SANS 500 EXAM 2025 | ALL QUESTIONS AND CORRECT
ANSWERS (VERIFIED ANSWERS PLUS RATIONALES) | LATEST
EXAM | JUST RELEASED | ALREADY GRADED A+
Question 1
Which of the following describes Alternate Data Streams (ADS)?
A) A temporary file created during system boot.
B) Additional data pointers within the same NTFS file, forming a second or subsequent data
stream.
C) A hidden partition used for system recovery.
D) A log file tracking changes to the registry.
E) A type of network communication protocol.
Correct Answer: B) Additional data pointers within the same NTFS file, forming a
second or subsequent data stream.
Rationale: The provided text defines ADS as "Alternative content for a file that
exists by creating additional data pointers within the same NTFS file. Basically the
presence of a second or subsequent data stream."
Question 2
What is AMCACHE.HVE primarily utilized for in Windows?
A) Storing web browser history and cache.
B) Tracking executed programs for application compatibility.
C) Managing network connection profiles.
D) Storing user desktop backgrounds.
E) Recording events logged by applications.
Correct Answer: B) Tracking executed programs for application compatibility.
Rationale: The provided text states, "AMCACHE.HVE Utilized for the internal
,application compatibility capability that allows for Windows to run older
executables found from earlier iterations of their OS."
Question 3
Which information does AppCompatCache track regarding executable files?
A) Their network activity and port usage.
B) Their last modification date, file path, and if they were executed.
C) The amount of disk space they occupy.
D) The number of times they have crashed.
E) Their digital signature and vendor.
Correct Answer: B) Their last modification date, file path, and if they were executed.
Rationale: The provided text explains, "AppCompatCache Tracks the executable
file's last modification date, file path, and if it was executed."
Question 4
The AppData Folder contains which of the following subfolders?
A) Program Files, Windows, System32.
B) Users, Public, Default.
C) Local, LocalLow, Roaming.
D) Temp, Log, Backup.
E) Drivers, Services, Registry.
Correct Answer: C) Local, LocalLow, Roaming.
Rationale: The provided text states, "AppData Folder Contains custom settings and
other information needed by applications. Contains your Local, LocalLow, Roaming
folders."
,Question 5
What is the primary purpose of an AppID for an application?
A) To identify the developer of the application.
B) To ensure that the application's preferences do not conflict with similar applications.
C) To track the installation date of the application.
D) To encrypt the application's data.
E) To manage license keys for the application.
Correct Answer: B) To ensure that the application's preferences are not going to
conflict with similar applications.
Rationale: The provided text explains, "AppID Each application has a unique id, but
they are not unique to the system. Used to ensure that the application's
preferences are not going to conflict with similar applications."
Question 6
Which log file records events specifically logged by applications, such as a database access
failure?
A) Security Log.
B) System Log.
C) Application Log.
D) Services Logs.
E) WLAN-AutoConfig Log.
Correct Answer: C) Application Log.
Rationale: The provided text states, "Application Log Records events logged by
applications. ex: failure of MS SQL to access a database".
, Question 7
What does the Audit Removable Storage setting log?
A) Only the connection of a removable device.
B) Every interaction with a removable device by a user.
C) Only data written to removable storage.
D) Only data read from removable storage.
E) The type of removable device connected.
Correct Answer: B) Every interaction with removable device by user.
Rationale: The provided text states, "Audit Removable Storage Logs every
interaction with removable device by user."
Question 8
Automatic Destinations contain a list of applications sorted by AppID and can be used to:
A) Encrypt user data.
B) Map the history of an application from its first use.
C) Restore deleted files.
D) Manage network connections.
E) Monitor system performance.
Correct Answer: B) Map the history of the application from its first use.
Rationale: The provided text states, "Automatic Destinations Contains a list of
application sorted by AppID. Can be used to map the history of the application
from its first use."
Question 9
What is a key forensic use of the Autostart list?
ANSWERS (VERIFIED ANSWERS PLUS RATIONALES) | LATEST
EXAM | JUST RELEASED | ALREADY GRADED A+
Question 1
Which of the following describes Alternate Data Streams (ADS)?
A) A temporary file created during system boot.
B) Additional data pointers within the same NTFS file, forming a second or subsequent data
stream.
C) A hidden partition used for system recovery.
D) A log file tracking changes to the registry.
E) A type of network communication protocol.
Correct Answer: B) Additional data pointers within the same NTFS file, forming a
second or subsequent data stream.
Rationale: The provided text defines ADS as "Alternative content for a file that
exists by creating additional data pointers within the same NTFS file. Basically the
presence of a second or subsequent data stream."
Question 2
What is AMCACHE.HVE primarily utilized for in Windows?
A) Storing web browser history and cache.
B) Tracking executed programs for application compatibility.
C) Managing network connection profiles.
D) Storing user desktop backgrounds.
E) Recording events logged by applications.
Correct Answer: B) Tracking executed programs for application compatibility.
Rationale: The provided text states, "AMCACHE.HVE Utilized for the internal
,application compatibility capability that allows for Windows to run older
executables found from earlier iterations of their OS."
Question 3
Which information does AppCompatCache track regarding executable files?
A) Their network activity and port usage.
B) Their last modification date, file path, and if they were executed.
C) The amount of disk space they occupy.
D) The number of times they have crashed.
E) Their digital signature and vendor.
Correct Answer: B) Their last modification date, file path, and if they were executed.
Rationale: The provided text explains, "AppCompatCache Tracks the executable
file's last modification date, file path, and if it was executed."
Question 4
The AppData Folder contains which of the following subfolders?
A) Program Files, Windows, System32.
B) Users, Public, Default.
C) Local, LocalLow, Roaming.
D) Temp, Log, Backup.
E) Drivers, Services, Registry.
Correct Answer: C) Local, LocalLow, Roaming.
Rationale: The provided text states, "AppData Folder Contains custom settings and
other information needed by applications. Contains your Local, LocalLow, Roaming
folders."
,Question 5
What is the primary purpose of an AppID for an application?
A) To identify the developer of the application.
B) To ensure that the application's preferences do not conflict with similar applications.
C) To track the installation date of the application.
D) To encrypt the application's data.
E) To manage license keys for the application.
Correct Answer: B) To ensure that the application's preferences are not going to
conflict with similar applications.
Rationale: The provided text explains, "AppID Each application has a unique id, but
they are not unique to the system. Used to ensure that the application's
preferences are not going to conflict with similar applications."
Question 6
Which log file records events specifically logged by applications, such as a database access
failure?
A) Security Log.
B) System Log.
C) Application Log.
D) Services Logs.
E) WLAN-AutoConfig Log.
Correct Answer: C) Application Log.
Rationale: The provided text states, "Application Log Records events logged by
applications. ex: failure of MS SQL to access a database".
, Question 7
What does the Audit Removable Storage setting log?
A) Only the connection of a removable device.
B) Every interaction with a removable device by a user.
C) Only data written to removable storage.
D) Only data read from removable storage.
E) The type of removable device connected.
Correct Answer: B) Every interaction with removable device by user.
Rationale: The provided text states, "Audit Removable Storage Logs every
interaction with removable device by user."
Question 8
Automatic Destinations contain a list of applications sorted by AppID and can be used to:
A) Encrypt user data.
B) Map the history of an application from its first use.
C) Restore deleted files.
D) Manage network connections.
E) Monitor system performance.
Correct Answer: B) Map the history of the application from its first use.
Rationale: The provided text states, "Automatic Destinations Contains a list of
application sorted by AppID. Can be used to map the history of the application
from its first use."
Question 9
What is a key forensic use of the Autostart list?
