SANS 500
SANS 500 EXAM STUDY GUIDE
QUESTIONS AND ANSWERS 2025
Why is it important to collect volatile data during incident response -Correct Answer
✔Information could be lost if the system is powered off or rebooted
You are responding to an incident. The suspect was using his Windows Desktop
Computer with Firefox and "Private Browsing" enabled. The attack was interrupted
when it was detected, and the browser windows are still open. What can you do to
capture the most in-depth data from the suspect's browser session -Correct Answer
✔Collect the contents of the computer's RAM
How is a user mapped to contents of the recycle bin? -Correct Answer ✔SID
How does PhotRec Recover deleted files from a host? -Correct Answer ✔Searches free
space looking for file signatures that match specific file types
You are responding to an incident in progress on a workstation, Why is it important to
check the presence of encryption on the suspect workstation before turning it off? -
Correct Answer ✔Data on mounted volumes and decryption keys stored as volatile data
may be lost
How can cookies.sqlite linked to a specific user account -Correct Answer ✔The DB file
is stored in the corresponding profile folder
You are reviewing the contents of a Windows shortcut [.Ink file] pointing to
C:\SANS.JPG. Which of the following metadata can you expect to find? -Correct
Answer ✔The last access time of C:\SANS.JPG
Which of the following must you remember when reviewing Windows registry data in
your timeline -Correct Answer ✔Registry keys store only a 'LastWrite' time stamp and
do not indicate when they were created, accessed or deleted
What information can be deduced by the following artifact?
System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces -Correct Answer ✔If
an interface GUID was used to connect to the internet over 3G
Which part of the LNK file reveals the shell path to the target file -Correct Answer
✔PIDL - The PIDL section of a LNK file, follow the header, it contains a shell path (a
PIDL0 to the target file
In addition to the Web Notes Folder, which location contains Web Notes browser
artifacts? -Correct Answer ✔Spartan.edb
SANS 500
, SANS 500
Which event will create a new directory in C:\System Volume Information\? -Correct
Answer ✔Software installation. There are several ways to create a new volume shadow
copy - Software installation, System snapshot, Manual snapshot
You are examining an image of a Windows system. In the C:\Windows\Prefetch
directory you find an entry for "EvilBin.Exe". Assuming the file was legitimately created
by the operating system, what does this file's existence mean to you, as the forensic
investigator? -Correct Answer ✔EvilBin.Exe has been run at least once on this system
What does the unique GUID assigned to each sub-key of the UserAssist registry entry
represent? -Correct Answer ✔Method used to execute and application
Which is the advantage offered by server-based e-mail forensic tools when compared to
standard forensic suites? -Correct Answer ✔They allow simultaneous searches across
multiple user accounts
Which Windows 7 event log records installation and update information for Windows
security updates and patches -Correct Answer ✔Setup.log records installation and
update information on all applications
You are participating in an e-mail investigation for a company using Microsoft Exchange
with Outlook clients. Which of the following would reduce the results returned in a
keyword search of a user's mailbox? -Correct Answer ✔The organization's email clients
have S/MIME support enabled
Network logs show that Bob accessed \\10.10.23.47\Financial\Salary two weeks past.
