SANS 500 Exam with precise detailed solutions
Alternate Data Streams (ADS) - ✔✔Additional named data streams attached to the same NTFS file or directory alongside the default unnamed $DATA stream; a normal directory listing and the reported file size do not show them. Zone.Identifier is the common example: browsers and mail clients write it to downloaded files to record the URL security zone the file came from (recent browsers on Windows 10 also add HostUrl and ReferrerUrl), which is what the "mark of the web" warnings key on. On a live system, dir /R or Get-Item -Stream * lists the streams of a file.
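On a live system the stream content can be read with Get-Content -Stream Zone.Identifier; offline, the bytes extracted from the named $DATA attribute can be parsed with the following added example (my own code, not course material). The stream content below is constructed, and the zone names are the standard URLZONE values.

```python
import configparser

# URLZONE values carried in the ZoneId field.
URL_ZONES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed sample of a Zone.Identifier stream as written by a Windows 10 browser.
SAMPLE_ZONE_IDENTIFIER = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://downloads.example/tools/
HostUrl=https://cdn.example/files/tool.exe
"""


def parse_zone_identifier(stream_text):
    """Parse the INI-style Zone.Identifier ADS content.

    Returns the numeric zone, its name, and the origin URLs. The URLs are None
    when absent: streams written before Windows 10 usually carry only ZoneId.
    """
    cp = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    cp.optionxform = str                                 # keep key case (ZoneId, HostUrl)
    cp.read_string(stream_text)
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("not a ZoneTransfer stream")
    section = cp["ZoneTransfer"]
    zone_id = int(section.get("ZoneId", "-1"))
    return {
        "zone_id": zone_id,
        "zone_name": URL_ZONES.get(zone_id, "unknown"),
        "referrer_url": section.get("ReferrerUrl"),
        "host_url": section.get("HostUrl"),
    }


def downloaded_from_internet(stream_text):
    """True when the file carries the mark of the web (Internet or Restricted zone)."""
    return parse_zone_identifier(stream_text)["zone_id"] in (3, 4)


if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_ZONE_IDENTIFIER)
    print(f"zone {info['zone_id']} ({info['zone_name']}), fetched from {info['host_url']}")
```

HostUrl is the strongest lead: it names the exact download URL, whereas ZoneId alone only says the file crossed a zone boundary.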
AMCACHE.HVE - ✔✔Registry-format hive (C:\Windows\AppCompat\Programs\Amcache.hve) written by the application compatibility infrastructure, which exists so Windows can run older executables from earlier versions of the OS. For forensics it matters because it records, for executables that have run or been installed, the full path, file size, PE metadata, a SHA1 hash of the file's first 31,457,280 bytes, and timestamps, and those records survive after the file itself is deleted. Introduced with Windows 8 (later backported to Windows 7 by update) as the replacement for RecentFileCache.bcf.
AppCompatCache - ✔✔Also called ShimCache. Stored in the SYSTEM hive under ControlSet00x\Control\Session Manager\AppCompatCache; tracks the executable's file path and last modification date and, on older versions, a flag indicating whether it was executed. Windows consults it to figure out if a program needs shimming for compatibility. Entries are only written to the hive at shutdown or reboot, and Windows 10 no longer records the executed flag, so an entry proves the file existed at that path, not that it ran.
AppData Folder - ✔✔Per-user folder (C:\Users\<user>\AppData) holding custom settings and other information needed by applications. Contains the Local, LocalLow and Roaming subfolders: Roaming follows the user to other domain machines, Local stays on the host, LocalLow is for low-integrity processes. Examples: web browser bookmarks, history and cache.
AppID - ✔✔Each application has an ID derived from its path, so the same program gets the same AppID on every system (the ID identifies the application, not the machine). Windows uses it to ensure that one application's preferences do not conflict with similar applications. Jump list files in both the Custom and Automatic destinations folders are named by AppID, so published AppID lists map a jump list back to its program.
Application Log - ✔✔Windows event log that records events logged by applications, e.g. MS SQL Server failing to access a database.
Audit Removable Storage - ✔✔Advanced audit policy (Object Access subcategory) that, once enabled, logs every file-system interaction a user has with a removable device as Event ID 4663 in the Security log. Off by default.
Automatic Destinations - ✔✔Folder (%AppData%\Microsoft\Windows\Recent\AutomaticDestinations) of *.automaticDestinations-ms files, one per application and named by AppID, generated automatically as the user opens items. Each is an OLE compound file holding LNK-format streams plus a DestList stream that orders the entries, so it can be used to map the history of the application's recent items from its first use.
Autostart - ✔✔Registry keys and folders (Run, RunOnce, Services, Winlogon, scheduled tasks, the Startup folder and many more) that list programs run at boot or logon. Useful for finding malware that persists by installing itself at boot, such as a rootkit; Sysinternals Autoruns enumerates these locations.
Background Activity Moderator (BAM) - ✔✔Windows 10 service whose key in the SYSTEM hive (ControlSet00x\Services\bam\State\UserSettings\<SID>; without the State level before 1809) records, per user SID, the full path of each executable run and the last date/time it was executed, stored as a FILETIME. Used in conjunction with the DAM key.
BagMRU - ✔✔ShellBags. Registry keys (in NTUSER.DAT and, from Windows 7 on, mostly in UsrClass.dat under Local Settings\Software\Microsoft\Windows\Shell) that store Explorer window and view preferences per folder. Because a key is created when a folder is browsed and persists afterwards, you can tell which directories (including network shares, removable media and since-deleted folders) were opened during a time period.
Bookmarks - ✔✔Created by the user as shortcuts to websites that are frequently visited or saved for later. Beyond the URL they can record the user account, URL parameters, page title, creation date and last used date.
Browser Forensics - ✔✔History files, browser cache and cookies make up the bulk of browser artifacts. From them you can find the websites a user visited, how many times and when, saved websites, downloaded files, usernames, and what the user searched for. Chromium-based browsers (Chrome, current Edge) and Firefox keep these in SQLite databases; IE and legacy Edge keep them in the ESE database WebCacheV01.dat.
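The BAM/DAM values above and the Chromium history timestamps mentioned under Browser Forensics both count from 1601-01-01 UTC (FILETIME in 100 ns ticks, WebKit time in microseconds), so one converter serves both. The following is an added example of my own, not course material: it decodes constructed BAM values into a last-executed timeline and converts a Chrome last_visit_time. The 24-byte BAM value layout with the FILETIME in the first 8 bytes is as documented by registry tooling; the DAM key is assumed to use the same layout, and reading the hive itself is not shown.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME (100 ns ticks) and WebKit/Chrome time (microseconds) share the 1601-01-01 epoch.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a 64-bit FILETIME to an aware UTC datetime; 0 means 'not set'."""
    if filetime == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def webkit_to_datetime(webkit_us):
    """Convert a Chromium History last_visit_time (µs since 1601) to UTC; 0 means unknown."""
    if webkit_us == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=webkit_us)


def parse_bam_entry(value_name, value_data):
    """Decode one value under Services\\bam\\State\\UserSettings\\<SID>.

    The value name is the executable path; the data is 24 bytes whose first 8 are a
    little-endian FILETIME of the last execution (the other 16 are not decoded here).
    """
    if len(value_data) < 8:
        raise ValueError(f"{value_name}: data too short ({len(value_data)} bytes)")
    (filetime,) = struct.unpack_from("<Q", value_data, 0)
    return {"path": value_name, "last_executed": filetime_to_datetime(filetime)}


def bam_timeline(values):
    """Turn a {value_name: data} mapping into entries sorted newest first.

    Version and SequenceNumber are bookkeeping values in the same key, not programs.
    """
    entries = [
        parse_bam_entry(name, data)
        for name, data in values.items()
        if name not in ("Version", "SequenceNumber")
    ]
    return sorted(entries, key=lambda e: e["last_executed"] or EPOCH_1601, reverse=True)


# Constructed sample of one user's BAM values (what a hive parser would hand back).
SAMPLE_BAM_VALUES = {
    "Version": struct.pack("<I", 1),
    "SequenceNumber": struct.pack("<I", 2),
    r"\Device\HarddiskVolume3\Windows\System32\notepad.exe":
        struct.pack("<Q", 116444736000000000) + bytes(16),   # 1970-01-01 00:00:00 UTC
    r"\Device\HarddiskVolume3\Users\alice\Downloads\tool.exe":
        struct.pack("<Q", 132223104000000000) + bytes(16),   # 2020-01-01 00:00:00 UTC
}

if __name__ == "__main__":
    for entry in bam_timeline(SAMPLE_BAM_VALUES):
        print(entry["last_executed"].isoformat(), entry["path"])
    print(webkit_to_datetime(13222310400000000).isoformat())  # 2020-01-01T00:00:00+00:00
```

BAM paths use the kernel device form (\Device\HarddiskVolumeN\...), so map the volume number to a drive letter from the MountedDevices key before comparing against other artifacts.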
BSSID - ✔✔(Basic Service Set ID) the MAC address of a wireless access point (base station), used to identify it to client stations. Because access points rarely move, a recorded BSSID can be looked up in wireless geolocation databases to place a laptop at a location.
Compliance Search - ✔✔Exchange Online / Microsoft 365 Security & Compliance PowerShell cmdlets (New-ComplianceSearch, Start-ComplianceSearch, Get-ComplianceSearch) used for eDiscovery; they can search mailboxes and SharePoint/OneDrive content for nearly any kind of search term.
Connected Standby - ✔✔Low-power mode introduced in Windows 8 that systems with an SSD (and supporting firmware) could take advantage of, keeping the machine network-connected much like a phone. Expanded upon in Windows 10 as Modern Standby. Relevant here because the DAM key is only populated on systems that support it.
CurrentControlSet - ✔✔On a live system, a symbolic link in the SYSTEM hive pointing at the ControlSet Windows booted with; it contains the system configuration needed to control boot, such as driver and service information. In an offline hive the link does not exist: read HKLM\SYSTEM\Select\Current (and LastKnownGood) to learn which ControlSet00x is which. Typically ControlSet001 is the set the computer just booted with and the most up to date, and ControlSet002 is the "Last Known Good" copy kept in case something drastic happens, but verify with the Select key rather than assuming.
Custom Destinations - ✔✔Jump list files (*.customDestinations-ms in %AppData%\Microsoft\Windows\Recent\CustomDestinations) created by each application and named by AppID. Intended to present content that the application has deemed significant, based either on previous usage of the app or on a user action (such as pinning) that indicated an item is important to the user. Unlike the automatic jump lists they are not OLE compound files but a sequence of LNK structures.
Data Stream Carving - ✔✔The carving of small fragments of a file, not the whole file. Fragments can be pulled from memory, unallocated space, and allocated database files. Ex: URLs, chat sessions, emails, encryption keys, ...
DEAD System - Memory Acquisition - ✔✔Sources of memory from a powered-off system. hiberfil.sys, copied from the root of the system drive, holds the compressed memory image written at hibernation (and by Fast Startup on Windows 8 and later), so it must be decompressed or converted before analysis. MEMORY.DMP (C:\Windows\MEMORY.DMP) is a crash dump file that can also be used if a complete memory dump was taken. pagefile.sys (and swapfile.sys on Windows 8 and later) is not a complete copy of RAM, but can still provide parts of memory that were paged out to disk.
Desktop Activity Moderator (DAM) - ✔✔Used in conjunction with the BAM key to record the path of the executable and the last date/time executed (SYSTEM hive, ControlSet00x\Services\dam\State\UserSettings\<SID>). The DAM key is only present on systems that have Connected Standby.
DOMStore - ✔✔Where IE and legacy Edge keep Web Storage (DOM storage / localStorage) files, set up in a similar fashion to the cache. The WebCacheV01.dat ESE database manages the DOMStore filenames and the owning sites, and includes creation and last access timestamps for Web Storage artifacts.
Exchange Database (EDB) - ✔✔Container for users' Microsoft Exchange mailboxes. Stored in ESE format.
Email Header - ✔✔Required component of a message. Provides the envelope information a message relies on to reach its destination. Everything written on the sender's side (From, Subject, Message-ID and any Received lines below your own) can be forged; the only completely reliable information is the Received headers added by a Mail Transfer Agent that you own or trust, read from the top (most recent hop) down until the first MTA you do not control.
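As an added example (mine, not the course's), the following walks the Received chain of a constructed phishing message from the top and stops at the first hop stamped by an MTA outside the trusted set; everything below that hop is treated as sender-supplied. The host names, addresses and the trusted-MTA list are assumptions for the demo.

```python
import email
import re

# Constructed sample (not a real capture). The first two Received lines were stamped by
# MTAs we operate; the third was supplied by the sender and proves nothing.
RAW_MESSAGE = b"""Received: from mx.corp.example (mx.corp.example [203.0.113.5])
\tby mail.corp.example with ESMTPS id 4abc123
\tfor <alice@corp.example>; Mon, 01 Jan 2024 12:00:00 +0000
Received: from mail.partner.example (unknown [198.51.100.7])
\tby mx.corp.example with ESMTP
\tfor <alice@corp.example>; Mon, 01 Jan 2024 11:59:58 +0000
Received: from ceo-laptop.corp.example by mail.partner.example with SMTP;
\tMon, 01 Jan 2024 11:59:50 +0000
From: "CEO" <ceo@corp.example>
To: alice@corp.example
Subject: urgent wire transfer
Message-ID: <20240101@mail.partner.example>

Please process the attached wire today.
"""

# Hosts whose Received stamps we trust (assumed for the demo).
TRUSTED_MTAS = {"mail.corp.example", "mx.corp.example"}

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"             # name the client gave in HELO/EHLO (sender-chosen)
    r"(?:\s+\((?P<observed>[^)]*)\))?"  # what the receiving MTA saw: rDNS and [IP]
    r"\s+by\s+(?P<by>\S+)"              # the MTA that wrote this header
)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def parse_received_hops(raw_message):
    """Return the Received hops newest first, the order the headers appear in."""
    msg = email.message_from_bytes(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)  # folded lines contain '\n\t'; \s+ spans them
        hops.append({
            "helo": m.group("helo") if m else None,
            "observed": m.group("observed") if m else None,
            "by": m.group("by") if m else None,
            "raw": " ".join(value.split()),
        })
    return hops


def split_trust_boundary(raw_message, trusted_mtas):
    """Keep hops while the stamping MTA is one we control; the first hop stamped
    elsewhere, and everything under it, could have been written by the sender."""
    hops = parse_received_hops(raw_message)
    for i, hop in enumerate(hops):
        if hop["by"] not in trusted_mtas:
            return hops[:i], hops[i:]
    return hops, []


def true_origin_ip(raw_message, trusted_mtas):
    """The connecting IP observed by our outermost trusted MTA is the last reliable fact."""
    trusted, _ = split_trust_boundary(raw_message, trusted_mtas)
    if not trusted:
        return None
    m = IP_RE.search(trusted[-1]["observed"] or "")
    return m.group(1) if m else None


if __name__ == "__main__":
    trusted, untrusted = split_trust_boundary(RAW_MESSAGE, TRUSTED_MTAS)
    print("origin IP:", true_origin_ip(RAW_MESSAGE, TRUSTED_MTAS))
    for hop in untrusted:
        print("unverified:", hop["raw"])
```

Note that the HELO name in the last trusted hop (mail.partner.example) is also sender-chosen; only the bracketed address and the reverse-DNS result in parentheses were observed by our MTA.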
EMDMgmt - ✔✔SOFTWARE hive key (Microsoft\Windows NT\CurrentVersion\EMDMgmt) traditionally used by ReadyBoost to remember whether a volume passed inspection for use as a cache. Each subkey name encodes the USB device manufacturer, product ID, serial number, volume name and volume serial number (in decimal), which ties a volume serial to a physical device. Often empty on machines whose system drive is an SSD, since ReadyBoost is disabled there.
ESE Database - ✔✔Extensible Storage Engine (JET Blue), a proprietary Microsoft database format used by Exchange, Active Directory (ntds.dit), SRUM and the IE/Edge WebCacheV01.dat. An Exchange deployment can be broken up into multiple storage groups, each able to contain multiple database files.