ACCURATE QUESTIONS AND VERIFIED
CORRECT SOLUTIONS WITH RATIONALES
|| 100% GUARANTEED PASS
<LATEST VERSION>
1. Alternate Data Streams (ADS) - ANSWER ✓ Alternative content attached to a
file by storing additional named $DATA attributes within the same NTFS file
record. The unnamed stream is the file's normal content; any second or
subsequent named stream is an ADS, and it does not show up in the file size or
in tools that only read the default stream (dir /R and PowerShell's Get-Item
-Stream * list them). Zone.Identifier, the stream written to downloaded files
to record their origin zone, is the most common example of an ADS.
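An added example, not part of the original notes: a small Python parser for the text held in a Zone.Identifier stream, plus a helper that opens `<file>:Zone.Identifier` directly on an NTFS volume. The sample stream content, the function names and the zone-name table are this example's own; the numeric zone values follow the URLZONE numbering Windows uses.

```python
"""Parse the contents of an NTFS Zone.Identifier alternate data stream."""
from dataclasses import dataclass
from typing import Optional

# URLZONE values as written to Zone.Identifier by the Attachment Execution Service.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


@dataclass
class ZoneIdentifier:
    zone_id: int
    zone_name: str
    referrer_url: Optional[str] = None   # page the download was started from (if recorded)
    host_url: Optional[str] = None       # URL the file was actually fetched from (if recorded)


def parse_zone_identifier(stream_text: str) -> ZoneIdentifier:
    """Parse the INI-style text of a Zone.Identifier stream.

    Only keys inside the [ZoneTransfer] section are used; unknown keys are ignored.
    Raises ValueError when no ZoneId is present, since that is the one mandatory key.
    """
    fields = {}
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    if "zoneid" not in fields:
        raise ValueError("no ZoneId key in [ZoneTransfer] section")
    zone_id = int(fields["zoneid"])
    return ZoneIdentifier(
        zone_id=zone_id,
        zone_name=ZONE_NAMES.get(zone_id, f"unknown ({zone_id})"),
        referrer_url=fields.get("referrerurl"),
        host_url=fields.get("hosturl"),
    )


def read_zone_identifier(path: str) -> Optional[ZoneIdentifier]:
    """Read <path>:Zone.Identifier on an NTFS volume (Windows only).

    Returns None when the file carries no such stream. On non-NTFS storage the
    stream is simply absent, which is why copying evidence to FAT/exFAT media
    silently drops this artifact.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except FileNotFoundError:
        return None


# Constructed sample of what a browser download typically leaves behind.
SAMPLE_STREAM = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://example.com/downloads/
HostUrl=https://cdn.example.com/files/tool.exe
"""

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
```

On a live Windows host the same data can be listed with Get-Item -Path .\tool.exe -Stream * and read with Get-Content -Path .\tool.exe -Stream Zone.Identifier; the parser above is for streams exported from an image.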
2. AMCACHE.HVE - ANSWER ✓ Registry hive (C:\Windows\AppCompat\Programs\
Amcache.hve) maintained by the application compatibility infrastructure that
allows Windows to run older executables written for earlier iterations of the
OS. For forensics it records the full path of executables that were present or
run and a SHA-1 hash of each file, so executables can be matched against
known-bad hashes even after the file itself has been removed.
3. AppCompatCache - ANSWER ✓ Also known as ShimCache, stored in the SYSTEM
hive under ControlSet00X\Control\Session Manager\AppCompatCache. Tracks the
executable's file path, its last modification date (the file's modified
timestamp, not the time it ran) and, on versions before Windows 10, a flag
indicating whether it was executed. Windows looks at this data to figure out
if a program needs shimming for compatibility. Caveats: the cache lives in
memory and is only written to the hive at shutdown or reboot, and on Windows
10 and later an entry can be created merely by browsing to the executable in
Explorer, so an entry alone is not proof of execution.
4. AppData Folder - ANSWER ✓ Per-user folder (C:\Users\<user>\AppData) that
contains custom settings and other information needed by applications. It
holds the Local, LocalLow and Roaming subfolders; Roaming data follows the
user between domain-joined machines, Local data stays on the host. Examples:
web browser bookmarks, history databases and cache.
5. AppID - ANSWER ✓ A 16-character hexadecimal identifier assigned to each
application. It is derived from the application, not from the system, so the
same program carries the same AppID on every machine; published AppID lists
can therefore be used to identify which application a jump list belongs to.
Its purpose is to keep an application's preferences from conflicting with
those of similar applications. Used as the file name of jump lists in both
the AutomaticDestinations and CustomDestinations folders.
6. Application Log - ANSWER ✓ Windows event log that records events logged
by applications, for example the failure of MS SQL to access a database.
7. Audit Removable Storage - ANSWER ✓ Advanced audit policy setting (Object
Access > Audit Removable Storage) that logs every attempt by a user to
access a file on a removable storage device to the Security log as Event ID
4663, including the user, the object name and the type of access requested.
It is not enabled by default, so confirm it was in force before concluding
that no removable-media access took place.
8. Automatic Destinations - ANSWER ✓ Folder (%AppData%\Microsoft\Windows\
Recent\AutomaticDestinations) that contains one *.automaticDestinations-ms
jump list per application, named by AppID and created automatically by
Windows as the user opens files with that application. Each file is an OLE
compound document holding one LNK-style stream per recently used item plus a
DestList stream that records ordering, access counts and last-access
timestamps, so it can be used to map the history of the application from its
first use.
9. Autostart - ANSWER ✓ Locations that list the programs run at system boot
or user logon, such as the Run and RunOnce keys, services, drivers and
scheduled tasks (Sysinternals Autoruns enumerates them). Useful for finding
malware that persists across reboots, such as a rootkit loaded as a driver.
10. Background Activity Monitor (BAM) - ANSWER ✓ Registry key in the SYSTEM
hive (...\Services\bam\State\UserSettings\<SID>, present from Windows 10
onward) used in conjunction with the Desktop Activity Moderator (DAM) key to
record the full path of each executable and the last date/time it was
executed. Entries are stored per user SID, which directly ties an execution
to an account.
11. BagMRU - ANSWER ✓ Part of the ShellBags keys (BagMRU and Bags) found in
NTUSER.DAT and UsrClass.dat, which store Explorer's view settings for each
folder a user has browsed. Based on the keys that are here and their
LastWrite times, you can tell which directories were opened during a time
period, including folders on removable media and network shares that no
longer exist.
12. Bookmarks - ANSWER ✓ Created by the user as shortcuts to websites that
are frequently visited or saved for later. They can also contain the user
account, URL, URL parameters, page title, creation date and last used date.
13. Deleted Email Message - ANSWER ✓ Deleted messages are kept in the archive
until some form of compaction is completed. Deleted messages might also still
be present in the PST file for Outlook. Deleted messages can be found in
server-based archives if a cloud-based approach is taken, but are subject to
a retention period. If a message is hard deleted on a server, it won't last
long because of the high reuse of unallocated space and frequent compaction
by the server. It is easier to find deleted messages in host-based archives.
14. Deleted Keys - ANSWER ✓ Deleted registry key data remains in the
unallocated portion of a registry hive until it is overwritten. Deleted keys
are typically the result of privacy cleaners, uninstalling programs and
clearing browser history. Deleted key data can be viewed and recovered with
Registry Explorer, which carves unallocated hive space for key and value
records.
15. Deleted Pictures - ANSWER ✓ Thumbs.db catalogs the pictures present in a
folder and stores a copy of the thumbnails so they do not have to be
regenerated every time the folder is browsed in Windows Explorer. References
to pictures can persist in the database even if the pictures are later
deleted. On Windows Vista and later the per-folder Thumbs.db is largely
replaced by the centralized thumbcache_*.db files under %LocalAppData%\
Microsoft\Windows\Explorer, which keep thumbnails of deleted images the same
way.
16. Attachment Recovery - ANSWER ✓ Outlook uses a Secure Temp Folder
(%LocalAppData%\Microsoft\Windows\INetCache\Content.Outlook\<random name>)
to open attachments. If an attachment is opened or previewed, it is first
saved here, and copies may remain after Outlook or the viewing application
closes. You can navigate to this folder and assess the contents.
17. Encryption Key Recovery - ANSWER ✓ It is possible to recover encryption
keys from memory using a tool such as Passware Kit. You can examine a memory
image looking specifically for these encryption keys, which is why the RAM
of a running system with mounted encrypted volumes should be captured before
it is powered off.
18. Firefox Cache - ANSWER ✓ Since Firefox v32 all cached files are stored
individually (the cache2 format). Metadata is appended to each cached file,
including timestamps, file name and URL, and the HTTP response headers from
the serving website.
19. Firefox Cookies - ANSWER ✓ Cookies are saved longer than history
information and are not as frequently deleted by users. Firefox, like
Chrome, collects all cookies into a single SQLite database (cookies.sqlite
in the profile folder).
20. Firefox History - ANSWER ✓ Firefox stores history information in a
SQLite database file called places.sqlite (URLs in moz_places, individual
visits with timestamps in moz_historyvisits). This maintains more history
than IE.
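An added example, not part of the original notes: Python that builds a visit timeline from a places.sqlite copy using only the standard library. The schema fragment, the sample rows and the function names are this example's own (the real database has many more columns and tables); the table and column names used here are the ones Firefox actually uses, and timestamps are converted from Firefox's microseconds-since-epoch format.

```python
"""Build a visit timeline from a Firefox places.sqlite history database."""
import sqlite3
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Minimal subset of the real places.sqlite schema; column names match Firefox.
SCHEMA = """
CREATE TABLE moz_places (
    id INTEGER PRIMARY KEY, url TEXT, title TEXT,
    visit_count INTEGER DEFAULT 0, last_visit_date INTEGER);
CREATE TABLE moz_historyvisits (
    id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER,
    visit_date INTEGER, visit_type INTEGER);
"""

# visit_type values from Firefox's nsINavHistoryService (TRANSITION_* constants).
VISIT_TYPES = {
    1: "link", 2: "typed", 3: "bookmark", 4: "embed", 5: "redirect_permanent",
    6: "redirect_temporary", 7: "download", 8: "framed_link", 9: "reload",
}


def prtime_to_datetime(prtime: int) -> datetime:
    """Firefox stores PRTime: microseconds since the Unix epoch, in UTC."""
    return datetime.fromtimestamp(prtime / 1_000_000, tz=timezone.utc)


def history_timeline(conn: sqlite3.Connection,
                     since: Optional[datetime] = None) -> List[Tuple[datetime, str, Optional[str], str]]:
    """Return (visit time, url, title, visit type) rows in chronological order.

    Joining moz_historyvisits to moz_places gives every visit, not just the
    last_visit_date summary kept per URL.
    """
    query = """
        SELECT v.visit_date, p.url, p.title, v.visit_type
        FROM moz_historyvisits AS v
        JOIN moz_places AS p ON p.id = v.place_id
        WHERE v.visit_date >= ?
        ORDER BY v.visit_date"""
    floor = int(since.timestamp() * 1_000_000) if since else 0
    return [
        (prtime_to_datetime(visit_date), url, title, VISIT_TYPES.get(vtype, f"unknown({vtype})"))
        for visit_date, url, title, vtype in conn.execute(query, (floor,))
    ]


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a profile's places.sqlite (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO moz_places VALUES (?, ?, ?, ?, ?)", [
        (1, "https://example.com/", "Example", 2, 1700000100000000),
        (2, "https://example.com/payload.zip", None, 1, 1700000200000000),
    ])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?, ?, ?)", [
        (1, 0, 1, 1700000000000000, 2),   # user typed the URL
        (2, 1, 1, 1700000100000000, 9),   # reloaded the page
        (3, 2, 2, 1700000200000000, 7),   # clicked through to a download
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    for when, url, title, vtype in history_timeline(build_sample_db()):
        print(when.isoformat(), vtype, url, title or "")
```

When collecting from a live profile, copy places.sqlite together with its places.sqlite-wal sidecar: Firefox keeps the database in write-ahead-log mode, so the most recent visits may exist only in the WAL file until a checkpoint folds them in. The same PRTime conversion applies to the timestamps in cookies.sqlite.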
21. Firefox Private Browsing - ANSWER ✓ Like Chrome, no updates are made to
the disk-based databases. Instead, all artifacts are kept in memory and do
not get written back to the default databases. Offline memory analysis can
still provide some records, and some memory-based artifacts leak to disk
through the pagefile and hibernation file.
22. Firefox Profiles - ANSWER ✓ A user can maintain multiple Firefox
profiles, in which case you will see multiple folders within the Profiles
directory; profiles.ini lists them and marks the default. Each profile has
its own history, cookie and session databases, so check every profile
folder, not just the first one.
23. Firefox Session Restore - ANSWER ✓ Session restore data is saved in
sessionstore.jsonlz4 (a JSON document compressed with Mozilla's lz4 framing).
This file is deleted when the browser is closed, unless the user opts to show
windows and tabs from last time. It records tab history, cookies, typed form
data, session start time and tab metadata. It is possible to find multiple
deleted sessionstore files, and the sessionstore-backups folder holds
recovery and previous-session copies.
24.Firefox Sync - ANSWER ✓ Synchronization is implemented by encrypting
local data with a key, sending it to a global sync server run by Mozilla, then
other devices can authenticate to this server with a user's Firefox account,
pull down new artifacts, decrypt them locally, and then add them to relevant
databases. However, since all data on the sync server is encrypted, it is
unlikely to be a useful target. Users can choose what items they want synced
between devices.
25.Why is it important to collect volatile data during incident response -
ANSWER ✓ Information could be lost if the system is powered off or
rebooted
26.You are responding to an incident. The suspect was using his Windows
Desktop Computer with Firefox and "Private Browsing" enabled. The attack
was interrupted when it was detected, and the browser windows are still
open. What can you do to capture the most in-depth data from the suspect's
browser session - ANSWER ✓ Collect the contents of the computer's RAM
27. How is a user mapped to contents of the recycle bin? - ANSWER ✓ SID: each
user's deleted files live in a subfolder of $Recycle.Bin named after that
user's SID.
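An added example, not part of the original notes: Python that parses the $I metadata records Windows writes into the per-SID $Recycle.Bin subfolders (version 1 on Vista through 8, version 2 on Windows 10 and later) and pulls the SID out of the record's path. The sample record is constructed here, and the helper names are this example's own; the record layout (64-bit version, original size and deletion FILETIME, then the original path) is the documented on-disk format.

```python
"""Parse $I records from $Recycle.Bin and tie them to the deleting user's SID."""
import re
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# $Recycle.Bin has one subfolder per user, named after the user's SID.
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


@dataclass
class RecycledItem:
    version: int           # 1 = Vista/7/8, 2 = Windows 10 and later
    original_size: int     # size of the deleted file in bytes
    deleted_at: datetime   # when the file was moved to the Recycle Bin
    original_path: str     # full path the file had before deletion


def parse_i_file(data: bytes) -> RecycledItem:
    """Decode the $I record: version, size and deletion FILETIME, then the path."""
    if len(data) < 24:
        raise ValueError("$I file too short for its fixed header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Fixed 520-byte field: MAX_PATH (260) UTF-16LE characters, NUL padded.
        raw = data[24:24 + 520]
    elif version == 2:
        # A character count (including the terminating NUL) precedes the path.
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I format version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return RecycledItem(version, size, filetime_to_datetime(ft), path)


def sid_from_recycle_path(path: str) -> Optional[str]:
    """Extract the owning SID from a path like C:\\$Recycle.Bin\\S-1-5-21-...\\$IABC123.txt."""
    m = SID_RE.search(path)
    return m.group(0) if m else None


def r_file_name(i_file_name: str) -> str:
    """The file's content sits beside the $I record under the matching $R name."""
    if not i_file_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_file_name[2:]


def build_sample_i_file(original_path: str, size: int, filetime: int, version: int = 2) -> bytes:
    """Constructed sample $I record for testing (not captured from a real system)."""
    header = struct.pack("<QQQ", version, size, filetime)
    encoded = original_path.encode("utf-16-le") + b"\x00\x00"
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(original_path) + 1) + encoded


if __name__ == "__main__":
    # 133444736000000000 is 2023-11-14 22:13:20 UTC expressed as a FILETIME.
    sample = build_sample_i_file("C:\\Users\\alice\\Desktop\\plan.docx", 4096, 133444736000000000)
    print(parse_i_file(sample))
    print(sid_from_recycle_path(
        "C:\\$Recycle.Bin\\S-1-5-21-1004336348-1177238915-682003330-1001\\$I5K3J2Q.docx"))
```

Resolve the SID to an account name through the SAM (local accounts) or the SOFTWARE hive's ProfileList key, and remember that the $I record carries the deletion time while the matching $R file keeps the original content and its own NTFS timestamps.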
28. How does PhotoRec recover deleted files from a host? - ANSWER ✓ It
searches free (unallocated) space looking for file signatures that match
specific file types, so it does not depend on file system metadata.
29. You are responding to an incident in progress on a workstation. Why is it
important to check for the presence of encryption on the suspect workstation
before turning it off? - ANSWER ✓ Data on mounted volumes and decryption keys
stored as volatile data may be lost.
30. How can cookies.sqlite be linked to a specific user account? - ANSWER ✓
The DB file is stored in the corresponding profile folder, which sits under
that user's AppData directory.
31. You are reviewing the contents of a Windows shortcut (.lnk file) pointing
to C:\SANS.JPG. Which of the following metadata can you expect to find? -
ANSWER ✓ The last access time of C:\SANS.JPG. The shortcut's header stores
the target's creation, last access and last write times and its size as they
were when the shortcut was created or last updated, independent of the
shortcut file's own timestamps.
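An added example, not part of the original notes: Python that parses the fixed 76-byte ShellLinkHeader at the start of every .lnk file, which is where the target's three timestamps and size live. The field layout and the LinkCLSID are those documented in MS-SHLLINK; the sample header built here and the function names are this example's own, and the sample contains only the header (no LinkInfo or string data follow it).

```python
"""Parse the ShellLinkHeader at the start of a Windows .lnk file (MS-SHLLINK 2.1)."""
import struct
import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
# HeaderSize, LinkCLSID, LinkFlags, FileAttributes, CreationTime, AccessTime,
# WriteTime, FileSize, IconIndex, ShowCommand, HotKey, Reserved1/2/3: 76 bytes.
HEADER_FMT = "<I16sIIQQQIIIHHII"

# Selected LinkFlags bits (MS-SHLLINK 2.1.1).
HAS_LINK_TARGET_ID_LIST = 0x00000001
HAS_LINK_INFO = 0x00000002
HAS_NAME = 0x00000004
HAS_RELATIVE_PATH = 0x00000008
HAS_WORKING_DIR = 0x00000010
HAS_ARGUMENTS = 0x00000020
HAS_ICON_LOCATION = 0x00000040
IS_UNICODE = 0x00000080


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """FILETIME (100 ns ticks since 1601-01-01 UTC); zero means 'not set'."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


@dataclass
class ShellLinkHeader:
    link_flags: int
    file_attributes: int                 # FILE_ATTRIBUTE_* bits of the target
    creation_time: Optional[datetime]    # target's timestamps captured when the
    access_time: Optional[datetime]      # link was created or last updated
    write_time: Optional[datetime]
    file_size: int                       # low 32 bits of the target's size
    icon_index: int
    show_command: int

    def has(self, flag: int) -> bool:
        return bool(self.link_flags & flag)


def parse_lnk_header(data: bytes) -> ShellLinkHeader:
    """Validate HeaderSize and LinkCLSID, then unpack the fixed fields."""
    if len(data) < HEADER_SIZE:
        raise ValueError("data shorter than a ShellLinkHeader")
    (hsize, clsid, flags, attrs, ctime, atime, wtime,
     fsize, icon, show, _hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data, 0)
    if hsize != HEADER_SIZE or uuid.UUID(bytes_le=clsid) != LINK_CLSID:
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    return ShellLinkHeader(flags, attrs, filetime_to_datetime(ctime),
                           filetime_to_datetime(atime), filetime_to_datetime(wtime),
                           fsize, icon, show)


def is_shell_link(data: bytes) -> bool:
    """True when the bytes start with a valid ShellLinkHeader."""
    try:
        parse_lnk_header(data)
        return True
    except ValueError:
        return False


def build_sample_lnk_header(ctime: int, atime: int, wtime: int, size: int,
                            flags: int = HAS_LINK_INFO | IS_UNICODE,
                            attrs: int = 0x20) -> bytes:
    """Constructed header only, for testing; not taken from a real shortcut."""
    return struct.pack(HEADER_FMT, HEADER_SIZE, LINK_CLSID.bytes_le, flags, attrs,
                       ctime, atime, wtime, size, 0, 1, 0, 0, 0, 0)


if __name__ == "__main__":
    base = 133444736000000000   # 2023-11-14 22:13:20 UTC as a FILETIME
    hdr = build_sample_lnk_header(base, base + 600_000_000, base, 1_048_576)
    print(parse_lnk_header(hdr))
```

The three timestamps are copied from the target when the shell writes the link, so they are a snapshot of C:\SANS.JPG at that moment and can differ from both the link file's own NTFS timestamps and the target's current ones. A zero FILETIME is reported as None rather than as 1601-01-01.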