystemConfiguration plist, FSEvents, Unified Logging
  • Keychain stores, plutil, Time Machine, Safari and Chrome artefacts

Useful for revision and self-testing before the FACT digital forensics paper.

Allow 30 minutes.

Sources & references

Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.

  • Carvey, Harlan — Windows Registry Forensics, 2nd Edition. Syngress (2016), Chapter on Shellbags and User Activity Tracking. Cited in 2 questions.
  • Filesystem Hierarchy Standard, version 3.0. Linux Foundation (2015), Section on /etc — Host-specific system configuration. Open source; cited in 2 questions.
  • Carvey, Harlan — Windows Forensic Analysis Toolkit, 4th Edition. Syngress (2014), Chapter on Recycle Bin Artefacts: $I and $R Files. Cited in 2 questions.
  • Carrier, Brian — File System Forensic Analysis. Addison-Wesley (2005), Chapter 12: NTFS Data Structures — Alternate Data Streams and Slack Space. Cited in 2 questions.
  • Linux man-pages — link(2), symlink(2), ln(1). Section on hard versus symbolic links and inode semantics. Open source; cited in 1 question.
  • Microsoft Learn — Windows Event Log. Eventing documentation: default file locations and .evtx format. Open source; cited in 1 question.
  • Linux man-pages — crontab(1), crontab(5), cron(8). Section on user crontabs in /var/spool/cron and system entries in /etc/crontab. Open source; cited in 1 question.
  • Linux man-pages — chmod(1) and chmod(2). Section on numeric mode and the SUID, SGID, and sticky bits. Open source; cited in 1 question.
  • Apple Developer — Logging (os_log) and the log command. Section on Unified Logging architecture and the log show subcommand. Open source; cited in 1 question.
  • Microsoft Learn — Volume Shadow Copy Service. Storage documentation: VSS architecture and shadow copy contents. Open source; cited in 1 question.
  • Apple Developer — Keychain Services Programming Guide. Section on Keychain Locations: login.keychain-db and System.keychain. Open source; cited in 1 question.
  • Linux man-pages — auditd(8), auditd.conf(5), ausearch(8). Section on default audit log path and configuration. Open source; cited in 1 question.
  • Apple Developer — launchd and Daemons and Services Programming Guide. Section on LaunchDaemons, LaunchAgents, and property-list job definitions. Open source; cited in 1 question.
  • Apple Developer — File System Programming Guide. Section on the Library Folder and the Preferences Subdirectory. Open source; cited in 1 question.
  • Nelson, Phillips, Steuart — Guide to Computer Forensics and Investigations, 6th Edition. Cengage (2019), Chapter on Windows Artefacts: Prefetch. Cited in 1 question.
  • GNU Bash manual. Section on Bash History Facilities: HISTFILE, HISTSIZE, HISTTIMEFORMAT. Open source; cited in 1 question.
  • Edwards, Sarah — macOS Unified Logging and FSEvents in macOS Forensics. SANS DFIR — FOR518 Mac and iOS Forensic Analysis, Section on FSEvents. Cited in 1 question.
  • RFC 5424 — The Syslog Protocol. IETF Standards Track (2009), Section 6: Syslog Message Format. Open source; cited in 1 question.
  • Linux man-pages — shadow(5) and passwd(5). Section on /etc/shadow file format and access mode. Open source; cited in 1 question.
  • Apple — About Time Machine and APFS snapshots. Apple Support article HT201250 and developer documentation on tmutil(8). Open source; cited in 1 question.
  • Linux man-pages — wtmp(5), btmp(5), last(1), lastb(1). Section on login records: wtmp, btmp, and lastlog files. Open source; cited in 1 question.
  • Apple Developer — plutil man page. macOS Reference: plutil(1) and the property-list format. Open source; cited in 1 question.
  • Apple Developer — Use zsh as the default login shell on macOS. Apple Support article HT208050 and zshall(1) Section on HISTFILE. Open source; cited in 1 question.
  • Edwards, Sarah — Mac and iOS Forensic Analysis (SANS FOR518). SANS DFIR (current edition), Section on Browser Artefacts: Safari and Chrome on macOS. Cited in 1 question.
  • Bradley, Sarah; Edge, Charles — Apple Device Management. Apress (2020), Chapter on SystemConfiguration framework and preferences.plist. Cited in 1 question.
  • Microsoft Learn — Registry Hives. Windows configuration documentation: structure of the registry and the SYSTEM hive. Open source; cited in 1 question.

How our mocks are built

Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.

Common questions

What does the Digital Forensics: Windows, Linux and macOS System Artifacts mock cover?

FACT digital forensics drill on operating-system artefacts across Windows, Linux, and macOS, covering NTFS Master File Table internals, registry hives (HKLM\SYSTEM, NTUSER.DAT, SAM, SOFTWARE), event logs in .evtx form, LNK shortcuts, prefetch (.pf) files, the $Recycle.Bin with paired $I and $R files, shellbags, Volume Shadow Copies and System Restore, pagefile.sys, hiberfil.sys, NTFS Alternate Data Streams and slack space, plus the Linux Filesystem Hierarchy Standard, SUID/SGID/sticky semantics, /etc/passwd vs /etc/shadow, wtmp/btmp/lastlog/auth.log, bash history, cron persistence, syslog and rsyslog, auditd, /tmp vs /var/tmp, mount tables, and symlink vs hard link semantics. The macOS half covers launchd LaunchDaemons and LaunchAgents, SystemConfiguration preferences.plist, .fseventsd and other hidden directories, Unified Logging via the log show command, ~/Library plists, plutil binary-to-XML conversion, the login.keychain-db and System.keychain stores, zsh history on Catalina and later, Time Machine Backups.backupdb, and Safari and Chrome browser artefacts.

How many questions and how long is the test?

30 multiple-choice questions, 30 minutes total. Difficulty: easy. Tier: Premium.

Who is this mock for?

Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics, FACT. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.

Are the questions reviewed?

Each question carries a verified source citation. Faculty review for individual questions is in progress.

Do I need an account to take this mock?

Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.

Your journey to becoming a forensic professional starts here.

Practice with mock tests, learn from structured notes, and get your questions answered by a global forensic community, all in one place.