SANS 500 ACTUAL EXAM
NEWEST
1.
Which Windows artifact records user logon and logoff activity?
A. $MFT
B. SAM hive
C. Security Event Log
D. NTUSER.DAT
✅ Answer: C
Explanation: The Windows Security Event Log (Security.evtx) stores Event IDs like
4624 (logon) and 4634 (logoff), crucial for tracking user authentication activity.
2.
Where are the timestamps for file creation, modification, and access stored in NTFS?
A. Registry hive
B. $LogFile
C. $MFT entries
D. Prefetch folder
✅ Answer: C
Explanation: The NTFS $MFT (Master File Table) stores metadata for every file,
including four standard timestamps (MACB: Modified, Accessed, Created, Born).
3.
Which of the following is found in the UserAssist key?
A. Executed programs
B. Network shares
C. Browser cache
D. File system timestamps
✅ Answer: A
Explanation: The UserAssist key in the user’s NTUSER.DAT contains ROT13-encoded
entries tracking GUI-based program execution.
4.
The Prefetch files are primarily used to:
A. Track command-line usage
B. Improve application startup performance
C. Log network traffic
D. Store deleted file data
✅ Answer: B
Explanation: Prefetch files (.pf) help Windows optimize app loading and contain
execution counts and last run times useful for forensic timelines.
5.
What information does the RecentApps key (Windows 10+) provide?
A. Recent USB devices
B. Network logons
C. Application usage with timestamps
D. System crash reports
✅ Answer: C
Explanation: RecentApps in the NTUSER.DAT hive stores data about applications
recently run, including the executable name and timestamps.
6.
Where can you find data about recently connected USB devices?
A. SYSTEM hive → Enum\USBSTOR
B. SOFTWARE hive → Run key
C. SAM hive → User accounts
D. Prefetch folder
✅ Answer: A
Explanation: SYSTEM\CurrentControlSet\Enum\USBSTOR lists details about
connected USB devices, including serial numbers and last connection times.
7.
Which tool or command can parse the Master File Table?
A. regedit.exe
B. logparser.exe
C. MFTECmd.exe
D. netstat.exe
✅ Answer: C
Explanation: MFTECmd (from Eric Zimmerman’s suite) extracts and interprets MFT
data, including file paths, timestamps, and record attributes.
8.
Event ID 4624 in the Security log indicates:
A. Account lockout
B. Failed logon attempt
C. Successful logon
D. Logoff
✅ Answer: C
Explanation: Event ID 4624 marks a successful user logon to the system.
9.
What is the function of the $UsnJrnl file in NTFS?
A. Logs all USB insertions
B. Records changes to files and directories
C. Stores browser history
D. Contains registry backups
✅ Answer: B