SANS 500 2025/2026 Exam Questions
with 100% Correct Answers | Latest
Update
Alternate Data Streams (ADS) - 🧠ANSWER ✔✔Alternative content for a file
that exists by creating additional data pointers within the same NTFS file.
Basically the presence of a second or subsequent data stream.
Zone.Identifier is an example of an ADS.
AMCACHE.HVE - 🧠ANSWER ✔✔Utilized for the internal application
compatibility capability that allows for Windows to run older executables
found from earlier iterations of their OS.
AppCompatCache - 🧠ANSWER ✔✔Tracks the executable file's last
modification date, file path, and if it was executed. Windows looks at this
key to figure out if a program needs shimming for compatibility.
,AppData Folder - 🧠ANSWER ✔✔Contains custom settings and other
information needed by applications. Contains your Local, LocalLow,
Roaming folders. For example, Web browser bookmarks and cache.
AppID - 🧠ANSWER ✔✔Each application has a unique id, but they are not
unique to the system. Used to ensure that the application's preferences are
not going to conflict with similar applications. Used in jumplists, in both
Custom and Automatic.
Application Log - 🧠ANSWER ✔✔Records events logged by applications.
ex: failure of MS SQL to access a database
Audit Removable Storage - 🧠ANSWER ✔✔Logs every interaction with
removable device by user.
Automatic Destinations - 🧠ANSWER ✔✔Contains a list of application sorted
by AppID. Can be used to map the history of the application from its first
use.
Autostart - 🧠ANSWER ✔✔Lists the programs that run at system boot.
Useful to find malware on a machine that installs on boot, such as a rootkit.
,Background Activity Monitor (BAM) - 🧠ANSWER ✔✔This key is used in
conjunction with the DAM key to record the path of the executable and the
last date/time executed.
BagMRU - 🧠ANSWER ✔✔Based on the keys that are here, you can tell
which directories were opened/closed during a time period.
Bookmarks - 🧠ANSWER ✔✔Created by the user and are shortcuts to
websites that are frequently visited or saved for later. They can also contain
user account, URL, URL parameters, page title, creation date, and last
used date.
Browser Forensics - 🧠ANSWER ✔✔History files, browser cache, and
cookies make up the bulk of browser artifacts. You can find the websites a
user visited and how many times they visited and when, saved websites,
downloaded files, usernames, and what the user searched for.
BSSID - 🧠ANSWER ✔✔(Basic Service Set ID) the MAC address of a base
station, used to identify it to host stations.
Compliance Search - 🧠ANSWER ✔✔Powershell cmdlet used for
eDiscovery for nearly any kind of search.
3
COPYRIGHT©JOSHCLAY 2025/2026. YEAR PUBLISHED 2025. COMPANY REGISTRATION NUMBER: 619652435. TERMS OF USE. PRIVACY
STATEMENT. ALL RIGHTS RESERVED
, Connected Standby - 🧠ANSWER ✔✔In Windows 8, systems with a SSD
could take advantage of this new low-power mode. Was expanded upon in
Windows 10 with Modern Standby.
CurrentControlSet - 🧠ANSWER ✔✔Identifies which control set is
considered the Current one. Contains system config settings needed to
control system boot, like the driver and service information. ControlSet001
is typically the set you just booted into the computer with. It is usually the
most up to date. ControlSet002 is the "Last Known Good" version, if
something drastic happened.
Custom Destinations - 🧠ANSWER ✔✔Created by each application and
there is custom. Intended to present content that the application has
deemed significant based on either previous usage of the app or through
an action that has indicated that an item is of importance to the user.
Data Stream Carving - 🧠ANSWER ✔✔The carving of small fragments of a
file, not the whole file. Fragments can be pulled from memory, unallocated
space, and allocated database files. Ex: URLs, chat sessions, emails,
encryption keys,...
with 100% Correct Answers | Latest
Update
Alternate Data Streams (ADS) - 🧠ANSWER ✔✔Alternative content for a file
that exists by creating additional data pointers within the same NTFS file.
Basically the presence of a second or subsequent data stream.
Zone.Identifier is an example of an ADS.
AMCACHE.HVE - 🧠ANSWER ✔✔Utilized for the internal application
compatibility capability that allows for Windows to run older executables
found from earlier iterations of their OS.
AppCompatCache - 🧠ANSWER ✔✔Tracks the executable file's last
modification date, file path, and if it was executed. Windows looks at this
key to figure out if a program needs shimming for compatibility.
,AppData Folder - 🧠ANSWER ✔✔Contains custom settings and other
information needed by applications. Contains your Local, LocalLow,
Roaming folders. For example, Web browser bookmarks and cache.
AppID - 🧠ANSWER ✔✔Each application has a unique id, but they are not
unique to the system. Used to ensure that the application's preferences are
not going to conflict with similar applications. Used in jumplists, in both
Custom and Automatic.
Application Log - 🧠ANSWER ✔✔Records events logged by applications.
ex: failure of MS SQL to access a database
Audit Removable Storage - 🧠ANSWER ✔✔Logs every interaction with
removable device by user.
Automatic Destinations - 🧠ANSWER ✔✔Contains a list of application sorted
by AppID. Can be used to map the history of the application from its first
use.
Autostart - 🧠ANSWER ✔✔Lists the programs that run at system boot.
Useful to find malware on a machine that installs on boot, such as a rootkit.
,Background Activity Monitor (BAM) - 🧠ANSWER ✔✔This key is used in
conjunction with the DAM key to record the path of the executable and the
last date/time executed.
BagMRU - 🧠ANSWER ✔✔Based on the keys that are here, you can tell
which directories were opened/closed during a time period.
Bookmarks - 🧠ANSWER ✔✔Created by the user and are shortcuts to
websites that are frequently visited or saved for later. They can also contain
user account, URL, URL parameters, page title, creation date, and last
used date.
Browser Forensics - 🧠ANSWER ✔✔History files, browser cache, and
cookies make up the bulk of browser artifacts. You can find the websites a
user visited and how many times they visited and when, saved websites,
downloaded files, usernames, and what the user searched for.
BSSID - 🧠ANSWER ✔✔(Basic Service Set ID) the MAC address of a base
station, used to identify it to host stations.
Compliance Search - 🧠ANSWER ✔✔Powershell cmdlet used for
eDiscovery for nearly any kind of search.
3
COPYRIGHT©JOSHCLAY 2025/2026. YEAR PUBLISHED 2025. COMPANY REGISTRATION NUMBER: 619652435. TERMS OF USE. PRIVACY
STATEMENT. ALL RIGHTS RESERVED
, Connected Standby - 🧠ANSWER ✔✔In Windows 8, systems with a SSD
could take advantage of this new low-power mode. Was expanded upon in
Windows 10 with Modern Standby.
CurrentControlSet - 🧠ANSWER ✔✔Identifies which control set is
considered the Current one. Contains system config settings needed to
control system boot, like the driver and service information. ControlSet001
is typically the set you just booted into the computer with. It is usually the
most up to date. ControlSet002 is the "Last Known Good" version, if
something drastic happened.
Custom Destinations - 🧠ANSWER ✔✔Created by each application and
there is custom. Intended to present content that the application has
deemed significant based on either previous usage of the app or through
an action that has indicated that an item is of importance to the user.
Data Stream Carving - 🧠ANSWER ✔✔The carving of small fragments of a
file, not the whole file. Fragments can be pulled from memory, unallocated
space, and allocated database files. Ex: URLs, chat sessions, emails,
encryption keys,...
