Alternate Data Streams (ADS) -
Answer-Alternative content for a file that exists by creating additional data pointers
within the same NTFS file. Basically the presence of a second or subsequent data
stream. Zone.Identifier is an example of an ADS.
AMCACHE.HVE -
Answer-Utilized for the internal application compatibility capability that allows for
Windows to run older executables found from earlier iterations of their OS.
AppCompatCache -
Answer-Tracks the executable file's last modification date, file path, and if it was
executed. Windows looks at this key to figure out if a program needs shimming for
compatibility.
AppData Folder -
Answer-Contains custom settings and other information needed by applications.
Contains your Local, LocalLow, Roaming folders. For example, Web browser
bookmarks and cache.
AppID -
Answer-Each application has a unique id, but they are not unique to the system. Used
to ensure that the application's preferences are not going to conflict with similar
applications. Used in jumplists, in both Custom and Automatic.
Application Log -
Answer-Records events logged by applications, e.g. the failure of MS SQL to access a
database.
Audit Removable Storage -
Answer-Logs every interaction a user has with a removable device.
Automatic Destinations -
Answer-Contains a list of applications sorted by AppID. Can be used to map the history
of the application from its first use.
Autostart -
Answer-Lists the programs that run at system boot. Useful to find malware on a
machine that installs on boot, such as a rootkit.
Background Activity Monitor (BAM) -
Answer-This key is used in conjunction with the DAM key to record the path of the
executable and the last date/time executed.
BagMRU -
Answer-Based on the keys that are here, you can tell which directories were
opened/closed during a time period.
Bookmarks -
Answer-Created by the user and are shortcuts to websites that are frequently visited or
saved for later. They can also contain user account, URL, URL parameters, page title,
creation date, and last used date.
Browser Forensics -
Answer-History files, browser cache, and cookies make up the bulk of browser artifacts.
You can find the websites a user visited and how many times they visited and when,
saved websites, downloaded files, usernames, and what the user searched for.
BSSID -
Answer-(Basic Service Set ID) the MAC address of a base station, used to identify it to
host stations.
Compliance Search -
Answer-PowerShell cmdlet used in eDiscovery for nearly any kind of search.
Connected Standby -
Answer-In Windows 8, systems with an SSD could take advantage of this new low-power
mode. It was expanded upon in Windows 10 with Modern Standby.
CurrentControlSet -
Answer-Identifies which control set is considered the current one. Contains the system
config settings needed to control system boot, such as driver and service information.
ControlSet001 is typically the control set the computer was just booted with and is usually the
most up to date. ControlSet002 is the "Last Known Good" version, used if something drastic
happened.
Custom Destinations -
Answer-Created by each application, and their content is custom to it. Intended to present content
that the application has deemed significant, based either on previous usage of the app
or on an action that has indicated that an item is of importance to the user.
Data Stream Carving -
Answer-The carving of small fragments of a file, not the whole file. Fragments can be
pulled from memory, unallocated space, and allocated database files. Examples: URLs, chat
sessions, emails, encryption keys, etc.
DEAD System - Memory Acquisition -
Answer-You can analyze hiberfil.sys by copying it from the root of the system drive.
memory.dmp is a crash dump file that can also be used if a full crash dump was taken.
pagefile.sys is not a complete copy of RAM, but it can still provide parts of memory that
were paged out to disk.
Desktop Activity Monitor (DAM) -
Answer-Used in conjunction with the BAM key to record the path of the executable and
the last date/time executed. The DAM is present on systems that have Connected
Standby present.
DOMStore -
Answer-This is where Web Store files are stored in IE/Edge. Set up in a similar fashion
to cache. WebCacheV*.dat file manages the DOMStore filenames and the owning