SANS 500 || 100% Correct Solutions.
Alternate Data Streams (ADS) correct answers Alternative content for a file that exists by
creating additional data pointers within the same NTFS file. Basically the presence of a second
or subsequent data stream. Zone.Identifier is an example of an ADS.
AMCACHE.HVE correct answers Utilized for the internal application compatibility capability
that allows for Windows to run older executables found from earlier iterations of their OS.
AppCompatCache correct answers Tracks the executable file's last modification date, file path,
and if it was executed. Windows looks at this key to figure out if a program needs shimming for
compatibility.
AppData Folder correct answers Contains custom settings and other information needed by
applications. Contains your Local, LocalLow, Roaming folders. For example, Web browser
bookmarks and cache.
AppID correct answers Each application has a unique id, but they are not unique to the system.
Used to ensure that the application's preferences are not going to conflict with similar
applications. Used in jumplists, in both Custom and Automatic.
Application Log correct answers Records events logged by applications. ex: failure of MS SQL
to access a database
Audit Removable Storage correct answers Logs every interaction with removable device by user.
Automatic Destinations correct answers Contains a list of application sorted by AppID. Can be
used to map the history of the application from its first use.
Autostart correct answers Lists the programs that run at system boot. Useful to find malware on a
machine that installs on boot, such as a rootkit.
Background Activity Monitor (BAM) correct answers This key is used in conjunction with the
DAM key to record the path of the executable and the last date/time executed.
BagMRU correct answers Based on the keys that are here, you can tell which directories were
opened/closed during a time period.
Bookmarks correct answers Created by the user and are shortcuts to websites that are frequently
visited or saved for later. They can also contain user account, URL, URL parameters, page title,
creation date, and last used date.
Browser Forensics correct answers History files, browser cache, and cookies make up the bulk of
browser artifacts. You can find the websites a user visited and how many times they visited and
when, saved websites, downloaded files, usernames, and what the user searched for.
, BSSID correct answers (Basic Service Set ID) the MAC address of a base station, used to
identify it to host stations.
Compliance Search correct answers Powershell cmdlet used for eDiscovery for nearly any kind
of search.
Connected Standby correct answers In Windows 8, systems with a SSD could take advantage of
this new low-power mode. Was expanded upon in Windows 10 with Modern Standby.
CurrentControlSet correct answers Identifies which control set is considered the Current one.
Contains system config settings needed to control system boot, like the driver and service
information. ControlSet001 is typically the set you just booted into the computer with. It is
usually the most up to date. ControlSet002 is the "Last Known Good" version, if something
drastic happened.
Custom Destinations correct answers Created by each application and there is custom. Intended
to present content that the application has deemed significant based on either previous usage of
the app or through an action that has indicated that an item is of importance to the user.
Data Stream Carving correct answers The carving of small fragments of a file, not the whole file.
Fragments can be pulled from memory, unallocated space, and allocated database files. Ex:
URLs, chat sessions, emails, encryption keys,...
DEAD System - Memory Acquisition correct answers You can analysis the hiberfil.sys by
copying it from the root of the system drive. memory.dmp is a crash dump file that can also be
used if a full crash dump was taken. pagefile.sys is not a complete copy of RAM, but can still
provide parts of memory that were paged out to disk.
Desktop Activity Monitor (DAM) correct answers Used in conjunction with the BAM key to
record the path of the executable and the last date/time executed. The DAM is present on system
that have Connected Standby present.
DOMStore correct answers This is where Web Store files are stored in IE/Edge. Set up in a
similar fashion to cache. WebCacheV*.dat file manages the DOMStore filenames and the
owning sites. It includes creation and last access timestamps for Web Storage artifacts.
Exchange Database (EDB) correct answers Container for user Microsoft Exchange mailboxes.
Stored in ESE format.
Email Header correct answers Required component. Provides the envelope that a message relies
on for getting it to the destination. Only completely reliable information from the Mail Transfer
Agent that you own or trust.
EMDMgmt correct answers Traditionally used for ReadyBoost to remember whether it passed
inspection. Each key in it provides the USB device manufacturer, ID, Serial Number, Volume
Name, and Volume Serial Number.
