SANS 500 Questions and Correct Answers
Why is it important to collect volatile data during incident response? Ans: Information that exists only in memory (running processes, open network connections, logged-on sessions, decryption keys) is lost if the system is powered off or rebooted.
You are responding to an incident. The suspect was using his Windows desktop computer with Firefox and "Private Browsing" enabled. The attack was interrupted when it was detected, and the browser windows are still open. What can you do to capture the most in-depth data from the suspect's browser session? Ans: Collect the contents of the computer's RAM. A private-browsing session deliberately writes little or nothing (history, cookies, cache) to the on-disk profile, so the session state lives almost entirely in memory and is gone once the browser is closed or the machine is powered off.
How is a user mapped to contents of the Recycle Bin? Ans: By SID. Each user's deleted files are kept under $Recycle.Bin\<SID>\ (as $I metadata records paired with $R file contents), and the SID resolves to a profile through the registry ProfileList key.
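The SID-to-user mapping and the $I record format, as an added worked example that is not part of the original question set: the Recycle Bin path, the $I record and the ProfileList lookup table are all constructed here in memory (on a real system the table would come from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>\ProfileImagePath). Function names are the example's own.

```python
"""Attribute a Recycle Bin entry to a user via the SID in its path and decode
the $I metadata record (added example; data below is constructed)."""
import re
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# $Recycle.Bin\<SID>\$I<id>.<ext>: the SID folder is the user mapping.
SID_RE = re.compile(r"\\\$Recycle\.Bin\\(S-1-5-21(?:-\d+)+)\\\$I", re.IGNORECASE)

# Constructed stand-in for the ProfileList registry key (SID -> ProfileImagePath).
PROFILE_LIST = {
    "S-1-5-21-1111111111-2222222222-3333333333-1001": r"C:\Users\alice",
    "S-1-5-21-1111111111-2222222222-3333333333-1002": r"C:\Users\bob",
}


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt - FILETIME_EPOCH
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def sid_from_path(path: str):
    m = SID_RE.search(path)
    return m.group(1) if m else None


def parse_dollar_i(data: bytes) -> dict:
    """Decode a $I record.
    v1 (Vista-8.1): 8-byte version, 8-byte size, 8-byte FILETIME, 520-byte UTF-16 path.
    v2 (Win10+):    same header, then 4-byte char count (incl. NUL) and UTF-16 path."""
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[0x18:0x18 + 520]
        original = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 0x18)
        raw = data[0x1C:0x1C + nchars * 2]
        original = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "original_size": size,
            "deleted": filetime_to_datetime(deleted_ft), "original_path": original}


def attribute(path_on_disk: str, record: bytes, profile_list=PROFILE_LIST) -> dict:
    """Combine the SID from the on-disk path with the decoded $I record."""
    sid = sid_from_path(path_on_disk)
    info = parse_dollar_i(record)
    profile = profile_list.get(sid)
    info.update({"sid": sid, "profile": profile,
                 "user": profile.rsplit("\\", 1)[-1] if profile else None})
    return info


def build_dollar_i(version: int, original_path: str, size: int, deleted: datetime) -> bytes:
    """Constructed $I record for testing the parser."""
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    if version == 1:
        return head + original_path.encode("utf-16-le").ljust(520, b"\x00")
    body = (original_path + "\x00").encode("utf-16-le")
    return head + struct.pack("<I", len(original_path) + 1) + body


def sample_case(version: int = 2) -> dict:
    """Constructed incident data: a $I record found under alice's SID folder."""
    deleted = datetime(2025, 3, 4, 5, 6, 7, tzinfo=timezone.utc)
    path_on_disk = r"C:\$Recycle.Bin\S-1-5-21-1111111111-2222222222-3333333333-1001\$IABC123.docx"
    rec = build_dollar_i(version, r"C:\Users\alice\Documents\secret.docx", 1234, deleted)
    return attribute(path_on_disk, rec)


if __name__ == "__main__":
    for k, v in sample_case().items():
        print(f"{k}: {v}")
```

The $I record gives the original path, size and deletion time; the user comes only from the SID folder name, which is why the answer is "SID" and not anything inside the record itself.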
How does PhotoRec recover deleted files from a host? Ans: It ignores the filesystem and searches free (unallocated) space for file signatures (header/footer magic bytes) that match specific file types, carving out the matching byte ranges. Carved files therefore come back without their original names, paths or timestamps.
© 2025 All rights reserved
You are responding to an incident in progress on a workstation. Why is it important to check for the presence of encryption (full-disk or volume encryption) on the suspect workstation before turning it off? Ans: Data on mounted encrypted volumes and the decryption keys held in memory are volatile and may be lost; once powered off, those volumes are only readable again with the key or recovery material.
How can cookies.sqlite be linked to a specific user account? Ans: The database file is stored in the corresponding Firefox profile folder, which itself lives under that user's profile directory.
You are reviewing the contents of a Windows shortcut (.lnk file) pointing to C:\SANS.JPG. Which of the following metadata can you expect to find? Ans: The last access time of C:\SANS.JPG. The shell link header records the target's creation, access and write times (as FILETIME values) and its size as they were when the shortcut was written, which is distinct from the .lnk file's own filesystem timestamps.
Which of the following must you remember when reviewing Windows registry data in your timeline? Ans: Registry keys store only a 'LastWrite' timestamp; they do not indicate when a key was created, accessed or deleted, and individual values carry no timestamps at all, so a LastWrite on a key with many values cannot tell you which value changed.
What information can be deduced from the following artifact?
System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces