Digital Forensics: Windows, Linux and macOS Artifact Investigation Scenarios
Questions: 30 | Duration: 30 min | Faculty-reviewed: 0 | Updated: 20 May 2026
About this mock
Applied FACT digital-forensics drill that puts the examiner inside thirty short investigation scenarios across Windows, Linux, and macOS hosts and asks what each surviving artefact actually proves.

The Windows scenarios cover $MFT $STANDARD_INFORMATION versus $FILE_NAME timestomp signatures, prefetch hash and run-count execution proof, AmCache and ShimCache attribution differences, UserAssist ROT13 counters, USB insertion via the USBSTOR enumerator key cross-referenced with C:\Windows\INF\setupapi.dev.log, ShellBags evidence of access to now-deleted folders, Volume Shadow Copy mounting and Security.evtx diffing, LNK MAC times pinning prior file state, $Recycle.Bin SID resolution against SAM and ProfileList, and Remote Desktop sessions surfaced as EventID 4624 LogonType 10.

The Linux half walks through GTFOBins-style SUID misuse with find -exec /bin/sh -p, the $6$ SHA-512 identifier in /etc/shadow, the three-way persistence choice across cron.d, systemd units, and rc.local, auditd connect() syscall rules, HISTTIMEFORMAT and the : epoch:0 marker in bash history, hard-link versus symbolic-link inode semantics, /proc/[pid]/maps as a window onto injected RWX regions, ext4 inode-reuse limits on deletion recovery, and extended-attribute namespaces as the Linux analogue of NTFS Alternate Data Streams.

