SANS 500 Exam 2026 Questions and
Answers
Alternate Data Streams (ADS) - Correct answer-Alternative content for a file that
exists by creating additional data pointers within the same NTFS file. Basically the
presence of a second or subsequent data stream. Zone.Identifier is an example of
an ADS.
AMCACHE.HVE - Correct answer-Utilized for the internal application
compatibility capability that allows for Windows to run older executables found
from earlier iterations of their OS.
AppCompatCache - Correct answer-Tracks the executable file's last modification
date, file path, and if it was executed. Windows looks at this key to figure out if a
program needs shimming for compatibility.
AppData Folder - Correct answer-Contains custom settings and other information
needed by applications. Contains your Local, LocalLow, Roaming folders. For
example, Web browser bookmarks and cache.
©COPYRIGHT 2025, ALL RIGHTS RESERVED 1
,AppID - Correct answer-Each application has a unique id, but they are not unique
to the system. Used to ensure that the application's preferences are not going to
conflict with similar applications. Used in jumplists, in both Custom and
Automatic.
Application Log - Correct answer-Records events logged by applications. ex:
failure of MS SQL to access a database
Audit Removable Storage - Correct answer-Logs every interaction with removable
device by user.
Automatic Destinations - Correct answer-Contains a list of application sorted by
AppID. Can be used to map the history of the application from its first use.
Autostart - Correct answer-Lists the programs that run at system boot. Useful to
find malware on a machine that installs on boot, such as a rootkit.
Background Activity Monitor (BAM) - Correct answer-This key is used in
conjunction with the DAM key to record the path of the executable and the last
date/time executed.
BagMRU - Correct answer-Based on the keys that are here, you can tell which
directories were opened/closed during a time period.
©COPYRIGHT 2025, ALL RIGHTS RESERVED 2
,Bookmarks - Correct answer-Created by the user and are shortcuts to websites that
are frequently visited or saved for later. They can also contain user account, URL,
URL parameters, page title, creation date, and last used date.
Browser Forensics - Correct answer-History files, browser cache, and cookies
make up the bulk of browser artifacts. You can find the websites a user visited and
how many times they visited and when, saved websites, downloaded files,
usernames, and what the user searched for.
BSSID - Correct answer-(Basic Service Set ID) the MAC address of a base station,
used to identify it to host stations.
Compliance Search - Correct answer-Powershell cmdlet used for eDiscovery for
nearly any kind of search.
Connected Standby - Correct answer-In Windows 8, systems with a SSD could
take advantage of this new low-power mode. Was expanded upon in Windows 10
with Modern Standby.
CurrentControlSet - Correct answer-Identifies which control set is considered the
Current one. Contains system config settings needed to control system boot, like
the driver and service information. ControlSet001 is typically the set you just
©COPYRIGHT 2025, ALL RIGHTS RESERVED 3
, booted into the computer with. It is usually the most up to date. ControlSet002 is
the "Last Known Good" version, if something drastic happened.
Custom Destinations - Correct answer-Created by each application and there is
custom. Intended to present content that the application has deemed significant
based on either previous usage of the app or through an action that has indicated
that an item is of importance to the user.
Data Stream Carving - Correct answer-The carving of small fragments of a file, not
the whole file. Fragments can be pulled from memory, unallocated space, and
allocated database files. Ex: URLs, chat sessions, emails, encryption keys,...
DEAD System - Memory Acquisition - Correct answer-You can analysis the
hiberfil.sys by copying it from the root of the system drive. memory.dmp is a crash
dump file that can also be used if a full crash dump was taken. pagefile.sys is not a
complete copy of RAM, but can still provide parts of memory that were paged out
to disk.
Desktop Activity Monitor (DAM) - Correct answer-Used in conjunction with the
BAM key to record the path of the executable and the last date/time executed. The
DAM is present on system that have Connected Standby present.
