SANS SEC530 FINAL PAPER 2026 QUESTIONS
WITH ANSWERS GRADED A+
◉ Which command will display ASCII and Unicode strings within a
malware sample?
A) cat
B) Get-Strings
C) strings
D) findstr. Answer: C) strings
◉ Which type of system is most commonly used to investigate
malware?
A) Virtual machine
B) Day-to-day host
C) Thick client
D) Production system. Answer: A) Virtual machine
◉ If you believe your system has been the victim of a rootkit attack,
what is the most cost-effective form of eradication?
,A) Restore the OS from the most recent backup.
B) Reformat, reinstall, and patch the system from the original media.
C) Patch and reboot the compromised system.
D) Install applications from a different vendor.. Answer: B) Reformat,
reinstall, and patch the system from the original media.
◉ What tool is used to record the state of the registry before and after
malware is executed on an analysis system?
A) Regshot
B) Ollydbg
C) Wireshark
D) Regripper. Answer: A) Regshot
◉ What method could be used to ensure that an asset under investigation
is not put back into production without approval before the investigation
is complete?
A) Move the asset to a different cloud data center.
B) Terminate the asset.
C) Shut off all administrative access to the cloud environment so no
admins can make changes.
,D) Add an "under investigation" tag to the asset.. Answer: D) Add an
"under investigation" tag to the asset.
◉ During the remediation phase of incident response, you remove a file
from your infected web server. What is the most important additional
thing to do to prevent being compromised again?
A) Determine the root cause of the attack.
B) Review your host-based firewall rules.
C) Restore the host data from backups.
D) Apply patches and harden the system.. Answer: A) Determine the
root cause of the attack.
◉ Why is performing memory analysis on RAM images a staple of
investigations?
A) Valuable information may exist in RAM, which might not be found
on disk.
B) Speed - Evidence from a RAM image will match disk content.
C) RAM provides more consistent images than disk.
D) It's easier to look for historical information in RAM than on disk..
Answer: A) Valuable information may exist in RAM, which might not
be found on disk.
, ◉ An investigator identifies the following POST request. Which log
recorded the activity?
1583050850.951 185 192.168.40.123 TCP_MISS/200 1856 POST
https://update.googleapis.com/service/update2? -
ORIGINAL_DST/172.219.10.153 text/xml
A) Switch access log
B) Regshot event log
C) Proxy access log
D) Windows event log. Answer: C) Proxy access log
◉ What are two basic approaches commonly employed when
investigating malware?
A) Running a penetration test and running a vulnerability scan.
B) Monitoring the environment and examining code.
C) Taking the environment offline and restoring from backups.
D) Performing a risk assessment and confirming a possible exploit type..
Answer: B) Monitoring the environment and examining code.
◉ What step should always be taken first during an incident?
WITH ANSWERS GRADED A+
◉ Which command will display ASCII and Unicode strings within a
malware sample?
A) cat
B) Get-Strings
C) strings
D) findstr. Answer: C) strings
◉ Which type of system is most commonly used to investigate
malware?
A) Virtual machine
B) Day-to-day host
C) Thick client
D) Production system. Answer: A) Virtual machine
◉ If you believe your system has been the victim of a rootkit attack,
what is the most cost-effective form of eradication?
,A) Restore the OS from the most recent backup.
B) Reformat, reinstall, and patch the system from the original media.
C) Patch and reboot the compromised system.
D) Install applications from a different vendor.. Answer: B) Reformat,
reinstall, and patch the system from the original media.
◉ What tool is used to record the state of the registry before and after
malware is executed on an analysis system?
A) Regshot
B) Ollydbg
C) Wireshark
D) Regripper. Answer: A) Regshot
◉ What method could be used to ensure that an asset under investigation
is not put back into production without approval before the investigation
is complete?
A) Move the asset to a different cloud data center.
B) Terminate the asset.
C) Shut off all administrative access to the cloud environment so no
admins can make changes.
,D) Add an "under investigation" tag to the asset.. Answer: D) Add an
"under investigation" tag to the asset.
◉ During the remediation phase of incident response, you remove a file
from your infected web server. What is the most important additional
thing to do to prevent being compromised again?
A) Determine the root cause of the attack.
B) Review your host-based firewall rules.
C) Restore the host data from backups.
D) Apply patches and harden the system.. Answer: A) Determine the
root cause of the attack.
◉ Why is performing memory analysis on RAM images a staple of
investigations?
A) Valuable information may exist in RAM, which might not be found
on disk.
B) Speed - Evidence from a RAM image will match disk content.
C) RAM provides more consistent images than disk.
D) It's easier to look for historical information in RAM than on disk..
Answer: A) Valuable information may exist in RAM, which might not
be found on disk.
, ◉ An investigator identifies the following POST request. Which log
recorded the activity?
1583050850.951 185 192.168.40.123 TCP_MISS/200 1856 POST
https://update.googleapis.com/service/update2? -
ORIGINAL_DST/172.219.10.153 text/xml
A) Switch access log
B) Regshot event log
C) Proxy access log
D) Windows event log. Answer: C) Proxy access log
◉ What are two basic approaches commonly employed when
investigating malware?
A) Running a penetration test and running a vulnerability scan.
B) Monitoring the environment and examining code.
C) Taking the environment offline and restoring from backups.
D) Performing a risk assessment and confirming a possible exploit type..
Answer: B) Monitoring the environment and examining code.
◉ What step should always be taken first during an incident?
