Create 03-artifact-processing.md

Author: ngvuthdanhh

operations/03-artifact-processing.md

@@ -0,0 +1,33 @@
+# 03 — Artifact Processing
+
+## Windows Artifacts
+- Registry hives
+- Event logs
+- Prefetch
+- Amcache & Shimcache
+
+## Linux Artifacts
+- `.bash_history`
+- System logs & journal
+- Cron jobs & scheduled tasks
+- SSH activity & keys
+
+## Browser Artifacts
+- History
+- Cache
+- Cookies
+- Downloads
+- Autofill records (if accessible)
+
+## USB Activity Inference
+- Device IDs
+- Connection timestamps
+- Mounted volume traces
+
+## RDP & Network Activity
+- Connection logs
+- Terminal services events
+- Firewall allow/deny patterns
+
+## System vs User Artifacts
+- Distinguish automated system actions from explicit user activity.