Digital Forensics: Windows, Linux and macOS Artifact Advanced
Published:
Questions
30
Duration
30 min
Faculty-reviewed
0
Updated
20 May 2026
Practice with national-level exam (FACT, FACT Plus, NET, CUET, etc.) mocks, learn from structured notes, and get your doubts solved in one place.
Score, per-question explanations and topic breakdown shown right after you submit.
Advanced FACT digital-forensics drill that pushes the examiner from "name the artefact" into "name the one parameter that disambiguates near-twin readings of the same artefact" across thirty cross-platform scenarios.
The Windows half covers $STANDARD_INFORMATION versus $FILE_NAME at sub-second precision (the SetFileTime zeroed-tick tell), the resident-vs-non-resident $DATA boundary on default-format NTFS, $LogFile LFS REDO/UNDO records against $UsnJrnl USN reasons, Prefetch format versions 17, 23, 26 and 30 mapped to Windows builds, AmCache InventoryApplicationFile FileId carrying the SHA1 of the first 31 MiB, shellbag ItemPos<resolution> coordinates against BagMRU and NodeSlot, EventID 4624 LogonType 2/3/10/11 precision, AppCompatCache signatures 0xBADC0FFE/0x73/0x34 across Win7/Win8/Win10/11, MS-SHLLINK LinkFlags bits HasName / HasArguments / HasIconLocation, and the USBSTOR plus MountedDevices plus setupapi.dev.log attribution triple.
The Linux half covers MCF identifiers $5/$6/$y/$7/$argon2id$ in /etc/shadow, dual-ABI auditd rules at arch=b64 vs arch=b32, systemd Wants= vs Requires= against Before= vs After= ordering, /proc/[pid]/smaps memfd-backed regions, journald persistence at /var/log/journal vs /run/log/journal, cron user-column semantics across /etc/crontab, /etc/cron.d and /var/spool/cron, ext4 vs xfs vs btrfs unlink semantics, bash HISTSIZE / HISTFILESIZE / HISTCONTROL interactions, file capabilities via setcap vs SUID, and nftables inet family addressing vs iptables -L.
The macOS half covers TCC.db auth_value 0/1/2/3, launchd RunAtLoad / KeepAlive / StartInterval / WatchPaths interaction, APFS clone vs copy vs snapshot one-parameter difference, FSEvents MustScanSubDirs bit, .metadata_never_index travelling Spotlight exclusion, Unified Logging predicate language, com.apple.quarantine four-field xattr layout, login vs System vs iCloud keychain scope, Safari History.db visit_time CFAbsoluteTime base, and Time Machine APFS local snapshot vs sparsebundle external destination.
For FACT aspirants who already cleared the applied band, NFSU MSc digital-forensics candidates aiming at the precision-level question, and analysts preparing for GCFA, CHFI, SANS FOR500, and FOR518. Distractors here are one-parameter shifts off the correct answer (wrong epoch base, wrong field order, wrong key, wrong bit position, wrong ABI), so the candidate needs to know the exact structural detail rather than the general subsystem.
Topics covered:
Useful for the FACT digital forensics paper, NFSU MSc entrance, and one-parameter cross-platform DFIR drill.
Allow 30 minutes.
Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.