SANS 500 ACTUAL EXAM NEWEST 2025 COMPLETE 200 QUESTIONS
AND CORRECT DETAILED ANSWERS (VERIFIED ANSWERS) |ALREADY
GRADED A+||BRAND NEW VERSION!!
Layout.ini - CORRECT ANSWERS-Contains the original path names of the files located in the
Prefetch
Local Security Authority Subsystem Service (LSASS) - CORRECT ANSWERS-Responsible for
enforcing the security policy on the system
Low (Low Folder) - CORRECT ANSWERS-A duplicate set of directories is necessary to store
files form unprivileged use, since not all activities using the browser are unprivileged. Most of our
internet usage should be found in the low folders.
Mail Transfer Agent (MTA) - CORRECT ANSWERS-Formal name for mail server software
Extended MAPI Headers - CORRECT ANSWERS-Core component of Exchange and Outlook
messaging architecture. Significantly increases email header properties by adding additional timestamps,
unique identifiers, and information on actions taken on the message itself.
Master Boot Record (MBR) - CORRECT ANSWERS-The first sector on a hard drive, which
contains the partition table and a program the BIOS uses to boot an OS from the drive.
Memory Aquisition - CORRECT ANSWERS-Necessary to acquire volatile data. Without a
memory image, there is a little chance to bypass whole disk encryption. This is where a massive amount
of useful user-attributed data lives. You can find running processes, open files, encryption keys and
passwords, network connections, configuration parameters, and memory-only exploits / rootkits.
Background Activity Monitor (BAM) - CORRECT ANSWERS-This key is used in conjunction with
the DAM key to record the path of the executable and the last date/time executed.
,BagMRU - CORRECT ANSWERS-Based on the keys that are here, you can tell which directories
were opened/closed during a time period.
Bookmarks - CORRECT ANSWERS-Created by the user and are shortcuts to websites that are
frequently visited or saved for later. They can also contain user account, URL, URL parameters, page title,
creation date, and last used date.
Browser Forensics - CORRECT ANSWERS-History files, browser cache, and cookies make up
the bulk of browser artifacts. You can find the websites a user visited and how many times they visited
and when, saved websites, downloaded files, usernames, and what the user searched for.
BSSID - CORRECT ANSWERS-(Basic Service Set ID) the MAC address of a base station, used to
identify it to host stations.
Compliance Search - CORRECT ANSWERS-Powershell cmdlet used for eDiscovery for nearly
any kind of search.
Connected Standby - CORRECT ANSWERS-In Windows 8, systems with a SSD could take
advantage of this new low-power mode. Was expanded upon in Windows 10 with Modern Standby.
CurrentControlSet - CORRECT ANSWERS-Identifies which control set is considered the Current
one. Contains system config settings needed to control system boot, like the driver and service
information. ControlSet001 is typically the set you just booted into the computer with. It is usually the
most up to date. ControlSet002 is the "Last Known Good" version, if something drastic happened.
Custom Destinations - CORRECT ANSWERS-Created by each application and there is custom.
Intended to present content that the application has deemed significant based on either previous usage
of the app or through an action that has indicated that an item is of importance to the user.
Data Stream Carving - CORRECT ANSWERS-The carving of small fragments of a file, not the
whole file. Fragments can be pulled from memory, unallocated space, and allocated database files. Ex:
URLs, chat sessions, emails, encryption keys,...
, DEAD System - Memory Acquisition - CORRECT ANSWERS-You can analysis the hiberfil.sys by
copying it from the root of the system drive. memory.dmp is a crash dump file that can also be used if a
full crash dump was taken. pagefile.sys is not a complete copy of RAM, but can still provide parts of
memory that were paged out to disk.
Desktop Activity Monitor (DAM) - CORRECT ANSWERS-Used in conjunction with the BAM key
to record the path of the executable and the last date/time executed. The DAM is present on system that
have Connected Standby present.
DOMStore - CORRECT ANSWERS-This is where Web Store files are stored in IE/Edge. Set up in
a similar fashion to cache. WebCacheV*.dat file manages the DOMStore filenames and the owning sites.
It includes creation and last access timestamps for Web Storage artifacts.
Exchange Database (EDB) - CORRECT ANSWERS-Container for user Microsoft Exchange
mailboxes. Stored in ESE format.
Email Header - CORRECT ANSWERS-Required component. Provides the envelope that a
message relies on for getting it to the destination. Only completely reliable information from the Mail
Transfer Agent that you own or trust.
EMDMgmt - CORRECT ANSWERS-Traditionally used for ReadyBoost to remember whether it
passed inspection. Each key in it provides the USB device manufacturer, ID, Serial Number, Volume
Name, and Volume Serial Number.
ESE Database - CORRECT ANSWERS-A proprietary Microsoft database format. Can be broken
up into multiple storage groups, each able to contain multiple database files.
Exif Data - CORRECT ANSWERS-Also called metadata, this is information electronically
attached to each image file, such as shutter speed, aperture, ISO, lens length, white balance, and other
settings used when taking the picture.
File Carving - CORRECT ANSWERS-The process of recovering intact files from memory or
unallocated space. It is done by scanning for known file headers at cluster boundaries and carve a file
out based on a "predicted" length or until a known footer is found. Generally results in a lot of false
positives.
