Exam (elaborations)

SANS 500 Exam Study Guide Questions with Correct Answers 2025

Pages
16
Grade
A
Uploaded on
11-03-2025
Written in
2024/2025


Written for

Institution
SANS 500
Course
SANS 500

Document information

Uploaded on
March 11, 2025
Number of pages
16
Written in
2024/2025
Type
Exam (elaborations)
Contains
Questions & answers

Content preview

SANS 500


SANS 500 Exam Study Guide Questions
with Correct Answers 2025
Alternate Data Streams (ADS) -Correct Answer ✔Alternative content for a file that exists
by creating additional data pointers within the same NTFS file. Basically the presence of
a second or subsequent data stream. Zone.Identifier is an example of an ADS.

AMCACHE.HVE -Correct Answer ✔Utilized for the internal application compatibility
capability that allows for Windows to run older executables found from earlier iterations
of their OS.

AppCompatCache -Correct Answer ✔Tracks the executable file's last modification date,
file path, and if it was executed. Windows looks at this key to figure out if a program
needs shimming for compatibility.

AppData Folder -Correct Answer ✔Contains custom settings and other information
needed by applications. Contains your Local, LocalLow, Roaming folders. For example,
Web browser bookmarks and cache.

AppID -Correct Answer ✔Each application has a unique id, but they are not unique to
the system. Used to ensure that the application's preferences are not going to conflict
with similar applications. Used in jumplists, in both Custom and Automatic.

Application Log -Correct Answer ✔Records events logged by applications, e.g. the failure
of MS SQL to access a database.

Audit Removable Storage -Correct Answer ✔Logs every interaction with a removable
device, by user.

Automatic Destinations -Correct Answer ✔Contains a list of applications sorted by AppID.
Can be used to map the history of the application from its first use.

Autostart -Correct Answer ✔Lists the programs that run at system boot. Useful to find
malware on a machine that installs on boot, such as a rootkit.

Background Activity Monitor (BAM) -Correct Answer ✔This key is used in conjunction
with the DAM key to record the path of the executable and the last date/time executed.

BagMRU -Correct Answer ✔Based on the keys that are here, you can tell which
directories were opened/closed during a time period.

Bookmarks -Correct Answer ✔Created by the user and are shortcuts to websites that
are frequently visited or saved for later. They can also contain user account, URL, URL
parameters, page title, creation date, and last used date.

Browser Forensics -Correct Answer ✔History files, browser cache, and cookies make
up the bulk of browser artifacts. You can find the websites a user visited and how many
times they visited and when, saved websites, downloaded files, usernames, and what
the user searched for.

BSSID -Correct Answer ✔(Basic Service Set ID) the MAC address of a base station,
used to identify it to host stations.

Compliance Search -Correct Answer ✔PowerShell cmdlet used for eDiscovery for nearly
any kind of search.

Connected Standby -Correct Answer ✔In Windows 8, systems with an SSD could take
advantage of this new low-power mode. It was expanded upon in Windows 10 with
Modern Standby.

CurrentControlSet -Correct Answer ✔Identifies which control set is considered the
Current one. Contains system config settings needed to control system boot, like the
driver and service information. ControlSet001 is typically the set you just booted into the
computer with. It is usually the most up to date. ControlSet002 is the "Last Known
Good" version, if something drastic happened.

Custom Destinations -Correct Answer ✔Created by each application and are custom.
Intended to present content that the application has deemed significant based
on either previous usage of the app or through an action that has indicated that an item
is of importance to the user.

Data Stream Carving -Correct Answer ✔The carving of small fragments of a file, not the
whole file. Fragments can be pulled from memory, unallocated space, and allocated
database files. Ex: URLs, chat sessions, emails, encryption keys,...

DEAD System - Memory Acquisition -Correct Answer ✔You can analyze hiberfil.sys
by copying it from the root of the system drive. memory.dmp is a crash dump file that
can also be used if a full crash dump was taken. pagefile.sys is not a complete copy of
RAM, but can still provide parts of memory that were paged out to disk.

Desktop Activity Monitor (DAM) -Correct Answer ✔Used in conjunction with the BAM
key to record the path of the executable and the last date/time executed. The DAM is
present on systems that have Connected Standby.

DOMStore -Correct Answer ✔This is where Web Store files are stored in IE/Edge. Set
up in a similar fashion to cache. The WebCacheV*.dat file manages the DOMStore
filenames and the owning sites. It includes creation and last access timestamps for Web
Storage artifacts.

Exchange Database (EDB) -Correct Answer ✔Container for user Microsoft Exchange
mailboxes. Stored in ESE format.

Email Header -Correct Answer ✔Required component. Provides the envelope that a
message relies on for getting it to the destination. Only completely reliable information
from the Mail Transfer Agent that you own or trust.

EMDMgmt -Correct Answer ✔Traditionally used for ReadyBoost to remember whether it
passed inspection. Each key in it provides the USB device manufacturer, ID, Serial
Number, Volume Name, and Volume Serial Number.

ESE Database -Correct Answer ✔A proprietary Microsoft database format. Can be
broken up into multiple storage groups, each able to contain multiple database files.

Exif Data -Correct Answer ✔Also called metadata, this is information electronically
attached to each image file, such as shutter speed, aperture, ISO, lens length, white
balance, and other settings used when taking the picture.

File Carving -Correct Answer ✔The process of recovering intact files from memory or
unallocated space. It is done by scanning for known file headers at cluster boundaries
and carving a file out based on a "predicted" length or until a known footer is found.
Generally results in a lot of false positives.

File Header -Correct Answer ✔A sequence of bytes that are generally unique to each
file found at the beginning of the file itself.

File MRU -Correct Answer ✔This key will list many of the recent documents,
spreadsheets, and PowerPoint presentations that the user has opened. This key can go
much further back in time than RecentDocs, due to having more space and not needing
to overwrite the data as fast.

Hive Flush -Correct Answer ✔In a dirty hive situation, where transaction log files contain
data not yet written to the registry, when the changes are written to disk, it is called a
hive flush.

HKEY_CLASSES_ROOT -Correct Answer ✔Includes information about which filename
extensions map to particular applications.

HKEY_CURRENT_USER -Correct Answer ✔Stores settings that concern the currently
logged-on user.
