Alternate Data Streams (ADS) - Alternative content for a file that exists by creating additional data pointers within the same NTFS file; essentially the presence of a second or subsequent data stream. Zone.Identifier is an example of an ADS.
AMCACHE.HVE - Utilized for the internal application compatibility capability that allows Windows to run older executables from earlier iterations of the OS.
AppCompatCache - Tracks the executable file's last modification date, file path, and whether it was executed. Windows looks at this key to figure out if a program needs shimming for compatibility.
AppData Folder - Contains custom settings and other information needed by applications. Contains the Local, LocalLow, and Roaming folders. For example, web browser bookmarks and cache.
AppID - Each application has a unique ID, but they are not unique to the system. Used to ensure that the application's preferences do not conflict with similar applications. Used in jump lists, both Custom and Automatic.
Application Log - Records events logged by applications. Example: failure of MS SQL to access a database.
Audit Removable Storage - Logs every interaction with a removable device, by user.
Automatic Destinations - Contains a list of applications sorted by AppID. Can be used to map the history of the application from its first use.
Autostart - Lists the programs that run at system boot. Useful for finding malware that installs itself to run on boot, such as a rootkit.
Background Activity Monitor (BAM) - This key is used in conjunction with the DAM key to record the path of the executable and the last date/time it was executed.
BagMRU - Based on the keys stored here, you can tell which directories were opened/closed during a time period.
Bookmarks - Created by the user; shortcuts to websites that are frequently visited or saved for later. They can also contain the user account, URL, URL parameters, page title, creation date, and last used date.
Browser Forensics - History files, browser cache, and cookies make up the bulk of browser artifacts. You can find the websites a user visited, how many times and when they visited, saved websites, downloaded files, usernames, and what the user searched for.
BSSID - (Basic Service Set ID) The MAC address of a base station, used to identify it to host stations.
Compliance Search - PowerShell cmdlet used in eDiscovery for nearly any kind of search.
Connected Standby - In Windows 8, systems with an SSD could take advantage of this new low-power mode. It was expanded upon in Windows 10 as Modern Standby.
CurrentControlSet - Identifies which control set is considered the current one. Contains the system configuration settings needed to control system boot, such as driver and service information. ControlSet001 is typically the set the computer was just booted with and is usually the most up to date. ControlSet002 is the "Last Known Good" version, used if something drastic happened.
Custom Destinations - Created by each application and custom to it. Intended to present content that the application has deemed significant, based either on previous usage of the app or on an action that has indicated an item is important to the user.
Data Stream Carving - The carving of small fragments of a file, not the whole file. Fragments can be pulled from memory, unallocated space, and allocated database files. Examples: URLs, chat sessions, emails, encryption keys, etc.
DEAD System - Memory Acquisition - You can analyze hiberfil.sys by copying it from the root of the system drive. memory.dmp is a crash dump file that can also be used if a full crash dump was taken. pagefile.sys is not a complete copy of RAM, but it can still provide parts of memory that were paged out to disk.
Desktop Activity Monitor (DAM) - Used in conjunction with the BAM key to record the path of the executable and the last date/time it was executed. The DAM is present on systems that have Connected Standby.
DOMStore - This is where Web Storage files are stored in IE/Edge. Set up in a similar fashion to the cache. The WebCacheV*.dat file manages the DOMStore filenames and the owning sites. It includes creation and last access timestamps for Web Storage artifacts.
Exchange Database (EDB) - Container for users' Microsoft Exchange mailboxes. Stored in ESE format.