SANS 500 Questions And Answers With Latest Updates
0 view 0 purchase
Course
SANS 500
Institution
SANS 500
SANS 500 Questions And Answers With Latest Updates
Why is it important to collect volatile data during incident response ANS Information could be lost if the system is powered off or rebooted
You are responding to an incident. The suspect was using his Windows Desktop Computer with Firefox and...
SANS 500 Questions And Answers With Latest
Updates
Why is it important to collect volatile data during incident response ANS Information could be
lost if the system is powered off or rebooted
You are responding to an incident. The suspect was using his Windows Desktop Computer with
Firefox and "Private Browsing" enabled. The attack was interrupted when it was detected, and the
browser windows are still open. What can you do to capture the most in-depth data from the suspect's
browser session ANS Collect the contents of the computer's RAM
How is a user mapped to contents of the recycle bin? ANS SID
How does PhotRec Recover deleted files from a host? ANS Searches free space looking for file
signatures that match specific file types
You are responding to an incident in progress on a workstation, Why is it important to check the
presence of encryption on the suspect workstation before turning it off? ANS Data on mounted
volumes and decryption keys stored as volatile data may be lost
How can cookies.sqlite linked to a specific user account ANS The DB file is stored in the
corresponding profile folder
You are reviewing the contents of a Windows shortcut [.Ink file] pointing to C:\SANS.JPG. Which of
the following metadata can you expect to find? ANS The last access time of C:\SANS.JPG
Which of the following must you remember when reviewing Windows registry data in your timeline
ANS Registry keys store only a 'LastWrite' time stamp and do not indicate when they were
created, accessed or deleted
What information can be deduced by the following artifact?
System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces ANS If an interface GUID was
used to connect to the internet over 3G
, Which part of the LNK file reveals the shell path to the target file ANS PIDL - The PIDL section
of a LNK file, follow the header, it contains a shell path (a PIDL0 to the target file
In addition to the Web Notes Folder, which location contains Web Notes browser artifacts? ANS
Spartan.edb
Which event will create a new directory in C:\System Volume Information\? ANS Software
installation. There are several ways to create a new volume shadow copy - Software installation,
System snapshot, Manual snapshot
You are examining an image of a Windows system. In the C:\Windows\Prefetch directory you find an
entry for "EvilBin.Exe". Assuming the file was legitimately created by the operating system, what
does this file's existence mean to you, as the forensic investigator? ANS EvilBin.Exe has been
run at least once on this system
What does the unique GUID assigned to each sub-key of the UserAssist registry entry represent?
ANS Method used to execute and application
Which is the advantage offered by server-based e-mail forensic tools when compared to standard
forensic suites? ANS They allow simultaneous searches across multiple user accounts
Which Windows 7 event log records installation and update information for Windows security
updates and patches ANS Setup.log records installation and update information on all
applications
You are participating in an e-mail investigation for a company using Microsoft Exchange with
Outlook clients. Which of the following would reduce the results returned in a keyword search of a
user's mailbox? ANS The organization's email clients have S/MIME support enabled
Network logs show that Bob accessed \\10.10.23.47\Financial\Salary two weeks past. Bob claims he
never intentionally went to the network share, that he must've clicked on a link that mapped to that
location. Which registry key on Bob's host will show if he knew the network location of the salary
folder? ANS TypePaths
The benefits of buying summaries with Stuvia:
Guaranteed quality through customer reviews
Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.
Quick and easy check-out
You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.
Focus on what matters
Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!
Frequently asked questions
What do I get when I buy this document?
You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.
Satisfaction guarantee: how does it work?
Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.
Who am I buying these notes from?
Stuvia is a marketplace, so you are not buying this document from us, but from seller Labtech. Stuvia facilitates payment to the seller.
Will I be stuck with a subscription?
No, you only buy these notes for $11.99. You're not tied to anything after your purchase.