Alternate Data Streams (ADS) correct answers Alternative content for a file that exists by
creating additional data pointers within the same NTFS file. Basically the presence of a second
or subsequent data stream. Zone.Identifier is an example of an ADS.
AMCACHE.HVE correct answers Utilized for the internal application compatibility capability
that allows for Windows to run older executables found from earlier iterations of their OS.
AppCompatCache correct answers Tracks the executable file's last modification date, file path,
and if it was executed. Windows looks at this key to figure out if a program needs shimming for
compatibility.
AppData Folder correct answers Contains custom settings and other information needed by
applications. Contains your Local, LocalLow, Roaming folders. For example, Web browser
bookmarks and cache.
AppID correct answers Each application has a unique id, but they are not unique to the system.
Used to ensure that the application's preferences are not going to conflict with similar
applications. Used in jumplists, in both Custom and Automatic.
Application Log correct answers Records events logged by applications. ex: failure of MS SQL
to access a database
Audit Removable Storage correct answers Logs every interaction with removable device by user.
Automatic Destinations correct answers Contains a list of application sorted by AppID. Can be
used to map the history of the application from its first use.
Autostart correct answers Lists the programs that run at system boot. Useful to find malware on a
machine that installs on boot, such as a rootkit.
Background Activity Monitor (BAM) correct answers This key is used in conjunction with the
DAM key to record the path of the executable and the last date/time executed.
BagMRU correct answers Based on the keys that are here, you can tell which directories were
opened/closed during a time period.
Bookmarks correct answers Created by the user and are shortcuts to websites that are frequently
visited or saved for later. They can also contain user account, URL, URL parameters, page title,
creation date, and last used date.
Browser Forensics correct answers History files, browser cache, and cookies make up the bulk of
browser artifacts. You can find the websites a user visited and how many times they visited and
when, saved websites, downloaded files, usernames, and what the user searched for.
, BSSID correct answers (Basic Service Set ID) the MAC address of a base station, used to
identify it to host stations.
Compliance Search correct answers Powershell cmdlet used for eDiscovery for nearly any kind
of search.
Connected Standby correct answers In Windows 8, systems with a SSD could take advantage of
this new low-power mode. Was expanded upon in Windows 10 with Modern Standby.
CurrentControlSet correct answers Identifies which control set is considered the Current one.
Contains system config settings needed to control system boot, like the driver and service
information. ControlSet001 is typically the set you just booted into the computer with. It is
usually the most up to date. ControlSet002 is the "Last Known Good" version, if something
drastic happened.
Custom Destinations correct answers Created by each application and there is custom. Intended
to present content that the application has deemed significant based on either previous usage of
the app or through an action that has indicated that an item is of importance to the user.
Data Stream Carving correct answers The carving of small fragments of a file, not the whole file.
Fragments can be pulled from memory, unallocated space, and allocated database files. Ex:
URLs, chat sessions, emails, encryption keys,...
DEAD System - Memory Acquisition correct answers You can analysis the hiberfil.sys by
copying it from the root of the system drive. memory.dmp is a crash dump file that can also be
used if a full crash dump was taken. pagefile.sys is not a complete copy of RAM, but can still
provide parts of memory that were paged out to disk.
Desktop Activity Monitor (DAM) correct answers Used in conjunction with the BAM key to
record the path of the executable and the last date/time executed. The DAM is present on system
that have Connected Standby present.
DOMStore correct answers This is where Web Store files are stored in IE/Edge. Set up in a
similar fashion to cache. WebCacheV*.dat file manages the DOMStore filenames and the
owning sites. It includes creation and last access timestamps for Web Storage artifacts.
Exchange Database (EDB) correct answers Container for user Microsoft Exchange mailboxes.
Stored in ESE format.
Email Header correct answers Required component. Provides the envelope that a message relies
on for getting it to the destination. Only completely reliable information from the Mail Transfer
Agent that you own or trust.
EMDMgmt correct answers Traditionally used for ReadyBoost to remember whether it passed
inspection. Each key in it provides the USB device manufacturer, ID, Serial Number, Volume
Name, and Volume Serial Number.
