SANS 500 EXAM LATEST EXAM 2025 | ALL QUESTIONS AND CORRECT ANSWERS (VERIFIED ANSWERS), Exams of Cybercrime, Cybersecurity and Data Privacy

SANS 500 EXAM LATEST EXAM 2025 | ALL QUESTIONS AND CORRECT ANSWERS (VERIFIED ANSWERS) | LATEST EXAM | JUST RELEASED | GRADED A+

Typology: Exams

2024/2025

Available from 06/12/2025

Uploaded by rex-smith-1

When examining an Event log using Microsoft Event Viewer, an event informs you that disk space is low on the system. What type of event is this?
Correct answer: Warning

For a live system, when should logical imaging be used instead of physical imaging?
Correct answer: When the hard drive is encrypted

What Windows 10 artifact maintains over 30 days of user activity for hosts with a minimum build version of 1803?
Correct answer: ActivitiesCache.db

A user decides to clear their history through privacy settings in a Chromium-based browser. Which data remains on the system if the user clears all browsing history?
Correct answer: Media History

Which registry subkey can show that a specific user is aware that an application existed on their host and that the user configured the host to keep the application present on the taskbar?
Correct answer: AppLaunch

Which event will create a new directory in C:\System Volume Information?
Correct answer: Sector-level scan of the drive

What info can be deduced from the following artifact? System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
Correct answer: The first and last time a specific network connection was made

You are examining the contents of a Windows Shortcut (.LNK file) pointing to C:\Sans.JPG. Which of the following metadata can you expect to find?
Correct answer: The last access time of C:\SANS.JPG

An analyst is collecting Skype logs from a Windows 10 host. What directory should he copy?
Correct answer: C:\Users\<user>\AppData\Roaming\Skype\<skype-name>

Which of the following artifacts can indicate that a file was downloaded from the internet using Internet Explorer?
Correct answer: Zone.Identifier

What do the values in the RecentDocs sub-key MRU indicate?
Correct answer: Order in which files were opened

Which of the following actions could lead to out-of-sequence events in the Windows security log?
Correct answer: Modifying the system time during malicious activity

You are responding to an incident in progress on a workstation. Why is it important to check for the presence of encryption on the suspect workstation before turning it off?
Correct answer: Data on mounted volumes and decryption keys stored as volatile data may be lost

How can cookies.sqlite be linked to a specific user account?
Correct answer: The DB file is stored in the corresponding profile folder

You are reviewing the contents of a Windows shortcut (.LNK file) pointing to C:\SANS.JPG. Which of the following metadata can you expect to find?
Correct answer: The last access time of C:\SANS.JPG

Which of the following must you remember when reviewing Windows registry data in your timeline?
Correct answer: Registry keys store only a 'LastWrite' time stamp and do not indicate when they were created, accessed or deleted

What information can be deduced from the following artifact? System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
Correct answer: If an interface GUID was used to connect to the internet over 3G

Which part of the LNK file reveals the shell path to the target file?
Correct answer: PIDL. The PIDL section of a LNK file follows the header; it contains a shell path (a PIDL) to the target file

In addition to the Web Notes folder, which location contains Web Notes browser artifacts?
Correct answer: Spartan.edb

Which event will create a new directory in C:\System Volume Information?
Correct answer: Software installation. There are several ways to create a new volume shadow copy: software installation, system snapshot, manual snapshot

You are examining an image of a Windows system. In the C:\Windows\Prefetch directory you find an entry for "EvilBin.Exe". Assuming the file was legitimately created by the operating system, what does this file's existence mean to you, as the forensic investigator?
Correct answer: EvilBin.Exe has been run at least once on this system

What does the unique GUID assigned to each sub-key of the UserAssist registry entry represent?
Correct answer: Method used to execute an application

Which is the advantage offered by server-based e-mail forensic tools when compared to standard forensic suites?
Correct answer: They allow simultaneous searches across multiple user accounts

Which Windows 7 event log records installation and update information for Windows security updates and patches?
Correct answer: Setup.log records installation and update information on all applications

What is the minimum level of access a user would need to modify the system time on a Windows 10 workstation?
Correct answer: Administrator

An investigation involves a Windows user who is alleged to have violated Internet-use policy. The user uninstalled Firefox in order to hide their activity. Which approach can recover browser artifacts?
Correct answer: Analyze places.sqlite

What can be determined by analyzing any subkeys and their value(s) in the following path? Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\<redacted>\NonPackaged
Correct answer: The last time the Zoom application started the webcam

You have been tasked with examining a .OST file as part of an investigation. Which of the following is the best way to review content in the file?
Correct answer: Run the free tool ost2pst.exe and convert to a .PST file, then open in Microsoft Outlook.

