Digital Forensics: Windows, Linux and macOS Artifact Investigation Scenarios
Published:
Questions: 30
Duration: 30 min
Faculty-reviewed: 0
Updated: 20 May 2026
Applied FACT digital-forensics drill that puts the examiner inside thirty short investigation scenarios across Windows, Linux, and macOS hosts and asks what each surviving artefact actually proves.

The Windows scenarios cover $MFT $STANDARD_INFORMATION versus $FILE_NAME timestomp signatures, prefetch hash and run-count execution proof, AmCache and ShimCache attribution differences, UserAssist ROT13 counters, USB insertion via the USBSTOR enumerator key cross-referenced with C:\Windows\INF\setupapi.dev.log, ShellBags evidence of access to now-deleted folders, Volume Shadow Copy mounting and Security.evtx diffing, LNK MAC times pinning prior file state, $Recycle.Bin SID resolution against SAM and ProfileList, and Remote Desktop sessions surfaced as EventID 4624 LogonType 10.

The Linux half walks through GTFOBins-style SUID misuse with find -exec /bin/sh -p, the $6$ SHA-512 identifier in /etc/shadow, the three-way persistence choice across cron.d, systemd units, and rc.local, auditd connect() syscall rules, HISTTIMEFORMAT and the : epoch:0 marker in bash history, hard-link versus symbolic-link inode semantics, /proc/[pid]/maps as a window onto injected RWX regions, ext4 inode-reuse limits on deletion recovery, and extended-attribute namespaces as the Linux analogue of NTFS Alternate Data Streams.

The macOS scenarios go through TCC.db privacy decisions, the com.apple.quarantine Gatekeeper attribute, the FSEvents gzipped binary log format, kMDItemWhereFroms via mdls and xattr, .DS_Store leakage risk, APFS Time Machine snapshot mounting with tmutil and mount_apfs, sandbox container layout under ~/Library/Containers, launchd StartInterval as the cron equivalent, the History.db schema with history_items joined to history_visits, and APFS clone semantics versus copy and hard link.
Intended for FACT aspirants, NFSU MSc digital-forensics candidates, and analysts preparing for GCFA, CHFI, SANS FOR500, or FOR518. Each question is a small triage decision: given this artefact in this state, what is the defensible reading? Distractors are near-twin readings drawn from adjacent artefacts on the same operating system, so guessing on path or vocabulary alone will not work; the candidate has to know how each subsystem actually writes its evidence.
Useful for revision before the FACT digital forensics paper and for cross-platform incident triage practice.
Allow 30 minutes.
Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test.