Digital Forensics: Windows, Linux and macOS System Artifacts
Questions: 30
Duration: 30 min
Faculty-reviewed: 0
Updated: 20 May 2026
About this mock
FACT digital forensics drill on operating-system artefacts across Windows, Linux, and macOS, covering NTFS Master File Table internals, registry hives (HKLM\SYSTEM, NTUSER.DAT, SAM, SOFTWARE), event logs in .evtx form, LNK shortcuts, prefetch (.pf) files, the $Recycle.Bin with paired $I and $R files, shellbags, Volume Shadow Copies and System Restore, pagefile.sys, hiberfil.sys, NTFS Alternate Data Streams and slack space, plus the Linux Filesystem Hierarchy Standard, SUID/SGID/sticky semantics, /etc/passwd vs /etc/shadow, wtmp/btmp/lastlog/auth.log, bash history, cron persistence, syslog and rsyslog, auditd, /tmp vs /var/tmp, mount tables, and symlink vs hard link semantics. The macOS half covers launchd LaunchDaemons and LaunchAgents, SystemConfiguration preferences.plist, .fseventsd and other hidden directories, Unified Logging via the log show command, ~/Library plists, plutil binary-to-XML conversion, the login.keychain-db and System.keychain stores, zsh history on Catalina and later, Time Machine Backups.backupdb, and Safari and Chrome browser artefacts. Easy band calibration: distractors are clearly different concepts rather than near-twin paths.
For FACT aspirants, NFSU MSc digital forensics entrants, and candidates preparing for GCFA, CHFI, or SANS FOR500/FOR518. Questions emphasise canonical paths, default file names, and the single forensic role of each artefact, so the student can build a reliable mental map before moving on to scenario-driven medium and hard mocks.
Topics covered:
- Windows file system, registry hives, and event logs
- LNK shortcuts, prefetch, Recycle Bin, shellbags, Volume Shadow Copies
- pagefile.sys, hiberfil.sys, NTFS Alternate Data Streams, slack space
- Linux Filesystem Hierarchy Standard, permissions, and password storage
- Login logs, bash history, cron persistence, syslog, and auditd
- Mount tables, temporary directories, symbolic vs hard links
- macOS launchd, SystemConfiguration plist, FSEvents, Unified Logging
- Keychain stores, plutil, Time Machine, Safari and Chrome artefacts
Useful for revision and self-testing before the FACT digital forensics paper.
Allow 30 minutes.
Sources & references
Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.
- Carvey, Harlan — Windows Registry Forensics, 2nd Edition. Syngress (2016), Chapter on Shellbags and User Activity Tracking. Cited in 2 questions.
- Filesystem Hierarchy Standard, version 3.0. Linux Foundation (2015), Section on /etc — Host-specific system configuration. Open source; cited in 2 questions.
- Carvey, Harlan — Windows Forensic Analysis Toolkit, 4th Edition. Syngress (2014), Chapter on Recycle Bin Artefacts: $I and $R Files. Cited in 2 questions.
- Carrier, Brian — File System Forensic Analysis. Addison-Wesley (2005), Chapter 12: NTFS Data Structures — Alternate Data Streams and Slack Space. Cited in 2 questions.
- Linux man-pages — link(2), symlink(2), ln(1). Section on hard versus symbolic links and inode semantics. Open source; cited in 1 question.
- Microsoft Learn — Windows Event Log. Eventing documentation: default file locations and .evtx format. Open source; cited in 1 question.
- Linux man-pages — crontab(1), crontab(5), cron(8). Section on user crontabs in /var/spool/cron and system entries in /etc/crontab. Open source; cited in 1 question.
- Linux man-pages — chmod(1) and chmod(2). Section on numeric mode and the SUID, SGID, and sticky bits. Open source; cited in 1 question.
- Apple Developer — Logging (os_log) and the log command. Section on Unified Logging architecture and the log show subcommand. Open source; cited in 1 question.