Which of the following occurs while using InPrivate mode of the Edge browser?
Correct answer: Persistent cookies are stored in temporary memory like session cookies until the session ends.

Which files inside of the Windows Vista/Win 7 recycle bin contain the actual file recovery data for a deleted file?
Correct answer: $R. Note: $I files contain the original path and name as well as the delete date and time

Which Windows 7 event log would be most likely to contain information regarding a third-party anti-virus program's deletion of malicious software on a system?
Correct answer: Application log

Which of the following types of info can be found in the Firefox cache?
Correct answer: The HTTP header from a visited website

Which of the following occurs to the space in the Windows registry when a key is deleted?
Correct answer: Unallocated and freed up for new data

Which of the following is metadata?
Correct answer: Cryptographic hash of a binary file

For which scenario should an analyst use the following command? PS C:\> esentutl.exe /mh .\Windows.edb
Correct answer: To determine if the ESE database is corrupt

When examining event logs for a computer, you see an event that states that the Event Log Service was started. What sort of event is this?
Correct answer: Information

Which of the following artifacts can give the first time and last time a text file was opened?
Correct answer: LNK files

Moe is preparing to examine the Windows 'windows.edb' with esentutl and discovered that the latest log files have not been included in the database. What can he do to ensure he is analyzing the most current data?
Correct answer: Recover the database

What do the values in the RecentDocs sub-key MRU indicate?
Correct answer: "Opened On" time stamp of the last 150 items

Where can a forensic analyst find name changes for the cloud-only Dropbox files?
Correct answer: nucleus.sqlite

How can cookies be useful to an investigation?
Correct answer: They can be used to identify Internet activity on a system

A user installs an instant messaging app on a company system. He is unaware that the app is configured to log chat history. Where would an investigator expect to locate the directories for the log files?
Correct answer: Allocated space

Which Registry key lists services that start at boot?
Correct answer: System\CurrentControlSet\Services

Alternate Data Streams (ADS)
Correct answer: Alternative content for a file that exists by creating additional data pointers within the same NTFS file. Basically the presence of a second or subsequent data stream. Zone.Identifier is an example of an ADS.

AMCACHE.HVE
Correct answer: Utilized for the internal application compatibility capability that allows Windows to run older executables from earlier iterations of the OS.

AppCompatCache
Correct answer: Tracks the executable file's last modification date, file path, and whether it was executed. Windows looks at this key to figure out if a program needs shimming for compatibility.

AppData Folder
Correct answer: Contains custom settings and other information needed by applications. Contains your Local, LocalLow and Roaming folders. For example, web browser bookmarks and cache.

AppID
Correct answer: Each application has a unique ID, but they are not unique to the system. Used to ensure that the application's preferences are not going to conflict with similar applications. Used in jumplists, both Custom and Automatic.

Application Log
Correct answer: Records events logged by applications, e.g. failure of MS SQL to access a database

Audit Removable Storage
Correct answer: Logs every interaction with a removable device by user.

BSSID
Correct answer: (Basic Service Set ID) The MAC address of a base station, used to identify it to host stations.

Compliance Search
Correct answer: PowerShell cmdlet used for eDiscovery for nearly any kind of search.

Connected Standby
Correct answer: In Windows 8, systems with an SSD could take advantage of this new low-power mode. It was expanded upon in Windows 10 with Modern Standby.

CurrentControlSet
Correct answer: Identifies which control set is considered the current one. Contains system config settings needed to control system boot, like the driver and service information. ControlSet001 is typically the set you just booted the computer with; it is usually the most up to date. ControlSet002 is the "Last Known Good" version, in case something drastic happened.

Custom Destinations
Correct answer: Created by each application and custom to it. Intended to present content that the application has deemed significant, based on either previous usage of the app or an action that has indicated that an item is of importance to the user.

Data Stream Carving
Correct answer: The carving of small fragments of a file, not the whole file. Fragments can be pulled from memory, unallocated space, and allocated database files. Ex: URLs, chat sessions, emails, encryption keys, ...

DEAD System - Memory Acquisition
Correct answer: You can analyze hiberfil.sys by copying it from the root of the system drive. memory.dmp is a crash dump file that can also be used if a full crash dump was taken. pagefile.sys is not a complete copy of RAM, but can still provide parts of memory that were paged out to disk.

Desktop Activity Monitor (DAM)
Correct answer: Used in conjunction with the BAM key to record the path of the executable and the last date/time executed. The DAM is present on systems that have Connected Standby.

DOMStore
Correct answer: This is where Web Storage files are stored in IE/Edge. Set up in a similar fashion to the cache. The WebCacheV*.dat file manages the DOMStore filenames and the owning sites. It includes creation and last access timestamps for Web Storage artifacts.

