SANS 500 LATEST EXAM QUESTIONS AND VERIFIED ANSWERS GRADED A ASSURED SUCCESS
Study online at https://quizlet.com/_hmvxjm
1. Why is it important to collect volatile data during incident response?: Information that exists only in memory could be lost if the system is powered off or rebooted.
2. You are responding to an incident. The suspect was using his Windows desktop computer with Firefox and "Private Browsing" enabled. The attack was interrupted when it was detected, and the browser windows are still open. What can you do to capture the most in-depth data from the suspect's browser session?: Collect the contents of the computer's RAM. In private-browsing mode the history, cookies and cache of the session are held in memory rather than written to the profile on disk, so a memory capture taken before the browser is closed is the only place they survive.
3. How is a user mapped to the contents of the Recycle Bin?: SID. Each account's deleted items live under C:\$Recycle.Bin\<SID>\ as $I (metadata) and $R (content) file pairs; the SID is resolved to an account name through the ProfileList key in the SOFTWARE hive.
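As an added example (not part of the original study set, and not a SANS or Microsoft tool), the following Python parses a $I record and ties it back to an account through the SID-named subfolder. The $I layout is the documented one: version (8 bytes), original size (8), deletion FILETIME (8), then either a fixed 520-byte UTF-16 path (version 1, Vista through 8.1) or a character count followed by the path (version 2, Windows 10 and later). The SID-to-user table and the $I file itself are constructed here; on a real image the table comes from SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.

```python
import struct
from datetime import datetime, timedelta, timezone
from pathlib import PureWindowsPath

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; only used to build the constructed sample."""
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def parse_i_file(data):
    """Parse a $I record: version, original size, deletion FILETIME, original path."""
    version, original_size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:                          # Vista to 8.1: fixed 260-char UTF-16 path
        path = data[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:                        # Windows 10 and later: char count, then path
        (nchars,) = struct.unpack_from("<I", data, 24)
        path = data[28:28 + nchars * 2].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "original_size": original_size,
            "deleted_utc": filetime_to_datetime(deleted_ft), "original_path": path}


def attribute_deleted_file(i_file_path, i_file_data, sid_to_user):
    """Tie a $I record to an account through the SID-named subfolder of $Recycle.Bin."""
    parts = PureWindowsPath(i_file_path).parts
    sid = parts[parts.index("$Recycle.Bin") + 1]
    record = parse_i_file(i_file_data)
    record["sid"] = sid
    record["user"] = sid_to_user.get(sid, "<unresolved SID>")
    # The deleted content lives in the sibling $R file with the same random suffix.
    record["r_file"] = parts[-1].replace("$I", "$R", 1)
    return record


def build_i_file(version, path, size, deleted_utc):
    """Constructed sample builder (not a Windows component) so the parser runs offline."""
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_utc))
    name = path.encode("utf-16-le") + b"\x00\x00"
    if version == 1:
        return head + name.ljust(520, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + name


# Constructed SID -> account table; on a real image build it from
# SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList (ProfileImagePath).
SID_TO_USER = {"S-1-5-21-1111111111-2222222222-3333333333-1001": "bob"}
SAMPLE_DELETED_UTC = datetime(2024, 3, 5, 14, 22, 9, tzinfo=timezone.utc)
SAMPLE_I_PATH = r"C:\$Recycle.Bin\S-1-5-21-1111111111-2222222222-3333333333-1001\$IQ7X2A1.xlsx"
SAMPLE_I_DATA = build_i_file(2, r"C:\Users\bob\Documents\salary.xlsx", 48213, SAMPLE_DELETED_UTC)
SAMPLE_I_DATA_V1 = build_i_file(1, r"C:\Users\bob\Desktop\notes.txt", 1024, SAMPLE_DELETED_UTC)

if __name__ == "__main__":
    print(attribute_deleted_file(SAMPLE_I_PATH, SAMPLE_I_DATA, SID_TO_USER))
```

The deletion time comes from the $I record, not from the $R file's own timestamps, and the SID folder is the only link between the record and the account, which is why the mapping in the answer above is by SID rather than by username.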
4. How does PhotoRec recover deleted files from a host?: It searches free space looking for file signatures (headers and footers) that match specific file types. Because it ignores the file system, it recovers file content but not the original file names or timestamps.
5. You are responding to an incident in progress on a workstation. Why is it important to check for the presence of encryption on the suspect workstation before turning it off?: Data on mounted encrypted volumes, and the decryption keys held in volatile memory, may be lost.
6. How can cookies.sqlite be linked to a specific user account?: The database file is stored in that user's Firefox profile folder.
7. You are reviewing the contents of a Windows shortcut (.lnk file) pointing to C:\SANS.JPG. Which of the following metadata can you expect to find?: The last access time of C:\SANS.JPG. The shortcut header stores the target's creation, access and write times (and its size) as they were when the shortcut was created or last updated.
8. Which of the following must you remember when reviewing Windows registry data in your timeline?: Registry keys store only a LastWrite timestamp; they do not indicate when they were created, accessed or deleted.
9. What information can be deduced from the following artifact? System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces: Whether a given interface GUID was used to connect to the Internet (for example over a 3G adapter). Each subkey is named after an interface GUID and holds that interface's IP configuration, such as DhcpIPAddress, DhcpServer, the lease times and NameServer.
10. Which part of the LNK file reveals the shell path to the target file?: PIDL. The LinkTargetIDList section follows the 76-byte header and contains a shell path (a PIDL, a list of shell item IDs) to the target file.
11. In addition to the Web Notes folder, which location contains Web Notes browser artifacts?: Spartan.edb, the ESE database of the legacy Microsoft Edge browser.
12. Which event will create a new directory in C:\System Volume Information\?: Software installation. Several events create a new volume shadow copy: software installation, a scheduled system snapshot, and a manual snapshot.
13. You are examining an image of a Windows system. In the C:\Windows\Prefetch directory you find an entry for "EvilBin.Exe". Assuming the file was legitimately created by the operating system, what does this file's existence mean to you, as the forensic investigator?: EvilBin.Exe has been run at least once on this system. The prefetch file also records the run count, the last run time(s) and the files and directories the program touched; the absence of a prefetch file does not prove a program never ran, since prefetching can be disabled.
14. What does the unique GUID assigned to each sub-key of the UserAssist registry entry represent?: The method used to execute an application. On Windows 7 and later, {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} records executable file execution and {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} records shortcut (.lnk) file execution.
15. Which is the advantage offered by server-based e-mail forensic tools when compared to standard forensic suites?: They allow simultaneous searches across multiple user accounts.
16. Which Windows 7 event log records installation and update information for Windows security updates and patches?: The Setup event log (Setup.evtx), which records Windows installation, servicing and update events.
17. You are participating in an e-mail investigation for a company using Microsoft Exchange with Outlook clients. Which of the following would reduce the results returned in a keyword search of a user's mailbox?: The organization's e-mail clients have S/MIME support enabled. S/MIME-encrypted messages are stored as ciphertext, so their bodies and attachments cannot match a keyword search until they are decrypted.
18. Network logs show that Bob accessed \\10.10.23.47\Financial\Salary two weeks ago. Bob claims he never intentionally went to the network share and that he must have clicked on a link that mapped to that location. Which registry key on Bob's host will show whether he knew the network location of the salary folder?: TypedPaths. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths records paths typed into the Explorer address bar; the share appearing there shows it was entered by hand rather than reached through a link.
19. Which local folder stores the Cookies DB in Chrome version 96 and above?: Network (C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies).
20. Which of the following is an example of volatile data?: Open files. Currently open files and running applications on a workstation are volatile; that data is lost if the device is powered off.
21. What artifact(s) will be created by Windows 10 when a user opens an Office document from a USB drive using Explorer?: Two LNK files are created in C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent, one for the document and one for the folder it was opened from.
22. Which of the following records a 'last write time', typically stored in UTC?: A change to a registry key's value, which updates the key's LastWrite time.