The macOS scenarios go through TCC.db privacy decisions, the com.apple.quarantine Gatekeeper attribute, the FSEvents gzipped binary log format, kMDItemWhereFroms via mdls and xattr, .DS_Store leakage risk, APFS Time Machine snapshot mounting with tmutil and mount_apfs, sandbox container layout under ~/Library/Containers, launchd StartInterval as the cron equivalent, the History.db schema with history_items joined to history_visits, and APFS clone semantics versus copy and hard link.
For FACT aspirants, NFSU MSc digital-forensics candidates, and analysts preparing for GCFA, CHFI, SANS FOR500, or FOR518. Each question is a small triage decision: given this artefact in this state, what is the defensible reading? Distractors are near-twin readings drawn from adjacent artefacts on the same operating system, so guessing on path or vocabulary alone will not work and the candidate has to know how each subsystem actually writes its evidence.
Topics covered:
- Windows file-system metadata and execution-evidence reasoning
- USB attribution, RDP sessions, and shadow-copy log diffing
- Recycle Bin SID resolution and LNK target reconstruction
- Linux privilege-escalation and persistence triage patterns
- auditd, bash history timestamps, and inode-reuse recovery limits
- macOS TCC, Gatekeeper, FSEvents, and Spotlight metadata
- Time Machine snapshot mounting and sandbox container layout
- launchd persistence keys and Safari history schema details
Useful for revision before the FACT digital forensics paper and for cross-platform incident triage practice.
Allow 30 minutes.
Sources & references
Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.
- Edwards, Sarah — Mac and iOS Forensic Analysis (SANS FOR518)
  Section on Safari History.db schema, history_items and history_visits tables
  Cited in 2 questions
- Carrier, Brian — File System Forensic Analysis
  Addison-Wesley (2005), Chapter 12: NTFS Attribute Concepts — $STANDARD_INFORMATION and $FILE_NAME
  Cited in 2 questions
- Carvey, Harlan — Windows Registry Forensics, 2nd Edition
  Syngress (2016), Chapter on Shellbags and user activity tracking
  Cited in 2 questions
- Apple Developer — File System Programming Guide
  Section on Finder metadata and the .DS_Store per-folder file format
  Open source; cited in 1 question
- Microsoft Open Specifications — MS-SHLLINK
  Shell Link (.LNK) Binary File Format, Sections on LinkInfo and TargetIDList
  Open source; cited in 1 question
- Edwards, Sarah — macOS Unified Logging and FSEvents in macOS Forensics
  SANS DFIR FOR518, Section on FSEvents record format and event flag bitmap
  Cited in 1 question
- Apple — About Time Machine and tmutil(1)
  macOS reference: tmutil listbackups, tmutil compare, and APFS snapshot mounting
  Open source; cited in 1 question
- Microsoft Learn — Volume Shadow Copy Service
  Storage documentation: VSS architecture, copy-on-write driver, and shadow copy contents
  Open source; cited in 1 question
- Microsoft Learn — Security Identifiers
  Windows security documentation: well-known SIDs, RID ranges, and ProfileList structure
  Open source; cited in 1 question
- Mandiant — Leveraging the Application Compatibility Cache
  Mandiant whitepaper (2015) and Microsoft Application Compatibility documentation
  Open source; cited in 1 question
- GNU Bash Reference Manual
  Section on Bash History Facilities: HISTTIMEFORMAT and the history file format
  Open source; cited in 1 question
- Linux man-pages — auditctl(8) and audit.rules(7)
  Section on syscall filters, architecture flags, and persistence under rules.d
  Open source; cited in 1 question
- Linux man-pages — systemd-journald.service(8) and journalctl(1)
  Section on journal storage paths: /var/log/journal and /run/log/journal
  Open source; cited in 1 question
- Linux man-pages — attr(5), getfattr(1), setfattr(1)
  Section on extended-attribute namespaces and their access controls
  Open source; cited in 1 question
- Linux man-pages — systemd.service(5), cron(8), rc-local
  Section on unit activation, cron.d directory, and rc-local sysvinit compatibility
  Open source; cited in 1 question
- Apple Developer — launchd.plist(5) man page
  Section on StartInterval, StartCalendarInterval, RunAtLoad, KeepAlive, WatchPaths
  Open source; cited in 1 question
- Microsoft Learn — SetupAPI Logging and USBSTOR Enumerator
  Windows driver documentation: SetupAPI device installation log and USB enumeration
  Open source; cited in 1 question
- Apple Developer — App Sandbox Design Guide
  Section on the container directory layout and Container.plist on macOS
  Open source; cited in 1 question
- Microsoft Docs — Cache Manager Prefetching
  Windows Internals 7e (Russinovich, Solomon, Ionescu), Chapter on the Cache Manager and Prefetch
  Open source; cited in 1 question
- Linux man-pages — link(2), symlink(2), stat(2)
  Section on hard links, symbolic links, and inode semantics under VFS
  Open source; cited in 1 question
- Linux man-pages — crypt(5) and shadow(5)
  Section on the Modular Crypt Format and algorithm identifiers in /etc/shadow
  Open source; cited in 1 question
- Apple Developer — LaunchServices Quarantine and Gatekeeper
  macOS Security and File System Reference: quarantine extended attribute schema
  Open source; cited in 1 question
- Apple Developer — File Metadata and Spotlight Importers
  macOS File Metadata Reference: kMDItem keys and metadata extended attributes
  Open source; cited in 1 question
- Apple Developer — APFS Reference and clonefile(2)
  Section on APFS clones: extent sharing, copy-on-write, and divergence semantics
  Open source; cited in 1 question
- Linux man-pages — proc(5)
  Section on /proc/[pid]/maps: VMA permissions, pseudo-paths, and backing pathname
  Open source; cited in 1 question
- Microsoft Learn — Audit Logon Events and Logon Types
  Windows Security auditing documentation, EventID 4624 reference table
  Open source; cited in 1 question
How our mocks are built
Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.
Common questions
How many questions and how long is the test?
30 multiple-choice questions, 30 minutes total. Difficulty: medium. Tier: Premium.
Who is this mock for?
Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics, FACT. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.
Are the questions reviewed?
Each question carries a verified source citation. Faculty review for individual questions is in progress.
Do I need an account to take this mock?
Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.