Page 1 of 49
SANS 500 EXAM LATEST UPDATE WITH 280
QUESTIONS AND CORRECT DETAILED SOLUTIONS
JUST RELEASED THIS YEAR
Question: How does PhotRec Recover deleted files from a host? - CORRECT
ANSWER✔✔Searches free space looking for file signatures that match specific file types
Question: Why is it important to collect volatile data during incident response - CORRECT
ANSWER✔✔Information could be lost if the system is powered off or rebooted
Question: You are responding to an incident. The suspect was using his Windows Desktop
Computer with Firefox and "Private Browsing" enabled. The attack was interrupted when it was
detected, and the browser windows are still open. What can you do to capture the most in-
depth data from the suspect's browser session - CORRECT ANSWER✔✔Collect the contents of
the computer's RAM
Question: How is a user mapped to contents of the recycle bin? - CORRECT ANSWER✔✔SID
Question: You are responding to an incident in progress on a workstation, Why is it important
to check the presence of encryption on the suspect workstation before turning it off? - CORRECT
ANSWER✔✔Data on mounted volumes and decryption keys stored as volatile data may be lost
1
SUCCESS!
,Page 2 of 49
Question: How can cookies.sqlite linked to a specific user account - CORRECT ANSWER✔✔The
DB file is stored in the corresponding profile folder
Question: You are reviewing the contents of a Windows shortcut [.Ink file] pointing to
C:\SANS.JPG. Which of the following metadata can you expect to find? - CORRECT
ANSWER✔✔The last access time of C:\SANS.JPG
Question: Which of the following must you remember when reviewing Windows registry data
in your timeline - CORRECT ANSWER✔✔Registry keys store only a 'LastWrite' time stamp and do
not indicate when they were created, accessed or deleted
Question: What information can be deduced by the following artifact?
System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces - CORRECT ANSWER✔✔If an
interface GUID was used to connect to the internet over 3G
Question: Which part of the LNK file reveals the shell path to the target file - CORRECT
ANSWER✔✔PIDL - The PIDL section of a LNK file, follow the header, it contains a shell path (a
PIDL0 to the target file
Question: In addition to the Web Notes Folder, which location contains Web Notes browser
artifacts? - CORRECT ANSWER✔✔Spartan.edb
2
SUCCESS!
,Page 3 of 49
Question: Which event will create a new directory in C:\System Volume Information\? -
CORRECT ANSWER✔✔Software installation. There are several ways to create a new volume
shadow copy - Software installation, System snapshot, Manual snapshot
Question: You are examining an image of a Windows system. In the C:\Windows\Prefetch
directory you find an entry for "EvilBin.Exe". Assuming the file was legitimately created by the
operating system, what does this file's existence mean to you, as the forensic investigator? -
CORRECT ANSWER✔✔EvilBin.Exe has been run at least once on this system
Question: What does the unique GUID assigned to each sub-key of the UserAssist registry entry
represent? - CORRECT ANSWER✔✔Method used to execute and application
Question: Which is the advantage offered by server-based e-mail forensic tools when compared
to standard forensic suites? - CORRECT ANSWER✔✔They allow simultaneous searches across
multiple user accounts
Question: Which Windows 7 event log records installation and update information for Windows
security updates and patches - CORRECT ANSWER✔✔Setup.log records installation and update
information on all applications
Question: You are participating in an e-mail investigation for a company using Microsoft
Exchange with Outlook clients. Which of the following would reduce the results returned in a
3
SUCCESS!
, Page 4 of 49
keyword search of a user's mailbox? - CORRECT ANSWER✔✔The organization's email clients
have S/MIME support enabled
Question: Network logs show that Bob accessed \\10.10.23.47\Financial\Salary two weeks
past. Bob claims he never intentionally went to the network share, that he must've clicked on a
link that mapped to that location. Which registry key on Bob's host will show if he knew the
network location of the salary folder? - CORRECT ANSWER✔✔TypePaths
Question: Which local folder stores the Cookies DB in Chrome version 96 and above - CORRECT
ANSWER✔✔Network
Question: Which of the following is an example of volatile data - CORRECT ANSWER✔✔Open
files - Current and running apps. on a workstation are volatile and all date will be lost if the
device is powered off
Question: What artifact(s) will be created by Windows 10 when a user opens an office
document from a USB drive using Explorer - CORRECT ANSWER✔✔Two LNK files are created in
C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent
Question: Which of the following records a 'last write time' stored typically in UTC - CORRECT
ANSWER✔✔A change to a registry key value
4
SUCCESS!
