Exam (elaborations)

SANS 500 Real Exam Practice Questions with Verified Solutions | Graded A+ | Digital Forensics & Incident Response

Rating: -
Sold: -
Pages: 52
Grade: A+
Uploaded on: 27-11-2025
Written in: 2025/2026

Master the SANS 500 (FOR500: Windows Forensic Analysis) exam with this comprehensive collection of real practice questions and verified solutions. This resource covers critical topics including Windows Registry analysis, browser artifacts (Chrome, Firefox, IE/Edge), file system forensics (NTFS, MFT, Prefetch), memory acquisition, email investigations, cloud storage artifacts, and anti-forensics techniques. Achieve a top score with these tested and approved questions, guaranteed to be graded A+.

Preview of the content

SANS 500 REAL EXAM PRACTICE QUESTIONS
WITH VERIFIED SOLUTIONS GRADED A+


You are reviewing the contents of a Windows shortcut [.lnk file]
pointing to C:\SANS.JPG. Which of the following metadata can you
expect to find?

The last access time of C:\SANS.JPG




Which of the following must you remember when reviewing
Windows registry data in your timeline?

Registry keys store only a 'LastWrite' time stamp and do not indicate
when they were created, accessed or deleted




What information can be deduced by the following artifact?
System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

If an interface GUID was used to connect to the internet over 3G




Which part of the LNK file reveals the shell path to the target file?

PIDL - The PIDL section of a LNK file follows the header; it contains
a shell path (a PIDL) to the target file




In addition to the Web Notes Folder, which location contains Web
Notes browser artifacts?

Spartan.edb




Which event will create a new directory in C:\System Volume
Information\?

Software installation. There are several ways to create a new volume
shadow copy - Software installation, System snapshot, Manual
snapshot




You are examining an image of a Windows system. In the
C:\Windows\Prefetch directory you find an entry for "EvilBin.Exe".
Assuming the file was legitimately created by the operating system,
what does this file's existence mean to you, as the forensic
investigator?

EvilBin.Exe has been run at least once on this system

What does the unique GUID assigned to each sub-key of the
UserAssist registry entry represent?

Method used to execute an application




Why is it important to collect volatile data during incident response?

Information could be lost if the system is powered off or rebooted




You are responding to an incident. The suspect was using his
Windows Desktop Computer with Firefox and "Private Browsing"
enabled. The attack was interrupted when it was detected, and the
browser windows are still open. What can you do to capture the most
in-depth data from the suspect's browser session?

Collect the contents of the computer's RAM




How is a user mapped to contents of the recycle bin?

SID

How does PhotoRec recover deleted files from a host?

Searches free space looking for file signatures that match specific file
types




You are responding to an incident in progress on a workstation. Why
is it important to check for the presence of encryption on the suspect
workstation before turning it off?

Data on mounted volumes and decryption keys stored as volatile data
may be lost




How can cookies.sqlite be linked to a specific user account?

The DB file is stored in the corresponding profile folder




Which is the advantage offered by server-based e-mail forensic tools
when compared to standard forensic suites?

They allow simultaneous searches across multiple user accounts

Seller: TESTBANKNURSEHUB