Which Windows artifact specifically helps identify recently executed programs and their sequence on a host?

Study for the SANS Advanced Incident Response, Threat Hunting, and Digital Forensics (FOR508) Test. Prepare with comprehensive materials, flashcards, and multiple choice questions with hints and explanations. Ace your exam with confidence!

Multiple Choice

Which Windows artifact specifically helps identify recently executed programs and their sequence on a host?

Explanation:
Prefetch files are designed to capture how Windows starts programs, making them the most precise artifact for identifying what was executed recently and the order in which startup actions occurred. Each time a program runs, Windows creates or updates a corresponding prefetch file in the Windows\Prefetch folder. Those .pf files record the executable’s name, the last time it ran, and how many times it was launched, along with a list of files and resources the program accessed during startup in the sequence they were accessed. By inspecting these details across the set of prefetch files, you can determine not only which programs were executed recently but also the relative sequence of their launches, which is invaluable for mapping the execution timeline during an incident. Windows Event Logs can offer process creation events if auditing is enabled, but prefetch provides a direct, commonly available signal of recent executions and their startup order. The other artifacts listed don’t specifically tie to the exact sequence of recently executed programs in the same focused way.
