QUESTIONS AND CORRECT ANSWERS (VERIFIED ANSWERS)
Why is it important to collect volatile data during incident response? - (Correct
Answer)-Information could be lost if the system is powered off or rebooted
You are responding to an incident. The suspect was using his Windows
Desktop Computer with Firefox and "Private Browsing" enabled. The attack
was interrupted when it was detected, and the browser windows are still
open. What can you do to capture the most in-depth data from the suspect's
browser session? - (Correct Answer)-Collect the contents of the computer's
RAM
How is a user mapped to contents of the recycle bin? - (Correct Answer)-SID
How does PhotoRec recover deleted files from a host? - (Correct Answer)-
Searches free space looking for file signatures that match specific file types
You are responding to an incident in progress on a workstation. Why is it
important to check the presence of encryption on the suspect workstation
before turning it off? - (Correct Answer)-Data on mounted volumes and
decryption keys stored as volatile data may be lost
How can cookies.sqlite be linked to a specific user account? - (Correct Answer)-
The DB file is stored in the corresponding profile folder
You are reviewing the contents of a Windows shortcut [.lnk file] pointing to
C:\SANS.JPG. Which of the following metadata can you expect to find? -
(Correct Answer)-The last access time of C:\SANS.JPG
Which of the following must you remember when reviewing Windows registry
data in your timeline? - (Correct Answer)-Registry keys store only a 'LastWrite'
time stamp and do not indicate when they were created, accessed or deleted
What information can be deduced from the following artifact?
System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces - (Correct Answer)-If
an interface GUID was used to connect to the internet over 3G
Which part of the LNK file reveals the shell path to the target file? - (Correct
Answer)-PIDL - The PIDL section of a LNK file follows the header; it contains a
shell path (a PIDL) to the target file