In a finance fraud investigation where files on a bitmap image appear not saved, what should you examine next?

Prepare for the Computer Hacking Forensic Investigator v11 exam. Study with flashcards and multiple choice questions. Each question includes hints and explanations. Get exam-ready efficiently!

Multiple Choice

In a finance fraud investigation where files on a bitmap image appear not saved, what should you examine next?

Explanation:
The key idea is that what’s in memory can survive on disk in a swap area, even if a file wasn’t saved. When a bitmap image is opened and edited but not saved, the program and the operating system keep portions of that image in RAM. If RAM becomes full or the system needs to free memory, those memory pages can be written to the swap file (in Windows, this is pagefile.sys). This means remnants of the unsaved bitmap data—headers, pixel data, or intermediate edits—may still exist in the swap file and can be recovered or reconstructed during an investigation. That makes examining the swap file the most promising next step for uncovering evidence of the image data. The other sources are less likely to contain the actual unsaved image content: the registry stores configuration and software details, not the file’s contents; the recycle bin holds files that were explicitly deleted, not unsaved work; metadata describes attributes or history of a file, not the raw data or unsaved edits.

