Digital Forensics: Windows, Linux and macOS Artifact Advanced
Questions: 30 | Duration: 30 min | Faculty-reviewed: 0 | Updated: 20 May 2026
About this mock
Advanced FACT digital-forensics drill that pushes the examiner from "name the artefact" into "name the one parameter that disambiguates near-twin readings of the same artefact" across thirty cross-platform scenarios. The Windows half covers $STANDARD_INFORMATION versus $FILE_NAME at sub-second precision (the SetFileTime zeroed-tick tell), the resident-vs-non-resident $DATA boundary on default-format NTFS, $LogFile LFS REDO/UNDO records against $UsnJrnl USN reasons, Prefetch format versions 17, 23, 26 and 30 mapped to Windows builds, AmCache InventoryApplicationFile FileId carrying SHA1 of the first 31 MiB, shellbag ItemPos<resolution> coordinates against BagMRU and NodeSlot, EventID 4624 LogonType 2/3/10/11 precision, AppCompatCache signatures 0xBADC0FFE/0x73/0x34 across Win7/Win8/Win10/11, MS-SHLLINK LinkFlags bits HasName / HasArguments / HasIconLocation, and the USBSTOR plus MountedDevices plus setupapi.dev.log attribution triple. The Linux half covers MCF identifiers $5/$6/$y/$7/$argon2id$ in /etc/shadow, dual-ABI auditd rules at arch=b64 vs arch=b32, systemd Wants= vs Requires= against Before= vs After= ordering, /proc/[pid]/smaps memfd-backed regions, journald persistence at /var/log/journal vs /run/log/journal, cron user-column semantics across /etc/crontab and /etc/cron.d and /var/spool/cron, ext4 vs xfs vs btrfs unlink semantics, bash HISTSIZE / HISTFILESIZE / HISTCONTROL interactions, file capabilities via setcap vs SUID, and nftables inet family addressing vs iptables -L. 
The macOS half covers TCC.db auth_value 0/1/2/3, launchd RunAtLoad / KeepAlive / StartInterval / WatchPaths interaction, APFS clone vs copy vs snapshot one-parameter difference, FSEvents MustScanSubDirs bit, .metadata_never_index travelling Spotlight exclusion, Unified Logging predicate language, com.apple.quarantine four-field xattr layout, login vs System vs iCloud keychain scope, Safari History.db visit_time CFAbsoluteTime base, and Time Machine APFS local snapshot vs sparsebundle external destination.
For FACT aspirants who already cleared the applied band, NFSU MSc digital-forensics candidates aiming at the precision-level question, and analysts preparing for GCFA, CHFI, SANS FOR500, and FOR518. Distractors here are one-parameter shifts off the correct answer (wrong epoch base, wrong field order, wrong key, wrong bit position, wrong ABI), so the candidate needs to know the exact structural detail rather than the general subsystem.
Topics covered:
- NTFS attribute layout, journals, and sub-second timestomp telltales
- Prefetch versions, AmCache schema, ShellBags coordinates and ShimCache
- LogonType matrix, LNK LinkFlags bits, USB attribution triple
- shadow-file MCF identifiers and auditd dual-ABI syscall rules
- systemd ordering vs requirement strength and cron user-column rules
- ext4/xfs/btrfs unlink, bash history vars, and capabilities vs SUID
- TCC.db enums, launchd scheduling keys, APFS clone vs copy vs snapshot
- FSEvents flags, Spotlight exclusion, Unified Logging predicates, keychains
Useful for the FACT digital forensics paper, NFSU MSc entrance, and one-parameter cross-platform DFIR drill.
Allow 30 minutes.
Sources & references
Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.
