Daily Linux Forensics Trivia #26 - Name three different logs where you can normally find a record of user logins.

Trivia Answer #26 - I should have been more specific here. I was looking for logs that track successful user logins over time and I was thinking of Syslog's LOG_AUTHPRIV stream (usually /var/log/auth.log or .../secure), the wtmp file, and the audit.log.

Daily Linux Forensics Trivia #28 - How do Chrome and Firefox web browser artifacts differ on Linux systems as compared to Windows/Mac?

The only thing different about web browser artifacts on Linux is their location. $HOME/.mozilla/firefox (Firefox) and $HOME/.config/chromium (Chrome) are the usual locations on Linux. Otherwise it's same SQLite databases, etc. Anything else would be crazy in terms of code re-use

Daily Linux Forensics Trivia #28 - True or False: XFS inode numbers are assigned sequentially.

Daily Linux Forensics Trivia #29 - You are given a disk image of a Linux system. How do you determine which distro and version it is?

Trivia Answer #29 - Shout out to @Grabbi_it for chiming in with the answer. Mount your evidence and look at /etc/os-release, which should be there regardless of which distro you have been given.