SANS 500 Exam 2024/2025 fully solved & updated
Alternate Data Streams (ADS) - ANSWER-Alternative content for a file that exists
by creating additional data pointers within the same NTFS file. Basically the
presence of a second or subsequent data stream. Zone.Identifier is an example of
an ADS.
AMCACHE.HVE - ANSWER-Utilized for the internal application compatibility capability that allows Windows to run older executables from earlier iterations of its OS.
AppCompatCache - ANSWER-Tracks the executable file's last modification date,
file path, and if it was executed. Windows looks at this key to figure out if a
program needs shimming for compatibility.
AppData Folder - ANSWER-Contains custom settings and other information
needed by applications. Contains your Local, LocalLow, Roaming folders. For
example, Web browser bookmarks and cache.
AppID - ANSWER-Each application has a unique id, but they are not unique to the
system. Used to ensure that the application's preferences are not going to
conflict with similar applications. Used in jumplists, in both Custom and
Automatic.
Application Log - ANSWER-Records events logged by applications. ex: failure of
MS SQL to access a database
Audit Removable Storage - ANSWER-Logs every interaction with removable
device by user.
Automatic Destinations - ANSWER-Contains a list of applications sorted by AppID. Can be used to map the history of the application from its first use.
Autostart - ANSWER-Lists the programs that run at system boot. Useful to find
malware on a machine that installs on boot, such as a rootkit.
Background Activity Monitor (BAM) - ANSWER-This key is used in conjunction
with the DAM key to record the path of the executable and the last date/time
executed.
BagMRU - ANSWER-Based on the keys that are here, you can tell which
directories were opened/closed during a time period.
Bookmarks - ANSWER-Created by the user and are shortcuts to websites that are
frequently visited or saved for later. They can also contain user account, URL,
URL parameters, page title, creation date, and last used date.
Browser Forensics - ANSWER-History files, browser cache, and cookies make up
the bulk of browser artifacts. You can find the websites a user visited and how
many times they visited and when, saved websites, downloaded files, usernames,
and what the user searched for.
BSSID - ANSWER-(Basic Service Set ID) the MAC address of a base station, used
to identify it to host stations.
Compliance Search - ANSWER-PowerShell cmdlet used for eDiscovery for nearly any kind of search.
Connected Standby - ANSWER-In Windows 8, systems with an SSD could take advantage of this new low-power mode. Was expanded upon in Windows 10 with Modern Standby.
CurrentControlSet - ANSWER-Identifies which control set is considered the Current one. Contains system config settings needed to control system boot, like the driver and service information. ControlSet001 is typically the set the computer just booted with. It is usually the most up to date. ControlSet002 is the "Last Known Good" version, if something drastic happened.
Custom Destinations - ANSWER-Created by each application, and the content is custom to that application. Intended to present content that the application has deemed significant based on either previous usage of the app or through an action that has indicated that an item is of importance to the user.
Data Stream Carving - ANSWER-The carving of small fragments of a file, not the
whole file. Fragments can be pulled from memory, unallocated space, and
allocated database files. Ex: URLs, chat sessions, emails, encryption keys,...
DEAD System - Memory Acquisition - ANSWER-You can analyze hiberfil.sys by copying it from the root of the system drive. memory.dmp is a crash dump file that can also be used if a full crash dump was taken. pagefile.sys is not a complete copy of RAM, but can still provide parts of memory that were paged out to disk.
Desktop Activity Monitor (DAM) - ANSWER-Used in conjunction with the BAM key to record the path of the executable and the last date/time executed. The DAM is present on systems that have Connected Standby present.
DOMStore - ANSWER-This is where Web Store files are stored in IE/Edge. Set up
in a similar fashion to cache. WebCacheV*.dat file manages the DOMStore
filenames and the owning sites. It includes creation and last access timestamps
for Web Storage artifacts.
Exchange Database (EDB) - ANSWER-Container for user Microsoft Exchange
mailboxes. Stored in ESE format.
Email Header - ANSWER-Required component. Provides the envelope that a message relies on for getting it to the destination. The only completely reliable information is that from a Mail Transfer Agent that you own or trust.
EMDMgmt - ANSWER-Traditionally used for ReadyBoost to remember whether it
passed inspection. Each key in it provides the USB device manufacturer, ID,
Serial Number, Volume Name, and Volume Serial Number.
ESE Database - ANSWER-A proprietary Microsoft database format. Can be broken
up into multiple storage groups, each able to contain multiple database files.
Exif Data - ANSWER-Also called metadata, this is information electronically
attached to each image file, such as shutter speed, aperture, ISO, lens length,
white balance, and other settings used when taking the picture.