Exchange Database (EDB)
Correct answer: Container for user Microsoft Exchange mailboxes. Stored in ESE format.

Email Header
Correct answer: Required component. Provides the envelope that a message relies on for getting to its destination. The only completely reliable information is from the Mail Transfer Agent that you own or trust.

EMDMgmt
Correct answer: Traditionally used for ReadyBoost to remember whether a device passed inspection. Each key in it provides the USB device manufacturer, ID, Serial Number, Volume Name, and Volume Serial Number.

HKEY_CLASSES_ROOT
Correct answer: Includes information about which filename extensions map to particular applications.

HKEY_CURRENT_USER
Correct answer: Stores settings that concern the currently logged-on user.

HKEY_LOCAL_MACHINE
Correct answer: Contains the majority of the configuration information for the software/hardware you have installed and for the OS itself.

HKEY_USERS
Correct answer: Stores data corresponding to all users who have ever logged on to the computer.

Cloud-Based Email
Correct answer: All email has been located on an email server, but if the email resides on the server rather than locally on the workstation, then it is cloud-based. Most corporate environments employ dedicated mail servers.

Host-Based Email
Correct answer: Any email archive stored locally on a computer, independent of an email server. Typically uses an index file that acts as a table of contents and stores metadata. A separate message store houses the email messages themselves.

Image Mounting
Correct answer: The benefit of mounting images is that the image is seen as a mounted filesystem, so you can interact with files through their native or associated application, run antivirus and malware detection, share with remote computers, and copy files out of the image. It is also forensically sound.

Index.dat
Correct answer: Prior to IE10, index.dat files were used to store metadata for browser history, cache, cookies, and download history.

Journaling
Correct answer: A filesystem function that makes use of a log file to track changes to the metadata, so as to track the state and integrity of the filesystem at all times.

Jumplist
Correct answer: Allows users to jump to items they frequent. These are the icons you see if you right-click on an app in the taskbar. Provides another location to verify the opening and/or creation of non-executable files. Helps identify that wiped/deleted files had existed at one point.

LastVisitedMRU
Correct answer: Tracks the specific executable used by an application to open the files documented in the OpenSaveMRU key. Each value also tracks the directory location for the last file that was accessed by that application. This is how the Open/Save dialog box shows where you last opened a file from.

Layout.ini
Correct answer: Contains the original path names of the files located in the Prefetch

Message Tracing
Correct answer: Log recording a wealth of details about sent and received messages in the organization.

Message-ID
Correct answer: Provided by the originating mail server and consists of a unique ID appended to the server name with an @ symbol. Similar to a tracking number.

Master File Table (MFT)
Correct answer: NTFS uses this database to store a link to files. It contains information about access rights, date and time stamps, system attributes, and other information about files. Makes up the first section of the disk.

MFU
Correct answer: Closely associated with MRU.

MIME
Correct answer: End-to-end protocol that enables users to digitally sign and encrypt messages. Most common type of encryption encountered in emails. Typically encodes email attachments too.

Mobile Email
Correct answer: Many smartphones are synced to a corporate mail server and maintain only copies of emails. The device could have messages on it that would be difficult to get elsewhere. Consider MDM as well.

Modern Standby (MS)
Correct answer: Makes computers operate more like mobile devices by delivering low power consumption and enables low-power communications (Wi-Fi, mobile broadband, and Ethernet) to receive essential communication while reducing the time for the computer to wake and be fully operational. This extends the life of RAM information beyond reboot and even extended powered-off states, because RAM is being saved to the hibernation file. Improves upon Connected Standby.

MountedDevices
Correct answer: This key is important for tracking physical devices plugged into the Windows OS because it incorporates the drive signature and the partition location into the key.

MRU / MRULists
Correct answer: Key values that are responsible for keeping track of the most recent additions to a registry key, so the key data can determine the order in which the data was added to the key. This aids in determining the order of activity for a specific artifact and proves user interaction. They are responsible for the drop-down menus that appear whenever you type something in Internet Explorer, keywords, and other terms in the auto-complete feature.

Mass Storage Class (MSC)
Correct answer: Allows mounting of a device's storage area as removable media and provides direct access to sectors of data for reading and writing. The mounting occurs on a physical level. Primarily where intellectual property theft occurs. Ex: external drives, USB drives, MP3 players

Picture Transfer Protocol (PTP)
Correct answer: Only deals with images, videos, and their associated metadata. Does not provide support for transferring other file types. Allows only a unidirectional transfer of files (from the device to the computer). Mounting occurs on a logical level, meaning you cannot see the underlying filesystem structure for the device. Ex: Cameras, scanners, printers