Name three common Windows artifacts useful for reconstructing execution and persistence.


Multiple Choice


Explanation:
Reconstructing how an attacker executed on a Windows host and established persistence relies on traces that show what ran, when it ran, and what system state changed as a result. Prefetch files reveal which executables were launched, when they were last run, and how often they were executed, providing a concrete link to execution events and helping sequence actions. The USN Change Journal logs file system changes on NTFS volumes, so you can see which files were created, modified, or deleted and when, which often corresponds to payload deployment, dropper activity, or persistence-related file moves. Windows Event Logs capture a broad set of system and security events, including logon activity, service creations, and scheduled tasks, giving a timeline of user and process actions. If Sysmon is installed, the data becomes even more powerful: detailed process creation events, network connections, registry changes, and file creation events provide granular, machine-readable evidence of execution, network activity, and persistence techniques.

Together, these Windows artifacts form a strong foundation for reconstructing how code ran on the host and how persistence was achieved, which is why they are considered three common Windows artifacts for this purpose. The other options point to non-Windows platforms or to memory-focused artifacts; while memory dumps and pagefiles can be useful, they do not provide the same direct, cross-cutting view of what ran and what changed on Windows as Prefetch, the USN Change Journal, and Windows Event Logs (augmented by Sysmon).

