100% satisfaction guarantee Immediately available after payment Both online and in PDF No strings attached
logo-home
SANS 500 Questions And Answers With Latest Updates $11.99   Add to cart

Exam (elaborations)

SANS 500 Questions And Answers With Latest Updates

 2 views  0 purchase
  • Course
  • SANS 500
  • Institution
  • SANS 500

SANS 500 Questions And Answers With Latest Updates Why is it important to collect volatile data during incident response ANS Information could be lost if the system is powered off or rebooted You are responding to an incident. The suspect was using his Windows Desktop Computer with Firefox and...

[Show more]

Preview 2 out of 7  pages

  • November 7, 2024
  • 7
  • 2024/2025
  • Exam (elaborations)
  • Questions & answers
  • sans 500
  • SANS 500
  • SANS 500
avatar-seller
Labtech
SANS 500 Questions And Answers With Latest
Updates
Why is it important to collect volatile data during incident response ANS Information could be
lost if the system is powered off or rebooted


You are responding to an incident. The suspect was using his Windows Desktop Computer with
Firefox and "Private Browsing" enabled. The attack was interrupted when it was detected, and the
browser windows are still open. What can you do to capture the most in-depth data from the suspect's
browser session ANS Collect the contents of the computer's RAM



How is a user mapped to contents of the recycle bin? ANS SID



How does PhotRec Recover deleted files from a host? ANS Searches free space looking for file
signatures that match specific file types


You are responding to an incident in progress on a workstation, Why is it important to check the
presence of encryption on the suspect workstation before turning it off? ANS Data on mounted
volumes and decryption keys stored as volatile data may be lost



How can cookies.sqlite linked to a specific user account ANS The DB file is stored in the
corresponding profile folder


You are reviewing the contents of a Windows shortcut [.Ink file] pointing to C:\SANS.JPG. Which of
the following metadata can you expect to find? ANS The last access time of C:\SANS.JPG


Which of the following must you remember when reviewing Windows registry data in your timeline
ANS Registry keys store only a 'LastWrite' time stamp and do not indicate when they were
created, accessed or deleted


What information can be deduced by the following artifact?
System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces ANS If an interface GUID was
used to connect to the internet over 3G

, Which part of the LNK file reveals the shell path to the target file ANS PIDL - The PIDL section
of a LNK file, follow the header, it contains a shell path (a PIDL0 to the target file



In addition to the Web Notes Folder, which location contains Web Notes browser artifacts? ANS
Spartan.edb



Which event will create a new directory in C:\System Volume Information\? ANS Software
installation. There are several ways to create a new volume shadow copy - Software installation,
System snapshot, Manual snapshot


You are examining an image of a Windows system. In the C:\Windows\Prefetch directory you find an
entry for "EvilBin.Exe". Assuming the file was legitimately created by the operating system, what
does this file's existence mean to you, as the forensic investigator? ANS EvilBin.Exe has been
run at least once on this system



What does the unique GUID assigned to each sub-key of the UserAssist registry entry represent?
ANS Method used to execute and application


Which is the advantage offered by server-based e-mail forensic tools when compared to standard
forensic suites? ANS They allow simultaneous searches across multiple user accounts


Which Windows 7 event log records installation and update information for Windows security
updates and patches ANS Setup.log records installation and update information on all
applications


You are participating in an e-mail investigation for a company using Microsoft Exchange with
Outlook clients. Which of the following would reduce the results returned in a keyword search of a
user's mailbox? ANS The organization's email clients have S/MIME support enabled


Network logs show that Bob accessed \\10.10.23.47\Financial\Salary two weeks past. Bob claims he
never intentionally went to the network share, that he must've clicked on a link that mapped to that
location. Which registry key on Bob's host will show if he knew the network location of the salary
folder? ANS TypePaths

The benefits of buying summaries with Stuvia:

Guaranteed quality through customer reviews

Guaranteed quality through customer reviews

Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.

Quick and easy check-out

Quick and easy check-out

You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.

Focus on what matters

Focus on what matters

Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!

Frequently asked questions

What do I get when I buy this document?

You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.

Satisfaction guarantee: how does it work?

Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.

Who am I buying these notes from?

Stuvia is a marketplace, so you are not buying this document from us, but from seller Labtech. Stuvia facilitates payment to the seller.

Will I be stuck with a subscription?

No, you only buy these notes for $11.99. You're not tied to anything after your purchase.

Can Stuvia be trusted?

4.6 stars on Google & Trustpilot (+1000 reviews)

67866 documents were sold in the last 30 days

Founded in 2010, the go-to place to buy study notes for 14 years now

Start selling
$11.99
  • (0)
  Add to cart