SANS 500 Exam 2026 Questions and
Answers
Why is it important to collect volatile data during incident response - Correct
answer-Information could be lost if the system is powered off or rebooted
You are responding to an incident. The suspect was using his Windows Desktop
Computer with Firefox and "Private Browsing" enabled. The attack was
interrupted when it was detected, and the browser windows are still open. What
can you do to capture the most in-depth data from the suspect's browser session -
Correct answer-Collect the contents of the computer's RAM
How is a user mapped to contents of the recycle bin? - Correct answer-SID
How does PhotRec Recover deleted files from a host? - Correct answer-Searches
free space looking for file signatures that match specific file types
You are responding to an incident in progress on a workstation, Why is it important
to check the presence of encryption on the suspect workstation before turning it
©COPYRIGHT 2025, ALL RIGHTS RESERVED 1
, off? - Correct answer-Data on mounted volumes and decryption keys stored as
volatile data may be lost
How can cookies.sqlite linked to a specific user account - Correct answer-The DB
file is stored in the corresponding profile folder
You are reviewing the contents of a Windows shortcut [.Ink file] pointing to
C:\SANS.JPG. Which of the following metadata can you expect to find? - Correct
answer-The last access time of C:\SANS.JPG
Which of the following must you remember when reviewing Windows registry
data in your timeline - Correct answer-Registry keys store only a 'LastWrite' time
stamp and do not indicate when they were created, accessed or deleted
What information can be deduced by the following artifact?
System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces - Correct answer-
If an interface GUID was used to connect to the internet over 3G
Which part of the LNK file reveals the shell path to the target file - Correct answer-
PIDL - The PIDL section of a LNK file, follow the header, it contains a shell path
(a PIDL0 to the target file
In addition to the Web Notes Folder, which location contains Web Notes browser
artifacts? - Correct answer-Spartan.edb
©COPYRIGHT 2025, ALL RIGHTS RESERVED 2
Answers
Why is it important to collect volatile data during incident response - Correct
answer-Information could be lost if the system is powered off or rebooted
You are responding to an incident. The suspect was using his Windows Desktop
Computer with Firefox and "Private Browsing" enabled. The attack was
interrupted when it was detected, and the browser windows are still open. What
can you do to capture the most in-depth data from the suspect's browser session -
Correct answer-Collect the contents of the computer's RAM
How is a user mapped to contents of the recycle bin? - Correct answer-SID
How does PhotRec Recover deleted files from a host? - Correct answer-Searches
free space looking for file signatures that match specific file types
You are responding to an incident in progress on a workstation, Why is it important
to check the presence of encryption on the suspect workstation before turning it
©COPYRIGHT 2025, ALL RIGHTS RESERVED 1
, off? - Correct answer-Data on mounted volumes and decryption keys stored as
volatile data may be lost
How can cookies.sqlite linked to a specific user account - Correct answer-The DB
file is stored in the corresponding profile folder
You are reviewing the contents of a Windows shortcut [.Ink file] pointing to
C:\SANS.JPG. Which of the following metadata can you expect to find? - Correct
answer-The last access time of C:\SANS.JPG
Which of the following must you remember when reviewing Windows registry
data in your timeline - Correct answer-Registry keys store only a 'LastWrite' time
stamp and do not indicate when they were created, accessed or deleted
What information can be deduced by the following artifact?
System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces - Correct answer-
If an interface GUID was used to connect to the internet over 3G
Which part of the LNK file reveals the shell path to the target file - Correct answer-
PIDL - The PIDL section of a LNK file, follow the header, it contains a shell path
(a PIDL0 to the target file
In addition to the Web Notes Folder, which location contains Web Notes browser
artifacts? - Correct answer-Spartan.edb
©COPYRIGHT 2025, ALL RIGHTS RESERVED 2
