Digital Forensics: Windows, Linux and macOS Artifact Advanced

Questions: 30
Duration: 30 min
Faculty-reviewed: 0
Updated: 20 May 2026

Score, per-question explanations and topic breakdown shown right after you submit.

About this mock

Advanced FACT digital-forensics drill that pushes the examiner from "name the artefact" into "name the one parameter that disambiguates near-twin readings of the same artefact" across thirty cross-platform scenarios. The Windows half covers $STANDARD_INFORMATION versus $FILE_NAME at sub-second precision (the SetFileTime zeroed-tick tell), the resident-vs-non-resident $DATA boundary on default-format NTFS, $LogFile LFS REDO/UNDO records against $UsnJrnl USN reasons, Prefetch format versions 17, 23, 26 and 30 mapped to Windows builds, AmCache InventoryApplicationFile FileId carrying SHA1 of the first 31 MiB, shellbag ItemPos<resolution> coordinates against BagMRU and NodeSlot, EventID 4624 LogonType 2/3/10/11 precision, AppCompatCache signatures 0xBADC0FFE/0x73/0x34 across Win7/Win8/Win10/11, MS-SHLLINK LinkFlags bits HasName / HasArguments / HasIconLocation, and the USBSTOR plus MountedDevices plus setupapi.dev.log attribution triple. The Linux half covers MCF identifiers $5/$6/$y/$7/$argon2id$ in /etc/shadow, dual-ABI auditd rules at arch=b64 vs arch=b32, systemd Wants= vs Requires= against Before= vs After= ordering, /proc/[pid]/smaps memfd-backed regions, journald persistence at /var/log/journal vs /run/log/journal, cron user-column semantics across /etc/crontab and /etc/cron.d and /var/spool/cron, ext4 vs xfs vs btrfs unlink semantics, bash HISTSIZE / HISTFILESIZE / HISTCONTROL interactions, file capabilities via setcap vs SUID, and nftables inet family addressing vs iptables -L. 
The macOS half covers TCC.db auth_value 0/1/2/3, launchd RunAtLoad / KeepAlive / StartInterval / WatchPaths interaction, APFS clone vs copy vs snapshot one-parameter difference, FSEvents MustScanSubDirs bit, .metadata_never_index travelling Spotlight exclusion, Unified Logging predicate language, com.apple.quarantine four-field xattr layout, login vs System vs iCloud keychain scope, Safari History.db visit_time CFAbsoluteTime base, and Time Machine APFS local snapshot vs sparsebundle external destination.

For FACT aspirants who already cleared the applied band, NFSU MSc digital-forensics candidates aiming at the precision-level question, and analysts preparing for GCFA, CHFI, SANS FOR500, and FOR518. Distractors here are one-parameter shifts off the correct answer (wrong epoch base, wrong field order, wrong key, wrong bit position, wrong ABI), so the candidate needs to know the exact structural detail rather than the general subsystem.

Topics covered:

  • NTFS attribute layout, journals, and sub-second timestomp telltales
  • Prefetch versions, AmCache schema, ShellBags coordinates and ShimCache
  • LogonType matrix, LNK LinkFlags bits, USB attribution triple
  • shadow-file MCF identifiers and auditd dual-ABI syscall rules
  • systemd ordering vs requirement strength and cron user-column rules
  • ext4/xfs/btrfs unlink, bash history vars, and capabilities vs SUID
  • TCC.db enums, launchd scheduling keys, APFS clone vs copy vs snapshot
  • FSEvents flags, Spotlight exclusion, Unified Logging predicates, keychains

Useful for the FACT digital forensics paper, NFSU MSc entrance, and one-parameter cross-platform DFIR drill.

Allow 30 minutes.

Sources & references

Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.