©COPYRIGHT 2025, ALL RIGHTS RESERVED 4
Answers
Alternate Data Streams (ADS) - Correct answer-Alternative content for a file that
exists by creating additional data pointers within the same NTFS file. Basically the
presence of a second or subsequent data stream. Zone.Identifier is an example of
an ADS.
AMCACHE.HVE - Correct answer-Utilized for the internal application
compatibility capability that allows for Windows to run older executables found
from earlier iterations of their OS.
AppCompatCache - Correct answer-Tracks the executable file's last modification
date, file path, and if it was executed. Windows looks at this key to figure out if a
program needs shimming for compatibility.
AppData Folder - Correct answer-Contains custom settings and other information
needed by applications. Contains your Local, LocalLow, Roaming folders. For
example, Web browser bookmarks and cache.
©COPYRIGHT 2025, ALL RIGHTS RESERVED 1
,AppID - Correct answer-Each application has a unique id, but they are not unique
to the system. Used to ensure that the application's preferences are not going to
conflict with similar applications. Used in jumplists, in both Custom and
Automatic.
Application Log - Correct answer-Records events logged by applications. ex:
failure of MS SQL to access a database
Audit Removable Storage - Correct answer-Logs every interaction with removable
device by user.
Automatic Destinations - Correct answer-Contains a list of application sorted by
AppID. Can be used to map the history of the application from its first use.
Autostart - Correct answer-Lists the programs that run at system boot. Useful to
find malware on a machine that installs on boot, such as a rootkit.
Background Activity Monitor (BAM) - Correct answer-This key is used in
conjunction with the DAM key to record the path of the executable and the last
date/time executed.
BagMRU - Correct answer-Based on the keys that are here, you can tell which
directories were opened/closed during a time period.
©COPYRIGHT 2025, ALL RIGHTS RESERVED 2
,Bookmarks - Correct answer-Created by the user and are shortcuts to websites that
are frequently visited or saved for later. They can also contain user account, URL,
URL parameters, page title, creation date, and last used date.
Browser Forensics - Correct answer-History files, browser cache, and cookies
make up the bulk of browser artifacts. You can find the websites a user visited and
how many times they visited and when, saved websites, downloaded files,
usernames, and what the user searched for.
BSSID - Correct answer-(Basic Service Set ID) the MAC address of a base station,
used to identify it to host stations.
Compliance Search - Correct answer-Powershell cmdlet used for eDiscovery for
nearly any kind of search.
Connected Standby - Correct answer-In Windows 8, systems with a SSD could
take advantage of this new low-power mode. Was expanded upon in Windows 10
with Modern Standby.
CurrentControlSet - Correct answer-Identifies which control set is considered the
Current one. Contains system config settings needed to control system boot, like
the driver and service information. ControlSet001 is typically the set you just
©COPYRIGHT 2025, ALL RIGHTS RESERVED 3
, booted into the computer with. It is usually the most up to date. ControlSet002 is
the "Last Known Good" version, if something drastic happened.
Custom Destinations - Correct answer-Created by each application and there is
custom. Intended to present content that the application has deemed significant
based on either previous usage of the app or through an action that has indicated
that an item is of importance to the user.
Data Stream Carving - Correct answer-The carving of small fragments of a file, not
the whole file. Fragments can be pulled from memory, unallocated space, and
allocated database files. Ex: URLs, chat sessions, emails, encryption keys,...
DEAD System - Memory Acquisition - Correct answer-You can analysis the
hiberfil.sys by copying it from the root of the system drive. memory.dmp is a crash
dump file that can also be used if a full crash dump was taken. pagefile.sys is not a
complete copy of RAM, but can still provide parts of memory that were paged out
to disk.
Desktop Activity Monitor (DAM) - Correct answer-Used in conjunction with the
BAM key to record the path of the executable and the last date/time executed. The
DAM is present on system that have Connected Standby present.
©COPYRIGHT 2025, ALL RIGHTS RESERVED 4
