Why is it important to collect volatile data during incident response? -
🧠ANSWER ✔✔Information could be lost if the system is powered off or
rebooted
You are responding to an incident. The suspect was using his Windows
Desktop Computer with Firefox and "Private Browsing" enabled. The attack
was interrupted when it was detected, and the browser windows are still
open. What can you do to capture the most in-depth data from the
suspect's browser session? - 🧠ANSWER ✔✔Collect the contents of the
computer's RAM
How is a user mapped to contents of the recycle bin? - 🧠ANSWER ✔✔SID
How does PhotoRec recover deleted files from a host? - 🧠ANSWER
✔✔Searches free space looking for file signatures that match specific file
types
You are responding to an incident in progress on a workstation. Why is it
important to check the presence of encryption on the suspect workstation
before turning it off? - 🧠ANSWER ✔✔Data on mounted volumes and
decryption keys stored as volatile data may be lost
How can cookies.sqlite be linked to a specific user account? - 🧠ANSWER
✔✔The DB file is stored in the corresponding profile folder
You are reviewing the contents of a Windows shortcut [.lnk file] pointing to
C:\SANS.JPG. Which of the following metadata can you expect to find? -
🧠ANSWER ✔✔The last access time of C:\SANS.JPG
Which of the following must you remember when reviewing Windows
registry data in your timeline? - 🧠ANSWER ✔✔Registry keys store only a
'LastWrite' time stamp and do not indicate when they were created,
accessed or deleted
What information can be deduced by the following artifact?
System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces -