
Improve forensic cloud and mobile preservation gates#1375

Open
MAUROCERON wants to merge 1 commit into UnitOneAI:main from MAUROCERON:improve/forensics-cloud-mobile-preservation-1112

Conversation

@MAUROCERON

Summary

Implements #1112 by strengthening forensics-checklist for cloud-native/serverless evidence, mobile/BYOD scope, and raw artifact preservation versus triage-only views.

Changes

  • Adds a containment-versus-collection decision point for active exfiltration, ransomware, destructive activity, and remote-wipe risk.
  • Adds raw Windows event log preservation guidance with wevtutil epl and SHA-256 hashing, distinguishing it from wevtutil qe ... /f:text triage views.
  • Allows disk collection to be N/A with compensating evidence for serverless, SaaS, managed database, mobile-only, and service-domain incidents.
  • Adds a Cloud Evidence Integrity Gate covering log validation, immutable/WORM retention, separate archive boundary, data-event coverage, artifact provenance, and access trails.
  • Adds a Mobile/BYOD evidence scope section for legal authority, lock/network state, MDM telemetry, cloud backups, remote-wipe risk, and acquisition decision.
  • Adds edge-case fixtures for serverless compensating evidence, cloud logs without immutability, rendered Windows event text, mobile MFA devices, and containment-altered volatile evidence.

Validation

  • Markdown fence balance checked locally for both changed files.
  • Remote branch content fetched and checked for marker presence plus encoding corruption.
  • Duplicate check: issue "[REVIEW] forensics-checklist: cloud-native immutability, mobile scope, and raw log preservation gaps" (#1112) has no comments, and no visible PR matched the search "1112 OR forensics-checklist cloud-native immutability mobile raw log" before this submission.
  • Official references checked with HTTP 200: NIST SP 800-101 Rev. 1, NIST SP 800-61 Rev. 3, AWS collect/analyze forensic evidence, AWS CloudTrail log file validation, Amazon S3 Object Lock, and CISA response playbooks.

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms.
  • Preferred payment method: Payment details can be provided privately after maintainer acceptance.
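The raw-versus-triage distinction the PR describes (wevtutil epl exports plus SHA-256 hashing, kept apart from wevtutil qe /f:text views) is shown below as an added example. It is not code from this PR, from the forensics-checklist, or from the UnitOneAI repository; the case label, the C:\Evidence root and the channel list are placeholders chosen for illustration.

```powershell
# Added example (not part of PR #1375 or the UnitOneAI repository): preserve raw
# Windows event logs with wevtutil epl, hash them at export time, and keep the
# rendered triage view in a separate directory so it is never mistaken for evidence.
# Hypothetical values: $CaseId, $EvidenceRoot and the default channel list.
param(
    [string]$CaseId = 'CASE-0001',
    [string]$EvidenceRoot = 'C:\Evidence',
    [string[]]$Channels = @('Security', 'System', 'Application',
                            'Microsoft-Windows-PowerShell/Operational')
)

$stamp  = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
$rawDir = Join-Path $EvidenceRoot "$CaseId\raw\$stamp"
$triage = Join-Path $EvidenceRoot "$CaseId\triage\$stamp"
New-Item -ItemType Directory -Path $rawDir, $triage -Force | Out-Null

$manifest = @()
foreach ($ch in $Channels) {
    # Channel names may contain '/', which is not valid in a file name.
    $safe = $ch -replace '[\\/:*?"<>|]', '_'
    $evtx = Join-Path $rawDir "$safe.evtx"

    # Raw artifact: wevtutil epl writes the channel as a native .evtx file,
    # keeping record IDs, binary XML and the channel's own record order.
    & wevtutil.exe epl $ch $evtx
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "wevtutil epl failed for channel '$ch' (exit $LASTEXITCODE)"
        continue
    }

    # Hash immediately after export so every later copy can be checked against it.
    $h = Get-FileHash -Path $evtx -Algorithm SHA256
    $manifest += [pscustomobject]@{
        Channel      = $ch
        File         = $evtx
        SizeBytes    = (Get-Item $evtx).Length
        SHA256       = $h.Hash
        CollectedUtc = $stamp
        Host         = $env:COMPUTERNAME
    }

    # Triage view: rendered text is convenient for review but is not the evidence.
    # It depends on locale and provider message DLLs, drops fields, and is lossy.
    # /c:200 limits the query to 200 records; /rd:true returns newest first.
    & wevtutil.exe qe $ch /f:text /c:200 /rd:true |
        Set-Content -Path (Join-Path $triage "$safe.last200.txt") -Encoding UTF8
}

# Write the manifest beside the raw artifacts and hash the manifest itself,
# so the custody record covers the hash list and not only the .evtx files.
$manifestPath = Join-Path $rawDir 'manifest.sha256.csv'
$manifest | Export-Csv -Path $manifestPath -NoTypeInformation
$manifestHash = (Get-FileHash -Path $manifestPath -Algorithm SHA256).Hash
"$manifestHash  manifest.sha256.csv" |
    Set-Content -Path (Join-Path $rawDir 'manifest.sha256.csv.sha256')

# Re-verification on the analysis workstation: recompute and compare each hash.
# Import-Csv $manifestPath | ForEach-Object {
#     $now = (Get-FileHash -Path $_.File -Algorithm SHA256).Hash
#     [pscustomobject]@{ File = $_.File; Match = ($now -eq $_.SHA256) }
# }
$manifest | Format-Table Channel, SizeBytes, SHA256 -AutoSize
```

Run it from an elevated prompt; exporting the Security channel requires administrative rights, and wevtutil epl captures the channel as it exists at that moment, so the export time in the manifest is part of the custody record. The .txt files under triage are for reading only; anything that goes into a report or a tool should be derived from the hashed .evtx under raw.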