SANS 500 EXAM LATEST UPDATE WITH 280
QUESTIONS AND CORRECT DETAILED SOLUTIONS
JUST RELEASED THIS YEAR
Question: How does PhotRec Recover deleted files from a host? - CORRECT
ANSWER✔✔Searches free space looking for file signatures that match specific file types
Question: Why is it important to collect volatile data during incident response - CORRECT
ANSWER✔✔Information could be lost if the system is powered off or rebooted
Question: You are responding to an incident. The suspect was using his Windows Desktop
Computer with Firefox and "Private Browsing" enabled. The attack was interrupted when it was
detected, and the browser windows are still open. What can you do to capture the most in-
depth data from the suspect's browser session - CORRECT ANSWER✔✔Collect the contents of
the computer's RAM
Question: How is a user mapped to contents of the recycle bin? - CORRECT ANSWER✔✔SID
Question: You are responding to an incident in progress on a workstation, Why is it important
to check the presence of encryption on the suspect workstation before turning it off? - CORRECT
ANSWER✔✔Data on mounted volumes and decryption keys stored as volatile data may be lost
1
SUCCESS!
,Page 2 of 49
Question: How can cookies.sqlite linked to a specific user account - CORRECT ANSWER✔✔The
DB file is stored in the corresponding profile folder
Question: You are reviewing the contents of a Windows shortcut [.Ink file] pointing to
C:\SANS.JPG. Which of the following metadata can you expect to find? - CORRECT
ANSWER✔✔The last access time of C:\SANS.JPG
Question: Which of the following must you remember when reviewing Windows registry data
in your timeline - CORRECT ANSWER✔✔Registry keys store only a 'LastWrite' time stamp and do
not indicate when they were created, accessed or deleted
Question: What information can be deduced by the following artifact?
System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces - CORRECT ANSWER✔✔If an
interface GUID was used to connect to the internet over 3G
Question: Which part of the LNK file reveals the shell path to the target file - CORRECT
ANSWER✔✔PIDL - The PIDL section of a LNK file, follow the header, it contains a shell path (a
PIDL0 to the target file
Question: In addition to the Web Notes Folder, which location contains Web Notes browser
artifacts? - CORRECT ANSWER✔✔Spartan.edb
2
SUCCESS!
,Page 3 of 49
Question: Which event will create a new directory in C:\System Volume Information\? -
CORRECT ANSWER✔✔Software installation. There are several ways to create a new volume
shadow copy - Software installation, System snapshot, Manual snapshot
Question: You are examining an image of a Windows system. In the C:\Windows\Prefetch
directory you find an entry for "EvilBin.Exe". Assuming the file was legitimately created by the
operating system, what does this file's existence mean to you, as the forensic investigator? -
CORRECT ANSWER✔✔EvilBin.Exe has been run at least once on this system
Question: What does the unique GUID assigned to each sub-key of the UserAssist registry entry
represent? - CORRECT ANSWER✔✔Method used to execute and application
Question: Which is the advantage offered by server-based e-mail forensic tools when compared
to standard forensic suites? - CORRECT ANSWER✔✔They allow simultaneous searches across
multiple user accounts
Question: Which Windows 7 event log records installation and update information for Windows
security updates and patches - CORRECT ANSWER✔✔Setup.log records installation and update
information on all applications
Question: You are participating in an e-mail investigation for a company using Microsoft
Exchange with Outlook clients. Which of the following would reduce the results returned in a
3
SUCCESS!
, Page 4 of 49
keyword search of a user's mailbox? - CORRECT ANSWER✔✔The organization's email clients
have S/MIME support enabled
Question: Network logs show that Bob accessed \\10.10.23.47\Financial\Salary two weeks
past. Bob claims he never intentionally went to the network share, that he must've clicked on a
link that mapped to that location. Which registry key on Bob's host will show if he knew the
network location of the salary folder? - CORRECT ANSWER✔✔TypePaths
Question: Which local folder stores the Cookies DB in Chrome version 96 and above - CORRECT
ANSWER✔✔Network
Question: Which of the following is an example of volatile data - CORRECT ANSWER✔✔Open
files - Current and running apps. on a workstation are volatile and all date will be lost if the
device is powered off
Question: What artifact(s) will be created by Windows 10 when a user opens an office
document from a USB drive using Explorer - CORRECT ANSWER✔✔Two LNK files are created in
C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent
Question: Which of the following records a 'last write time' stored typically in UTC - CORRECT
ANSWER✔✔A change to a registry key value
4
SUCCESS!
