SANS 500 EXAM WITH FREQUENTLY
TESTED QUESTIONS and correct
ANSWERS|ALREADY A
GRADED|GUARANTEED PASS|LATEST
UPDATE 2025.
AppData Folder - CORRECT ANSWER- Contains custom settings and other information needed by
applications. Contains your Local, LocalLow, Roaming folders. For example, Web browser
bookmarks and cache.
AppID - CORRECT ANSWER- Each application has a unique id, but they are not unique to the
system. Used to ensure that the application's preferences are not going to conflict with similar
applications. Used in jumplists, in both Custom and Automatic.
Application Log - CORRECT ANSWER- Records events logged by applications. ex: failure of MS SQL
to access a database
Audit Removable Storage - CORRECT ANSWER- Logs every interaction with removable device by
user.
Alternate Data Streams (ADS) - CORRECT ANSWER- Alternative content for a file that exists by
creating additional data pointers within the same NTFS file. Basically the presence of a second
or subsequent data stream. Zone.Identifier is an example of an ADS.
,AMCACHE.HVE - CORRECT ANSWER- Utilized for the internal application compatibility capability
that allows for Windows to run older executables found from earlier iterations of their OS.
AppCompatCache - CORRECT ANSWER- Tracks the executable file's last modification date, file path,
and if it was executed. Windows looks at this key to figure out if a program needs shimming for
compatibility.
Automatic Destinations - CORRECT ANSWER- Contains a list of application sorted by AppID. Can be
used to map the history of the application from its first use.
Autostart - CORRECT ANSWER- Lists the programs that run at system boot. Useful to find malware
on a machine that installs on boot, such as a rootkit.
Background Activity Monitor (BAM) - CORRECT ANSWER- This key is used in conjunction with the
DAM key to record the path of the executable and the last date/time executed.
BagMRU - CORRECT ANSWER- Based on the keys that are here, you can tell which directories were
opened/closed during a time period.
Bookmarks - CORRECT ANSWER- Created by the user and are shortcuts to websites that are
frequently visited or saved for later. They can also contain user account, URL, URL parameters,
page title, creation date, and last used date.
Browser Forensics - CORRECT ANSWER- History files, browser cache, and cookies make up the bulk
of browser artifacts. You can find the websites a user visited and how many times they visited
and when, saved websites, downloaded files, usernames, and what the user searched for.
BSSID - CORRECT ANSWER- (Basic Service Set ID) the MAC address of a base station, used to
identify it to host stations.
, Compliance Search - CORRECT ANSWER- Powershell cmdlet used for eDiscovery for nearly any kind
of search.
Connected Standby - CORRECT ANSWER- In Windows 8, systems with a SSD could take advantage
of this new low-power mode. Was expanded upon in Windows 10 with Modern Standby.
CurrentControlSet - CORRECT ANSWER- Identifies which control set is considered the Current one.
Contains system config settings needed to control system boot, like the driver and service
information. ControlSet001 is typically the set you just booted into the computer with. It is
usually the most up to date. ControlSet002 is the "Last Known Good" version, if something
drastic happened.
Custom Destinations - CORRECT ANSWER- Created by each application and there is custom.
Intended to present content that the application has deemed significant based on either
previous usage of the app or through an action that has indicated that an item is of importance
to the user.
Data Stream Carving - CORRECT ANSWER- The carving of small fragments of a file, not the whole
file. Fragments can be pulled from memory, unallocated space, and allocated database files. Ex:
URLs, chat sessions, emails, encryption keys,...
DEAD System - Memory Acquisition - CORRECT ANSWER- You can analysis the hiberfil.sys by
copying it from the root of the system drive. memory.dmp is a crash dump file that can also be
used if a full crash dump was taken. pagefile.sys is not a complete copy of RAM, but can still
provide parts of memory that were paged out to disk.
Desktop Activity Monitor (DAM) - CORRECT ANSWER- Used in conjunction with the BAM key to
record the path of the executable and the last date/time executed. The DAM is present on
system that have Connected Standby present.
