Digital Forensics · medium · Premium

Digital Forensics: Windows, Linux and macOS Artifact Investigation Scenarios

Published:
Questions: 30
Duration: 30 min
Faculty-reviewed: 0
Updated: 20 May 2026

Score, per-question explanations and topic breakdown shown right after you submit.

About this mock

Applied FACT digital-forensics drill that puts the examiner inside thirty short investigation scenarios across Windows, Linux, and macOS hosts and asks what each surviving artefact actually proves. The Windows scenarios cover $MFT $STANDARD_INFORMATION versus $FILE_NAME timestomp signatures, prefetch hash and run-count execution proof, AmCache and ShimCache attribution differences, UserAssist ROT13 counters, USB insertion via the USBSTOR enumerator key cross-referenced with C:\Windows\INF\setupapi.dev.log, ShellBags evidence of access to now-deleted folders, Volume Shadow Copy mounting and Security.evtx diffing, LNK MAC times pinning prior file state, $Recycle.Bin SID resolution against SAM and ProfileList, and Remote Desktop sessions surfaced as Event ID 4624 with LogonType 10 (RemoteInteractive). The Linux half walks through GTFOBins-style SUID misuse with find -exec /bin/sh -p, the $6$ SHA-512 identifier in /etc/shadow, the three-way persistence choice across cron.d, systemd units, and rc.local, auditd connect() syscall rules, HISTTIMEFORMAT and the #epoch timestamp lines it makes bash write into .bash_history (the ': epoch:0;' prefix is zsh extended history, not bash), hard-link versus symbolic-link inode semantics, /proc/[pid]/maps as a window onto injected RWX regions, ext4 inode-reuse limits on deletion recovery, and extended-attribute namespaces as the Linux analogue of NTFS Alternate Data Streams. The macOS scenarios go through TCC.db privacy decisions, the com.apple.quarantine Gatekeeper attribute, the FSEvents gzipped binary log format, kMDItemWhereFroms via mdls and xattr, .DS_Store leakage risk, APFS Time Machine snapshot mounting with tmutil and mount_apfs, sandbox container layout under ~/Library/Containers, launchd StartInterval and StartCalendarInterval as the cron equivalents, the History.db schema with history_items joined to history_visits, and APFS clone semantics versus copy and hard link.

For FACT aspirants, NFSU MSc digital-forensics candidates, and analysts preparing for GCFA, CHFI, SANS FOR500, or FOR518. Each question is a small triage decision: given this artefact in this state, what is the defensible reading? Distractors are near-twin readings drawn from adjacent artefacts on the same operating system, so guessing on path or vocabulary alone will not work and the candidate has to know how each subsystem actually writes its evidence.
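The bash history timestamp question from the Linux half is one where the near-twin distractor is a real trap, because bash and zsh record time differently. This added example (not ForensicSpot's material) parses both formats and flags the ordering caveat an examiner should know: bash appends a session's history at exit unless history -a is in use, so file order is not execution order. The history text is constructed.

```python
"""Parse shell history files that carry timestamp markers.

Added example for this page, not ForensicSpot's material. With HISTTIMEFORMAT set,
bash writes a '#<epoch>' comment line in front of each command it saves to
~/.bash_history; without it, commands are saved bare and carry no time at all.
zsh's EXTENDED_HISTORY instead prefixes each line ': <epoch>:<elapsed>;' and is
parsed separately so the two formats are not confused. Sample text is constructed.
"""
import re
from datetime import datetime, timezone

BASH_TS = re.compile(r"^#(\d{9,10})$")        # bash HISTTIMEFORMAT marker line
ZSH_TS = re.compile(r"^: (\d+):(\d+);(.*)$")   # zsh EXTENDED_HISTORY line

# Constructed bash history: one line saved before HISTTIMEFORMAT was set, then
# timestamped commands, then a line from a second session that exited later
# but ran earlier (its epoch is smaller than the one before it).
SAMPLE_BASH = r"""cat /etc/passwd
#1715930000
id
#1715930042
find / -perm -4000 -type f 2>/dev/null
#1715930101
find . -exec /bin/sh -p \; -quit
#1715929900
ls
"""
SAMPLE_ZSH = ": 1715930200:0;whoami\n: 1715930210:3;sudo -l\n"


def to_iso(epoch):
    if epoch is None:
        return None
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def parse_history(text):
    """Return [{'epoch','when_utc','cmd','fmt'}] in file order.

    Note that bash itself treats any '#<digits>' line as a timestamp when it
    reads the file back, so a user-typed comment of that shape is ambiguous here
    for the same reason it is ambiguous to bash."""
    entries, pending = [], None
    for line in text.splitlines():
        m = BASH_TS.match(line)
        if m:
            pending = int(m.group(1))   # applies to the next command line only
            continue
        m = ZSH_TS.match(line)
        if m:
            entries.append({"epoch": int(m.group(1)), "cmd": m.group(3), "fmt": "zsh"})
            continue
        if not line.strip():
            continue
        entries.append({"epoch": pending, "cmd": line,
                        "fmt": "bash" if pending is not None else "bash-untimed"})
        pending = None
    for e in entries:
        e["when_utc"] = to_iso(e["epoch"])
    return entries


def out_of_order(entries):
    """Indexes where the timestamp goes backwards relative to the previous
    timed entry: evidence of interleaved sessions appended at exit."""
    idx, last = [], None
    for i, e in enumerate(entries):
        if e["epoch"] is None:
            continue
        if last is not None and e["epoch"] < last:
            idx.append(i)
        last = e["epoch"]
    return idx


if __name__ == "__main__":
    for e in parse_history(SAMPLE_BASH) + parse_history(SAMPLE_ZSH):
        print(e["when_utc"], e["fmt"], e["cmd"])
```

Untimed entries are the defensible reading of a pre-HISTTIMEFORMAT file: they prove the command was saved, not when it ran, and a backwards epoch in the middle of a file is a session boundary, not a clock tamper.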

Topics covered:

  • Windows file-system metadata and execution-evidence reasoning
  • USB attribution, RDP sessions, and shadow-copy log diffing
  • Recycle Bin SID resolution and LNK target reconstruction
  • Linux privilege-escalation and persistence triage patterns
  • auditd, bash history timestamps, and inode-reuse recovery limits
  • macOS TCC, Gatekeeper, FSEvents, and Spotlight metadata
  • Time Machine snapshot mounting and sandbox container layout
  • launchd persistence keys and Safari history schema details
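For the Safari history schema point in the last bullet, the defensible reading depends on two things the raw tables do not make obvious: visit_time is Cocoa absolute time (seconds since 2001-01-01 UTC, not Unix time), and a redirect-produced visit is linked to its source through redirect_source rather than appearing as a navigation the user typed. This added example (not ForensicSpot's material) builds an in-memory database with a reduced copy of the History.db tables (column names assumed from the real schema, extra columns omitted) and constructed rows, then produces the joined timeline.

```python
"""Reconstruct a Safari browsing timeline from History.db tables.

Added example for this page, not ForensicSpot's material. On macOS the live file
is ~/Library/Safari/History.db; history_visits rows reference history_items via
history_visits.history_item, and visit_time is Cocoa absolute time. The schema
here is a reduced version of Safari's (column names assumed from the real
tables, other columns omitted) and all rows are constructed.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

SCHEMA = """
CREATE TABLE history_items (
    id INTEGER PRIMARY KEY,
    url TEXT NOT NULL UNIQUE,
    domain_expansion TEXT,
    visit_count INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE history_visits (
    id INTEGER PRIMARY KEY,
    history_item INTEGER NOT NULL REFERENCES history_items(id),
    visit_time REAL NOT NULL,
    title TEXT,
    load_successful INTEGER NOT NULL DEFAULT 1,
    redirect_source INTEGER,
    redirect_destination INTEGER
);
"""

# Constructed sample: a shortener link that redirected to a download page,
# then a later direct visit to the same download page.
SAMPLE_ITEMS = [(1, "https://sho.rt/abc", "sho.rt", 1),
                (2, "https://files.example.test/payload.dmg", "example", 2)]
SAMPLE_VISITS = [(10, 1, 737000000.0, None, 1, None, 11),
                 (11, 2, 737000001.0, "payload.dmg", 1, 10, None),
                 (12, 2, 737003600.0, "payload.dmg", 1, None, None)]


def cocoa_to_iso(seconds):
    """Cocoa absolute time -> ISO 8601 UTC (offset from Unix epoch is 978307200 s)."""
    return (COCOA_EPOCH + timedelta(seconds=seconds)).isoformat()


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO history_items VALUES (?,?,?,?)", SAMPLE_ITEMS)
    conn.executemany("INSERT INTO history_visits VALUES (?,?,?,?,?,?,?)", SAMPLE_VISITS)
    return conn


def timeline(conn):
    """Visits joined to their URLs, oldest first. A self-join through
    redirect_source resolves the URL that produced a redirected visit, so it is
    read as the outcome of a redirect rather than as an independent navigation."""
    rows = conn.execute("""
        SELECT v.id, v.visit_time, i.url, v.title, src_i.url
        FROM history_visits v
        JOIN history_items i ON i.id = v.history_item
        LEFT JOIN history_visits src_v ON src_v.id = v.redirect_source
        LEFT JOIN history_items src_i ON src_i.id = src_v.history_item
        ORDER BY v.visit_time""").fetchall()
    return [{"visit_id": vid, "when_utc": cocoa_to_iso(t), "url": url,
             "title": title, "redirected_from": src}
            for vid, t, url, title, src in rows]


if __name__ == "__main__":
    for row in timeline(open_sample_db()):
        print(row)
```

Against a real image, point sqlite3.connect at a copy of History.db together with its -wal file, since recent visits may only exist in the write-ahead log until a checkpoint.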

Useful for revision before the FACT digital forensics paper and for cross-platform incident triage practice.

Allow 30 minutes.

Sources & references

Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.

  • Edwards, Sarah — Mac and iOS Forensic Analysis (SANS FOR518)

    Section on Safari History.db schema, history_items and history_visits tables

    cited in 2 questions
  • Carrier, Brian — File System Forensic Analysis

    Addison-Wesley (2005), Chapter 12: NTFS Attribute Concepts — $STANDARD_INFORMATION and $FILE_NAME

    cited in 2 questions
  • Carvey, Harlan — Windows Registry Forensics, 2nd Edition

    Syngress (2016), Chapter on Shellbags and user activity tracking

    cited in 2 questions
  • Apple Developer — File System Programming Guide

    Section on Finder metadata and the .DS_Store per-folder file format

    Open source
    cited in 1 question
  • Microsoft Open Specifications — MS-SHLLINK

    Shell Link (.LNK) Binary File Format, Sections on LinkInfo and TargetIDList

    Open source
    cited in 1 question
  • Edwards, Sarah — macOS Unified Logging and FSEvents in macOS Forensics

    SANS DFIR FOR518, Section on FSEvents record format and event flag bitmap

    cited in 1 question
  • Apple — About Time Machine and tmutil(1)

    macOS reference: tmutil listbackups, tmutil compare, and APFS snapshot mounting

    Open source
    cited in 1 question
  • Microsoft Learn — Volume Shadow Copy Service

    Storage documentation: VSS architecture, copy-on-write driver, and shadow copy contents

    Open source
    cited in 1 question
  • Microsoft Learn — Security Identifiers

    Windows security documentation: well-known SIDs, RID ranges, and ProfileList structure

    Open source
    cited in 1 question
  • Mandiant — Leveraging the Application Compatibility Cache

    Mandiant whitepaper (2015) and Microsoft Application Compatibility documentation

    Open source
    cited in 1 question
  • GNU Bash Reference Manual

    Section on Bash History Facilities: HISTTIMEFORMAT and the history file format

    Open source
    cited in 1 question
  • Linux man-pages — auditctl(8) and audit.rules(7)

    Section on syscall filters, architecture flags, and persistence under rules.d

    Open source
    cited in 1 question
  • Linux man-pages — systemd-journald.service(8) and journalctl(1)

    Section on journal storage paths: /var/log/journal and /run/log/journal

    Open source
    cited in 1 question
  • Linux man-pages — attr(5), getfattr(1), setfattr(1)

    Section on extended-attribute namespaces and their access controls

    Open source
    cited in 1 question
  • Linux man-pages — systemd.service(5), cron(8), rc-local

    Section on unit activation, cron.d directory, and rc-local sysvinit compatibility

    Open source
    cited in 1 question
  • Apple Developer — launchd.plist(5) man page

    Section on StartInterval, StartCalendarInterval, RunAtLoad, KeepAlive, WatchPaths

    Open source
    cited in 1 question
  • Microsoft Learn — SetupAPI Logging and USBSTOR Enumerator

    Windows driver documentation: SetupAPI device installation log and USB enumeration

    Open source
    cited in 1 question
  • Apple Developer — App Sandbox Design Guide

    Section on the container directory layout and Container.plist on macOS

    Open source
    cited in 1 question
  • GTFOBins — find

    Privilege escalation reference: SUID find with -exec /bin/sh -p

    Open source
    cited in 1 question
  • Microsoft Docs — Cache Manager Prefetching

    Windows Internals 7e (Russinovich, Solomon, Ionescu), Chapter on the Cache Manager and Prefetch

    Open source
    cited in 1 question
  • Linux man-pages — link(2), symlink(2), stat(2)

    Section on hard links, symbolic links, and inode semantics under VFS

    Open source
    cited in 1 question
  • Linux man-pages — crypt(5) and shadow(5)

    Section on the Modular Crypt Format and algorithm identifiers in /etc/shadow

    Open source
    cited in 1 question
  • Apple Developer — LaunchServices Quarantine and Gatekeeper

    macOS Security and File System Reference: quarantine extended attribute schema

    Open source
    cited in 1 question
  • Apple Developer — File Metadata and Spotlight Importers

    macOS File Metadata Reference: kMDItem keys and metadata extended attributes

    Open source
    cited in 1 question
  • Apple Developer — APFS Reference and clonefile(2)

    Section on APFS clones: extent sharing, copy-on-write, and divergence semantics

    Open source
    cited in 1 question
  • Linux man-pages — proc(5)

    Section on /proc/[pid]/maps: VMA permissions, pseudo-paths, and backing pathname

    Open source
    cited in 1 question
  • Microsoft Learn — Audit Logon Events and Logon Types

    Windows Security auditing documentation, EventID 4624 reference table

    Open source
    cited in 1 question

How our mocks are built

Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.

Common questions


How many questions and how long is the test?

30 multiple-choice questions, 30 minutes total. Difficulty: medium. Tier: Premium.

Who is this mock for?

Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics, FACT. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.

Are the questions reviewed?

Each question carries a verified source citation. Faculty review for individual questions is in progress.

Do I need an account to take this mock?

Yes, a free ForensicSpot account is required to start a timed attempt. This lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.
