SANS 500 UPDATED ACTUAL Exam Questions and CORRECT Answers

Pages: 7
Grade: A+
Uploaded on: 17-01-2025
Written in: 2024/2025

Institution: SANS
Course: SANS
Type: Exam (elaborations)
Contains: Questions & answers

Content preview

SANS 500 UPDATED ACTUAL Exam Questions and CORRECT Answers

Why is it important to collect volatile data during incident response? - CORRECT ANSWER - Information could be lost if the system is powered off or rebooted


You are responding to an incident. The suspect was using his Windows Desktop Computer with Firefox and "Private Browsing" enabled. The attack was interrupted when it was detected, and the browser windows are still open. What can you do to capture the most in-depth data from the suspect's browser session? - CORRECT ANSWER - Collect the contents of the computer's RAM


How is a user mapped to contents of the recycle bin? - CORRECT ANSWER - SID



How does PhotoRec recover deleted files from a host? - CORRECT ANSWER - Searches free space looking for file signatures that match specific file types


You are responding to an incident in progress on a workstation. Why is it important to check for the presence of encryption on the suspect workstation before turning it off? - CORRECT ANSWER - Data on mounted volumes and decryption keys stored as volatile data may be lost


How can cookies.sqlite be linked to a specific user account? - CORRECT ANSWER - The DB file is stored in the corresponding profile folder


You are reviewing the contents of a Windows shortcut (.lnk file) pointing to C:\SANS.JPG. Which of the following metadata can you expect to find? - CORRECT ANSWER - The last access time of C:\SANS.JPG


Which of the following must you remember when reviewing Windows registry data in your timeline? - CORRECT ANSWER - Registry keys store only a 'LastWrite' time stamp and do not indicate when they were created, accessed or deleted

What information can be deduced from the following artifact? System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces - CORRECT ANSWER - If an interface GUID was used to connect to the internet over 3G


Which part of the LNK file reveals the shell path to the target file? - CORRECT ANSWER - PIDL - The PIDL section of a LNK file, which follows the header, contains a shell path (a PIDL) to the target file


In addition to the Web Notes Folder, which location contains Web Notes browser artifacts? - CORRECT ANSWER - Spartan.edb


Which event will create a new directory in C:\System Volume Information\? - CORRECT ANSWER - Software installation. There are several ways to create a new volume shadow copy - Software installation, System snapshot, Manual snapshot


You are examining an image of a Windows system. In the C:\Windows\Prefetch directory you find an entry for "EvilBin.Exe". Assuming the file was legitimately created by the operating system, what does this file's existence mean to you, as the forensic investigator? - CORRECT ANSWER - EvilBin.Exe has been run at least once on this system


What does the unique GUID assigned to each sub-key of the UserAssist registry entry represent? - CORRECT ANSWER - Method used to execute an application


Which is the advantage offered by server-based e-mail forensic tools when compared to standard forensic suites? - CORRECT ANSWER - They allow simultaneous searches across multiple user accounts


Which Windows 7 event log records installation and update information for Windows security updates and patches? - CORRECT ANSWER - Setup.log records installation and update information on all applications