AND CORRECT DETAILED ANSWERS (VERIFIED ANSWERS) |ALREADY
GRADED A+||BRAND NEW VERSION!!
Layout.ini - CORRECT ANSWERS-Contains the original path names of the files located in the
Prefetch
Local Security Authority Subsystem Service (LSASS) - CORRECT ANSWERS-Responsible for
enforcing the security policy on the system
Low (Low Folder) - CORRECT ANSWERS-A duplicate set of directories is necessary to store
files form unprivileged use, since not all activities using the browser are unprivileged. Most of our
internet usage should be found in the low folders.
Mail Transfer Agent (MTA) - CORRECT ANSWERS-Formal name for mail server software
Extended MAPI Headers - CORRECT ANSWERS-Core component of Exchange and Outlook
messaging architecture. Significantly increases email header properties by adding additional timestamps,
unique identifiers, and information on actions taken on the message itself.
Master Boot Record (MBR) - CORRECT ANSWERS-The first sector on a hard drive, which
contains the partition table and a program the BIOS uses to boot an OS from the drive.
Memory Aquisition - CORRECT ANSWERS-Necessary to acquire volatile data. Without a
memory image, there is a little chance to bypass whole disk encryption. This is where a massive amount
of useful user-attributed data lives. You can find running processes, open files, encryption keys and
passwords, network connections, configuration parameters, and memory-only exploits / rootkits.
Background Activity Monitor (BAM) - CORRECT ANSWERS-This key is used in conjunction with
the DAM key to record the path of the executable and the last date/time executed.
,BagMRU - CORRECT ANSWERS-Based on the keys that are here, you can tell which directories
were opened/closed during a time period.
Bookmarks - CORRECT ANSWERS-Created by the user and are shortcuts to websites that are
frequently visited or saved for later. They can also contain user account, URL, URL parameters, page title,
creation date, and last used date.
Browser Forensics - CORRECT ANSWERS-History files, browser cache, and cookies make up
the bulk of browser artifacts. You can find the websites a user visited and how many times they visited
and when, saved websites, downloaded files, usernames, and what the user searched for.
BSSID - CORRECT ANSWERS-(Basic Service Set ID) the MAC address of a base station, used to
identify it to host stations.
Compliance Search - CORRECT ANSWERS-Powershell cmdlet used for eDiscovery for nearly
any kind of search.
Connected Standby - CORRECT ANSWERS-In Windows 8, systems with a SSD could take
advantage of this new low-power mode. Was expanded upon in Windows 10 with Modern Standby.
CurrentControlSet - CORRECT ANSWERS-Identifies which control set is considered the Current
one. Contains system config settings needed to control system boot, like the driver and service
information. ControlSet001 is typically the set you just booted into the computer with. It is usually the
most up to date. ControlSet002 is the "Last Known Good" version, if something drastic happened.
Custom Destinations - CORRECT ANSWERS-Created by each application and there is custom.
Intended to present content that the application has deemed significant based on either previous usage
of the app or through an action that has indicated that an item is of importance to the user.
Data Stream Carving - CORRECT ANSWERS-The carving of small fragments of a file, not the
whole file. Fragments can be pulled from memory, unallocated space, and allocated database files. Ex:
URLs, chat sessions, emails, encryption keys,...
, DEAD System - Memory Acquisition - CORRECT ANSWERS-You can analysis the hiberfil.sys by
copying it from the root of the system drive. memory.dmp is a crash dump file that can also be used if a
full crash dump was taken. pagefile.sys is not a complete copy of RAM, but can still provide parts of
memory that were paged out to disk.
Desktop Activity Monitor (DAM) - CORRECT ANSWERS-Used in conjunction with the BAM key
to record the path of the executable and the last date/time executed. The DAM is present on system that
have Connected Standby present.
DOMStore - CORRECT ANSWERS-This is where Web Store files are stored in IE/Edge. Set up in
a similar fashion to cache. WebCacheV*.dat file manages the DOMStore filenames and the owning sites.
It includes creation and last access timestamps for Web Storage artifacts.
Exchange Database (EDB) - CORRECT ANSWERS-Container for user Microsoft Exchange
mailboxes. Stored in ESE format.
Email Header - CORRECT ANSWERS-Required component. Provides the envelope that a
message relies on for getting it to the destination. Only completely reliable information from the Mail
Transfer Agent that you own or trust.
EMDMgmt - CORRECT ANSWERS-Traditionally used for ReadyBoost to remember whether it
passed inspection. Each key in it provides the USB device manufacturer, ID, Serial Number, Volume
Name, and Volume Serial Number.
ESE Database - CORRECT ANSWERS-A proprietary Microsoft database format. Can be broken
up into multiple storage groups, each able to contain multiple database files.
Exif Data - CORRECT ANSWERS-Also called metadata, this is information electronically
attached to each image file, such as shutter speed, aperture, ISO, lens length, white balance, and other
settings used when taking the picture.
File Carving - CORRECT ANSWERS-The process of recovering intact files from memory or
unallocated space. It is done by scanning for known file headers at cluster boundaries and carve a file
out based on a "predicted" length or until a known footer is found. Generally results in a lot of false
positives.