TESTED QUESTIONS and correct
ANSWERS|ALREADY A
GRADED|GUARANTEED PASS|LATEST
UPDATE 2025.
AppData Folder - CORRECT ANSWER- Contains custom settings and other information needed by
applications. Contains your Local, LocalLow, Roaming folders. For example, Web browser
bookmarks and cache.
AppID - CORRECT ANSWER- Each application has a unique id, but they are not unique to the
system. Used to ensure that the application's preferences are not going to conflict with similar
applications. Used in jumplists, in both Custom and Automatic.
Application Log - CORRECT ANSWER- Records events logged by applications. ex: failure of MS SQL
to access a database
Audit Removable Storage - CORRECT ANSWER- Logs every interaction with removable device by
user.
Alternate Data Streams (ADS) - CORRECT ANSWER- Alternative content for a file that exists by
creating additional data pointers within the same NTFS file. Basically the presence of a second
or subsequent data stream. Zone.Identifier is an example of an ADS.
,AMCACHE.HVE - CORRECT ANSWER- Utilized for the internal application compatibility capability
that allows for Windows to run older executables found from earlier iterations of their OS.
AppCompatCache - CORRECT ANSWER- Tracks the executable file's last modification date, file path,
and if it was executed. Windows looks at this key to figure out if a program needs shimming for
compatibility.
Automatic Destinations - CORRECT ANSWER- Contains a list of application sorted by AppID. Can be
used to map the history of the application from its first use.
Autostart - CORRECT ANSWER- Lists the programs that run at system boot. Useful to find malware
on a machine that installs on boot, such as a rootkit.
Background Activity Monitor (BAM) - CORRECT ANSWER- This key is used in conjunction with the
DAM key to record the path of the executable and the last date/time executed.
BagMRU - CORRECT ANSWER- Based on the keys that are here, you can tell which directories were
opened/closed during a time period.
Bookmarks - CORRECT ANSWER- Created by the user and are shortcuts to websites that are
frequently visited or saved for later. They can also contain user account, URL, URL parameters,
page title, creation date, and last used date.
Browser Forensics - CORRECT ANSWER- History files, browser cache, and cookies make up the bulk
of browser artifacts. You can find the websites a user visited and how many times they visited
and when, saved websites, downloaded files, usernames, and what the user searched for.
BSSID - CORRECT ANSWER- (Basic Service Set ID) the MAC address of a base station, used to
identify it to host stations.
, Compliance Search - CORRECT ANSWER- Powershell cmdlet used for eDiscovery for nearly any kind
of search.
Connected Standby - CORRECT ANSWER- In Windows 8, systems with a SSD could take advantage
of this new low-power mode. Was expanded upon in Windows 10 with Modern Standby.
CurrentControlSet - CORRECT ANSWER- Identifies which control set is considered the Current one.
Contains system config settings needed to control system boot, like the driver and service
information. ControlSet001 is typically the set you just booted into the computer with. It is
usually the most up to date. ControlSet002 is the "Last Known Good" version, if something
drastic happened.
Custom Destinations - CORRECT ANSWER- Created by each application and there is custom.
Intended to present content that the application has deemed significant based on either
previous usage of the app or through an action that has indicated that an item is of importance
to the user.
Data Stream Carving - CORRECT ANSWER- The carving of small fragments of a file, not the whole
file. Fragments can be pulled from memory, unallocated space, and allocated database files. Ex:
URLs, chat sessions, emails, encryption keys,...
DEAD System - Memory Acquisition - CORRECT ANSWER- You can analysis the hiberfil.sys by
copying it from the root of the system drive. memory.dmp is a crash dump file that can also be
used if a full crash dump was taken. pagefile.sys is not a complete copy of RAM, but can still
provide parts of memory that were paged out to disk.
Desktop Activity Monitor (DAM) - CORRECT ANSWER- Used in conjunction with the BAM key to
record the path of the executable and the last date/time executed. The DAM is present on
system that have Connected Standby present.
