Add forensics mobile and raw log evidence gates

[alan747271363-art]

Summary

• add NIST SP 800-101 Rev. 1 coverage for mobile/BYOD evidence decisions
• add a mobile scope guard for owner, lock state, network state, MDM enrollment, remote wipe risk, consent/legal authority, and cloud/identity evidence
• distinguish Windows Event Log triage text queries from preserved .evtx artifacts
• add raw log preservation output fields with native artifact, triage export, and SHA-256 hash tracking

Scope notes

Addresses the mobile/BYOD and raw event-log preservation portions of #1112. This intentionally avoids duplicating the existing cloud custody PR #1068 and does not change acquisition tooling behavior.

Official references used:

• NIST SP 800-101 Rev. 1: https://csrc.nist.gov/pubs/sp/800/101/r1/final
• Microsoft wevtutil export-log documentation: https://learn.microsoft.com/windows-server/administration/windows-commands/wevtutil
• Microsoft Get-FileHash documentation: https://learn.microsoft.com/powershell/module/microsoft.powershell.utility/get-filehash

Validation

• git diff --check
• markdown fence balance check for skills/incident-response/forensics-checklist/SKILL.md
• required frontmatter field check
• changed-file prompt-safety keyword scan
• final open PR search for direct [REVIEW] forensics-checklist: cloud-native immutability, mobile scope, and raw log preservation gaps #1112 mobile/BYOD/raw EVTX overlap

Bounty

Skill Improvement / Improver candidate. Payment details can be provided privately after maintainer acceptance.