SANS 500 Exam – GIAC Security Essentials (GSEC)
Certification Prep & Study Guide|| GRADED A+||
LATEST UPDATE 2025/26
Alternate Data Streams (ADS) -CORRECTANSWER Alternative content for a file that exists by creating additional data pointers within the same NTFS file. Basically the presence of a second or subsequent data stream. Zone.Identifier is an example of an ADS.
AMCACHE.HVE -CORRECTANSWER Utilized for the internal application compatibility capability that allows Windows to run older executables found in earlier iterations of its OS.
AppCompatCache -CORRECTANSWER Tracks the executable file's last modification date, file path, and whether it was executed. Windows looks at this key to figure out if a program needs shimming for compatibility.
AppData Folder -CORRECTANSWER Contains custom settings and other information needed by applications. Contains your Local, LocalLow, and Roaming folders. For example, web browser bookmarks and cache.
AppID -CORRECTANSWER Each application has a unique ID, but they are not unique to the system. Used to ensure that the application's preferences are not going to conflict with similar applications. Used in jump lists, both Custom and Automatic.
Application Log -CORRECTANSWER Records events logged by applications. Ex: failure of MS SQL to access a database.
Audit Removable Storage -CORRECTANSWER Logs every interaction with a removable device by user.
Automatic Destinations -CORRECTANSWER Contains a list of applications sorted by AppID. Can be used to map the history of the application from its first use.
Autostart -CORRECTANSWER Lists the programs that run at system boot. Useful to find malware on a machine that installs at boot, such as a rootkit.
Background Activity Monitor (BAM) -CORRECTANSWER This key is used in conjunction with the DAM key to record the path of the executable and the last date/time executed.
BagMRU -CORRECTANSWER Based on the keys here, you can tell which directories were opened/closed during a time period.
Bookmarks -CORRECTANSWER Created by the user; shortcuts to websites that are frequently visited or saved for later. They can also contain user account, URL, URL parameters, page title, creation date, and last used date.
Browser Forensics -CORRECTANSWER History files, browser cache, and cookies make up the bulk of browser artifacts. You can find the websites a user visited, how many times and when they visited, saved websites, downloaded files, usernames, and what the user searched for.
BSSID -CORRECTANSWER (Basic Service Set ID) The MAC address of a base station, used to identify it to host stations.
Compliance Search -CORRECTANSWER PowerShell cmdlet used for eDiscovery for nearly any kind of search.
Connected Standby -CORRECTANSWER In Windows 8, systems with an SSD could take advantage of this new low-power mode. Expanded upon in Windows 10 with Modern Standby.
CurrentControlSet -CORRECTANSWER Identifies which control set is considered the current one. Contains system config settings needed to control system boot, like driver and service information. ControlSet001 is typically the set you just booted the computer with; it is usually the most up to date. ControlSet002 is the "Last Known Good" version, in case something drastic happened.
Custom Destinations -CORRECTANSWER Created by each application and are custom. Intended to present content that the application has deemed significant based on either previous usage of the app or an action that has indicated that an item is of importance to the user.
Data Stream Carving -CORRECTANSWER The carving of small fragments of a file, not the whole file. Fragments can be pulled from memory, unallocated space, and allocated database files. Ex: URLs, chat sessions, emails, encryption keys, ...
DEAD System - Memory Acquisition -CORRECTANSWER You can analyze hiberfil.sys by copying it from the root of the system drive. memory.dmp is a crash dump file that can also be used if a full crash dump was taken. pagefile.sys is not a complete copy of RAM, but can still provide parts of memory that were paged out to disk.
Desktop Activity Monitor (DAM) -CORRECTANSWER Used in conjunction with the BAM key to record the path of the executable and the last date/time executed. The DAM is present on systems that have Connected Standby.
DOMStore -CORRECTANSWER This is where Web Storage files are stored in IE/Edge. Set up in a similar fashion to the cache. The WebCacheV*.dat file manages the DOMStore filenames and the owning sites. It includes creation and last access timestamps for Web Storage artifacts.