- Linux man-pages, auditctl(8) and audit.rules(7). Syscall name vs number, arch=b64 and arch=b32 dual-ABI pattern. [Open source; cited in 1 question]
- Linux man-pages, memfd_create(2) and proc(5). /proc/[pid]/maps and smaps pseudo-paths: memfd, [heap], [stack], anon. [Open source; cited in 1 question]
- Linux man-pages, cron(8) and crontab(5). System-wide vs per-user crontab formats and the user-column distinction. [Open source; cited in 1 question]
- Linux man-pages, nft(8) and Netfilter nftables Wiki. Address families ip, ip6, inet, arp, bridge, netdev; nft list table syntax. [Open source; cited in 1 question]
- Microsoft Learn, USBSTOR Enumerator and SetupAPI Logging. Windows driver documentation: USBSTOR registry layout, MountedDevices, setupapi.dev.log. [Open source; cited in 1 question]
- GNU Bash Reference Manual. Section on Bash History Variables: HISTSIZE, HISTFILESIZE, HISTCONTROL, HISTFILE. [Open source; cited in 1 question]
- Mandiant, AmCache and the Microsoft Compatibility Appraiser. AmCache.hve schema on Windows 10: InventoryApplicationFile FileId structure. [Open source; cited in 1 question]
- Ballenthin, Willi, Windows ShellBag Forensics. Shellbag binary layout: BagMRU, Bags, NodeSlot, ItemPos and ItemPosUser values. [Cited in 1 question]
- Apple Developer, launchd.plist(5) man page. Section on RunAtLoad, KeepAlive dictionary, StartInterval, StartCalendarInterval, WatchPaths. [Open source; cited in 1 question]
- Apple Developer, Time Machine and tmutil(8) Reference. APFS local snapshots vs sparsebundle external destinations and band-size defaults. [Open source; cited in 1 question]
- Carrier, Brian, File System Forensic Analysis. Addison-Wesley (2005), Chapter 12: NTFS $STANDARD_INFORMATION and $FILE_NAME timestamp resolution. [Cited in 1 question]
- Apple Developer, LaunchServices Quarantine and com.apple.quarantine xattr. Field layout of the quarantine xattr and LSQuarantineEventsV2.db schema. [Open source; cited in 1 question]
- Linux man-pages, capabilities(7) and setcap(8). Permitted/effective/inheritable/bounding sets and the security.capability xattr. [Open source; cited in 1 question]
- Linux man-pages, systemd-journald.service(8) and journalctl(1). Journal storage paths: /var/log/journal vs /run/log/journal and Storage= semantics. [Open source; cited in 1 question]
- RFC 9106, Argon2 Memory-Hard Function for Password Hashing. Section on string encoding of parameters in the Modular Crypt Format. [Open source; cited in 1 question]
- Apple Developer, APFS Reference and clonefile(2) man page. Section on APFS clones, copies, and snapshots: inode and extent semantics. [Open source; cited in 1 question]
- Apple Developer, CFAbsoluteTime and Edwards, Sarah, SANS FOR518. Section on Mac reference date (2001-01-01) and Safari History.db visit_time semantics. [Open source; cited in 1 question]
- Mandiant, Caching Out the Val: Leveraging the AppCompatCache. AppCompatCache binary signatures across Windows 7, 8.x, 10 and 11; ~1024 entry cap. [Open source; cited in 1 question]
- Apple Developer, FSEventStreamCreate and FSEvents Constants. CoreServices header reference: FSEventStreamEventFlag values and meanings. [Open source; cited in 1 question]
- Edwards, Sarah and Bradley, Jaron, TCC.db Schema and Decision Semantics. SANS FOR518 and independent TCC reverse-engineering write-ups on the auth_value enum. [Open source; cited in 1 question]
- Microsoft Learn, Audit Logon Events (Event 4624) Logon Type Reference. Windows Security auditing documentation, LogonType values 2/3/4/5/7/9/10/11. [Open source; cited in 1 question]
- Apple Platform Security, Keychain Services Reference. Section on login.keychain-db, System.keychain, and iCloud Keychain sync scope. [Open source; cited in 1 question]
- Apple Developer, log(1) man page and Unified Logging Reference. Section on predicate syntax: subsystem, category, eventMessage, messageType. [Open source; cited in 1 question]
- Eric Zimmerman, PECmd Prefetch Documentation. Prefetch versions 17, 23, 26, 30 header layout and Windows-build mapping. [Open source; cited in 1 question]
- Apple Developer, Spotlight Metadata Server and mdutil(1). Section on .metadata_never_index, .metadata_never_index_unless_rootfs, and Privacy plist. [Open source; cited in 1 question]
- Linux man-pages, systemd.unit(5). Section on Wants=, Requires=, Before=, After= and ordering vs requirement semantics. [Open source; cited in 1 question]
- Microsoft Learn, Change Journals and USN Records. Windows file-system documentation: $LogFile and $UsnJrnl record structures. [Open source; cited in 1 question]
- Microsoft Open Specifications, MS-SHLLINK Shell Link Binary File Format. Section 2.1.1 LinkFlags bit definitions and 2.4 StringData ordering. [Open source; cited in 1 question]
- Carrier, Brian, File System Forensic Analysis and btrfs Wiki documentation. ext4 unlink and JBD2 journal; xfs AGI free-inode tree; btrfs snapshot-protected extents. [Cited in 1 question]
- Microsoft Open Specifications, MS-NTFS and Carrier, Brian, File System Forensic Analysis. MS-NTFS resident vs non-resident attribute layout; Carrier Chapter 12. [Open source; cited in 1 question]
How our mocks are built
Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.
Common questions
What does the Digital Forensics: Windows, Linux and macOS Artifact Advanced mock cover?
A thirty-question advanced FACT drill across Windows, Linux and macOS artefacts, in which each question turns on the single parameter that separates near-twin readings of the same artefact. The full topic list is given under "About this mock" above.
How many questions and how long is the test?
30 multiple-choice questions, 30 minutes total. Difficulty: hard. Tier: Premium.
Who is this mock for?
Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics, FACT. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.
Are the questions reviewed?
Each question carries a verified source citation. Faculty review for individual questions is in progress.
Do I need an account to take this mock?
Yes, a free ForensicSpot account is required to start a timed attempt. This lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.