Exam (elaborations)

SANS 500 EXAM QUESTIONS & ANSWERS 100% SOLVED!!

Pages
15
Grade
A+
Uploaded on
10-12-2024
Written in
2024/2025

Institution
SANS 500
Course
SANS 500
Contains
Questions & answers
Content preview

Alternate Data Streams (ADS) - ANSWERS: Alternative content for a file that exists by
creating additional data pointers within the same NTFS file. Basically the presence of a
second or subsequent data stream. Zone.Identifier is an example of an ADS.

AMCACHE.HVE - ANSWERS: Utilized for the internal application compatibility capability
that allows for Windows to run older executables found from earlier iterations of their
OS.

AppCompatCache - ANSWERS: Tracks the executable file's last modification date, file
path, and if it was executed. Windows looks at this key to figure out if a program needs
shimming for compatibility.

AppData Folder - ANSWERS: Contains custom settings and other information needed by
applications. Contains your Local, LocalLow, Roaming folders. For example, Web
browser bookmarks and cache.

AppID - ANSWERS: Each application has a unique id, but they are not unique to the
system. Used to ensure that the application's preferences are not going to conflict with
similar applications. Used in jumplists, in both Custom and Automatic.

Application Log - ANSWERS: Records events logged by applications. ex: failure of MS
SQL to access a database.

Audit Removable Storage - ANSWERS: Logs every interaction with a removable device by
a user.

Automatic Destinations - ANSWERS: Contains a list of applications sorted by AppID. Can
be used to map the history of the application from its first use.

Autostart - ANSWERS: Lists the programs that run at system boot. Useful to find
malware on a machine that installs on boot, such as a rootkit.

Background Activity Monitor (BAM) - ANSWERS: This key is used in conjunction with the
DAM key to record the path of the executable and the last date/time executed.

BagMRU - ANSWERS: Based on the keys that are here, you can tell which directories
were opened/closed during a time period.

Bookmarks - ANSWERS: Created by the user and are shortcuts to websites that are
frequently visited or saved for later. They can also contain user account, URL, URL
parameters, page title, creation date, and last used date.

Browser Forensics - ANSWERS: History files, browser cache, and cookies make up the
bulk of browser artifacts. You can find the websites a user visited and how many times
they visited and when, saved websites, downloaded files, usernames, and what the
user searched for.

BSSID - ANSWERS: (Basic Service Set ID) the MAC address of a base station, used to
identify it to host stations.

Compliance Search - ANSWERS: PowerShell cmdlet used for eDiscovery for nearly any
kind of search.

Connected Standby - ANSWERS: In Windows 8, systems with an SSD could take
advantage of this new low-power mode. Was expanded upon in Windows 10 with
Modern Standby.

CurrentControlSet - ANSWERS: Identifies which control set is considered the Current
one. Contains system config settings needed to control system boot, like the driver and
service information. ControlSet001 is typically the set you just booted into the computer
with. It is usually the most up to date. ControlSet002 is the "Last Known Good" version,
if something drastic happened.

Custom Destinations - ANSWERS: Created by each application, and their content is custom.
Intended to present content that the application has deemed significant based on either
previous usage of the app or through an action that has indicated that an item is of
importance to the user.

Data Stream Carving - ANSWERS: The carving of small fragments of a file, not the whole
file. Fragments can be pulled from memory, unallocated space, and allocated database
files. Ex: URLs, chat sessions, emails, encryption keys, ...

DEAD System - Memory Acquisition - ANSWERS: You can analyze the hiberfil.sys by
copying it from the root of the system drive. memory.dmp is a crash dump file that can
also be used if a full crash dump was taken. pagefile.sys is not a complete copy of
RAM, but can still provide parts of memory that were paged out to disk.

Desktop Activity Monitor (DAM) - ANSWERS: Used in conjunction with the BAM key to
record the path of the executable and the last date/time executed. The DAM is present
on systems that have Connected Standby present.

DOMStore - ANSWERS: This is where Web Store files are stored in IE/Edge. Set up in a
similar fashion to cache. WebCacheV*.dat file manages the DOMStore filenames and