- Microsoft Learn — Volume Shadow Copy Service. Storage documentation: VSS architecture and shadow copy contents. Open source; cited in 1 question.
- Apple Developer — Keychain Services Programming Guide. Section on Keychain Locations: login.keychain-db and System.keychain. Open source; cited in 1 question.
- Linux man-pages — auditd(8), auditd.conf(5), ausearch(8). Section on default audit log path and configuration. Open source; cited in 1 question.
- Apple Developer — launchd and Daemons and Services Programming Guide. Section on LaunchDaemons, LaunchAgents, and property-list job definitions. Open source; cited in 1 question.
- Apple Developer — File System Programming Guide. Section on the Library Folder and the Preferences Subdirectory. Open source; cited in 1 question.
- Nelson, Phillips, Steuart — Guide to Computer Forensics and Investigations, 6th Edition. Cengage (2019), Chapter on Windows Artefacts: Prefetch. Cited in 1 question.
- Edwards, Sarah — macOS Unified Logging and FSEvents in macOS Forensics. SANS DFIR — FOR518 Mac and iOS Forensic Analysis, Section on FSEvents. Cited in 1 question.
- RFC 5424 — The Syslog Protocol. IETF Standards Track (2009), Section 6: Syslog Message Format. Open source; cited in 1 question.
- Linux man-pages — shadow(5) and passwd(5). Section on /etc/shadow file format and access mode. Open source; cited in 1 question.
- Apple — About Time Machine and APFS snapshots. Apple Support article HT201250 and developer documentation on tmutil(8). Open source; cited in 1 question.
- Linux man-pages — wtmp(5), btmp(5), last(1), lastb(1). Section on login records: wtmp, btmp, and lastlog files. Open source; cited in 1 question.
- Apple Developer — Use zsh as the default login shell on macOS. Apple Support article HT208050 and zshall(1), Section on HISTFILE. Open source; cited in 1 question.
- Edwards, Sarah — Mac and iOS Forensic Analysis (SANS FOR518). SANS DFIR (current edition), Section on Browser Artefacts: Safari and Chrome on macOS. Cited in 1 question.
- Bradley, Sarah; Edge, Charles — Apple Device Management. Apress (2020), Chapter on SystemConfiguration framework and preferences.plist. Cited in 1 question.
- Microsoft Learn — Registry Hives. Windows configuration documentation: structure of the registry and the SYSTEM hive. Open source; cited in 1 question.
How our mocks are built
Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.
Common questions
What does the Digital Forensics: Windows, Linux and macOS System Artifacts mock cover?
FACT digital forensics drill on operating-system artefacts across Windows, Linux, and macOS, covering NTFS Master File Table internals, registry hives (HKLM\SYSTEM, NTUSER.DAT, SAM, SOFTWARE), event logs in .evtx form, LNK shortcuts, prefetch (.pf) files, the $Recycle.Bin with paired $I and $R files, shellbags, Volume Shadow Copies and System Restore, pagefile.sys, hiberfil.sys, NTFS Alternate Data Streams and slack space, plus the Linux Filesystem Hierarchy Standard, SUID/SGID/sticky semantics, /etc/passwd vs /etc/shadow, wtmp/btmp/lastlog/auth.log, bash history, cron persistence, syslog and rsyslog, auditd, /tmp vs /var/tmp, mount tables, and symlink vs hard link semantics. The macOS half covers launchd LaunchDaemons and LaunchAgents, SystemConfiguration preferences.plist, .fseventsd and other hidden directories, Unified Logging via the log show command, ~/Library plists, plutil binary-to-XML conversion, the login.keychain-db and System.keychain stores, zsh history on Catalina and later, Time Machine Backups.backupdb, and Safari and Chrome browser artefacts.
How many questions and how long is the test?
30 multiple-choice questions, 30 minutes total. Difficulty: easy. Tier: Premium.
Who is this mock for?
Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics, FACT. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.
Are the questions reviewed?
Each question carries a verified source citation. Faculty review for individual questions is in progress.
Do I need an account to take this mock?
Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.