SC-200 Certification Practice Question #218

Question

You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR and contains a Windows device named Device1.

You investigate Device1 for malicious activity and discover a suspicious file named File1.exe. You collect an investigation package from Device1.

You need to review the following forensic data points:

•	Is an attacker currently accessing Device1 remotely?
•	When was File1.exe first executed?

Which folder in the investigation package should you review for each data point? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Accepted Answer

Both rows draw from the same dropdown of investigation-package folders. To detect whether an attacker is *currently* connected remotely, the **Network connections** folder is correct — its ActiveNetConnections.txt shows current TCP/IP connections and the folder is purpose-built to reveal remote connections, lateral movement, and C&C connectivity. To determine *when File1.exe was first executed*, the **Prefetch files** folder is correct — Windows writes a prefetch entry the first time an application runs, preserving a first-run timestamp. Both the Highly Voted (9 👍) and second comment (7 👍) agree and cite the same MS Learn page, which I confirmed verbatim. Confidence 93% — strong unanimous community agreement plus direct MS Learn confirmation, no dissent.

More SC-200 practice questions