  • Linux man-pages, auditctl(8) and audit.rules(7)
    Syscall name vs number, arch=b64 and arch=b32 dual-ABI pattern. Open source; cited in 1 question.
  • Linux man-pages, memfd_create(2) and proc(5)
    /proc/[pid]/maps and smaps pseudo-paths: memfd, [heap], [stack], anon. Open source; cited in 1 question.
  • Linux man-pages, cron(8) and crontab(5)
    System-wide vs per-user crontab formats and the user-column distinction. Open source; cited in 1 question.
  • Linux man-pages, nft(8) and Netfilter nftables Wiki
    Address families ip, ip6, inet, arp, bridge, netdev; nft list table syntax. Open source; cited in 1 question.
  • Microsoft Learn, USBSTOR Enumerator and SetupAPI Logging
    Windows driver documentation: USBSTOR registry layout, MountedDevices, setupapi.dev.log. Open source; cited in 1 question.
  • GNU Bash Reference Manual
    Section on Bash History Variables: HISTSIZE, HISTFILESIZE, HISTCONTROL, HISTFILE. Open source; cited in 1 question.
  • Mandiant, AmCache and the Microsoft Compatibility Appraiser
    AmCache.hve schema on Windows 10: InventoryApplicationFile FileId structure. Open source; cited in 1 question.
  • Ballenthin, Willi, Windows ShellBag Forensics
    Shellbag binary layout: BagMRU, Bags, NodeSlot, ItemPos and ItemPosUser values. Cited in 1 question.
  • Apple Developer, launchd.plist(5) man page
    Section on RunAtLoad, KeepAlive dictionary, StartInterval, StartCalendarInterval, WatchPaths. Open source; cited in 1 question.
  • Apple Developer, Time Machine and tmutil(8) Reference
    APFS local snapshots vs sparsebundle external destinations and band-size defaults. Open source; cited in 1 question.
  • Carrier, Brian, File System Forensic Analysis
    Addison-Wesley (2005), Chapter 12: NTFS $STANDARD_INFORMATION and $FILE_NAME timestamp resolution. Cited in 1 question.
  • Apple Developer, LaunchServices Quarantine and com.apple.quarantine xattr
    Field layout of the quarantine xattr and LSQuarantineEventsV2.db schema. Open source; cited in 1 question.
  • Linux man-pages, capabilities(7) and setcap(8)
    Permitted/effective/inheritable/bounding sets and the security.capability xattr. Open source; cited in 1 question.
  • Linux man-pages, systemd-journald.service(8) and journalctl(1)
    Journal storage paths: /var/log/journal vs /run/log/journal and Storage= semantics. Open source; cited in 1 question.
  • RFC 9106, Argon2 Memory-Hard Function for Password Hashing
    Section on string encoding of parameters in the Modular Crypt Format. Open source; cited in 1 question.
  • Apple Developer, APFS Reference and clonefile(2) man page
    Section on APFS clones, copies, and snapshots: inode and extent semantics. Open source; cited in 1 question.
  • Apple Developer, CFAbsoluteTime and Edwards, Sarah, SANS FOR518
    Section on Mac reference date (2001-01-01) and Safari History.db visit_time semantics. Open source; cited in 1 question.
  • Mandiant, Caching Out the Val: Leveraging the AppCompatCache
    AppCompatCache binary signatures across Windows 7, 8.x, 10 and 11; ~1024 entry cap. Open source; cited in 1 question.
  • Apple Developer, FSEventStreamCreate and FSEvents Constants
    CoreServices header reference: FSEventStreamEventFlag values and meanings. Open source; cited in 1 question.
  • Edwards, Sarah and Bradley, Jaron, TCC.db Schema and Decision Semantics
    SANS FOR518 and independent TCC reverse-engineering write-ups on the auth_value enum. Open source; cited in 1 question.
  • Microsoft Learn, Audit Logon Events (Event 4624) Logon Type Reference
    Windows Security auditing documentation, LogonType values 2/3/4/5/7/9/10/11. Open source; cited in 1 question.
  • Apple Platform Security, Keychain Services Reference
    Section on login.keychain-db, System.keychain, and iCloud Keychain sync scope. Open source; cited in 1 question.
  • Apple Developer, log(1) man page and Unified Logging Reference
    Section on predicate syntax: subsystem, category, eventMessage, messageType. Open source; cited in 1 question.
  • Zimmerman, Eric, PECmd Prefetch Documentation
    Prefetch versions 17, 23, 26, 30 header layout and Windows-build mapping. Open source; cited in 1 question.
  • Apple Developer, Spotlight Metadata Server and mdutil(1)
    Section on .metadata_never_index, .metadata_never_index_unless_rootfs, and the Privacy plist. Open source; cited in 1 question.
  • Linux man-pages, systemd.unit(5)
    Section on Wants=, Requires=, Before=, After= and ordering vs requirement semantics. Open source; cited in 1 question.
  • Microsoft Learn, Change Journals and USN Records
    Windows file-system documentation: $LogFile and $UsnJrnl record structures. Open source; cited in 1 question.
  • Microsoft Open Specifications, MS-SHLLINK Shell Link Binary File Format
    Section 2.1.1 LinkFlags bit definitions and 2.4 StringData ordering. Open source; cited in 1 question.
  • Carrier, Brian, File System Forensic Analysis and btrfs Wiki documentation
    ext4 unlink and JBD2 journal; xfs AGI free-inode tree; btrfs snapshot-protected extents. Cited in 1 question.
  • Microsoft Open Specifications, MS-NTFS and Carrier, Brian, File System Forensic Analysis
    MS-NTFS resident vs non-resident attribute layout; Carrier Chapter 12. Open source; cited in 1 question.

How our mocks are built

Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.

Common questions


How many questions and how long is the test?

30 multiple-choice questions, 30 minutes total. Difficulty: hard. Tier: Premium.

Who is this mock for?

Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics, FACT. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.

Are the questions reviewed?

Each question carries a verified source citation. Faculty review for individual questions is in progress.

Do I need an account to take this mock?

Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.

Your journey to becoming a forensic professional starts here.

Practice with mock tests, learn from structured notes, and get your questions answered by a global forensic community, all in one place.