Bob claims he never intentionally went to the network share, that he must've clicked on
a link that mapped to that location. Which registry key on Bob's host will show if he
knew the network location of the salary folder? -Correct Answer ✔TypePaths
Which local folder stores the Cookies DB in Chrome version 96 and above -Correct
Answer ✔Network
Which of the following is an example of volatile data -Correct Answer ✔Open files -
Current and running apps. on a workstation are volatile and all date will be lost if the
device is powered off
What artifact(s) will be created by Windows 10 when a user opens an office document
from a USB drive using Explorer -Correct Answer ✔Two LNK files are created in
C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent
Which of the following records a 'last write time' stored typically in UTC -Correct Answer
✔A change to a registry key value
SANS 500
SANS 500 EXAM STUDY GUIDE
QUESTIONS AND ANSWERS 2025
Why is it important to collect volatile data during incident response -Correct Answer
✔Information could be lost if the system is powered off or rebooted
You are responding to an incident. The suspect was using his Windows Desktop
Computer with Firefox and "Private Browsing" enabled. The attack was interrupted
when it was detected, and the browser windows are still open. What can you do to
capture the most in-depth data from the suspect's browser session -Correct Answer
✔Collect the contents of the computer's RAM
How is a user mapped to contents of the recycle bin? -Correct Answer ✔SID
How does PhotRec Recover deleted files from a host? -Correct Answer ✔Searches free
space looking for file signatures that match specific file types
You are responding to an incident in progress on a workstation, Why is it important to
check the presence of encryption on the suspect workstation before turning it off? -
Correct Answer ✔Data on mounted volumes and decryption keys stored as volatile data
may be lost
How can cookies.sqlite linked to a specific user account -Correct Answer ✔The DB file
is stored in the corresponding profile folder
You are reviewing the contents of a Windows shortcut [.Ink file] pointing to
C:\SANS.JPG. Which of the following metadata can you expect to find? -Correct
Answer ✔The last access time of C:\SANS.JPG
Which of the following must you remember when reviewing Windows registry data in
your timeline -Correct Answer ✔Registry keys store only a 'LastWrite' time stamp and
do not indicate when they were created, accessed or deleted
What information can be deduced by the following artifact?
System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces -Correct Answer ✔If
an interface GUID was used to connect to the internet over 3G
Which part of the LNK file reveals the shell path to the target file -Correct Answer
✔PIDL - The PIDL section of a LNK file, follow the header, it contains a shell path (a
PIDL0 to the target file
In addition to the Web Notes Folder, which location contains Web Notes browser
artifacts? -Correct Answer ✔Spartan.edb
SANS 500
, SANS 500
Which event will create a new directory in C:\System Volume Information\? -Correct
Answer ✔Software installation. There are several ways to create a new volume shadow
copy - Software installation, System snapshot, Manual snapshot
You are examining an image of a Windows system. In the C:\Windows\Prefetch
directory you find an entry for "EvilBin.Exe". Assuming the file was legitimately created
by the operating system, what does this file's existence mean to you, as the forensic
investigator? -Correct Answer ✔EvilBin.Exe has been run at least once on this system
What does the unique GUID assigned to each sub-key of the UserAssist registry entry
represent? -Correct Answer ✔Method used to execute and application
Which is the advantage offered by server-based e-mail forensic tools when compared to
standard forensic suites? -Correct Answer ✔They allow simultaneous searches across
multiple user accounts
Which Windows 7 event log records installation and update information for Windows
security updates and patches -Correct Answer ✔Setup.log records installation and
update information on all applications
You are participating in an e-mail investigation for a company using Microsoft Exchange
with Outlook clients. Which of the following would reduce the results returned in a
keyword search of a user's mailbox? -Correct Answer ✔The organization's email clients
have S/MIME support enabled
Network logs show that Bob accessed \\10.10.23.47\Financial\Salary two weeks past.
Bob claims he never intentionally went to the network share, that he must've clicked on
a link that mapped to that location. Which registry key on Bob's host will show if he
knew the network location of the salary folder? -Correct Answer ✔TypePaths
Which local folder stores the Cookies DB in Chrome version 96 and above -Correct
Answer ✔Network
Which of the following is an example of volatile data -Correct Answer ✔Open files -
Current and running apps. on a workstation are volatile and all date will be lost if the
device is powered off
What artifact(s) will be created by Windows 10 when a user opens an office document
from a USB drive using Explorer -Correct Answer ✔Two LNK files are created in
C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent
Which of the following records a 'last write time' stored typically in UTC -Correct Answer
✔A change to a registry key value
SANS 500
