In a Windows system, which statement best explains why the swap file is examined during forensics?

Unlock all questions

This demo includes only 20 questions. Upgrade to access hundreds of questions, flashcards, exam simulations, and disable ads.

Full question bankExam simulationsFlashcards
From $24.99Unlock all

Prepare for the Computer Hacking Forensic Investigator v11 exam. Study with flashcards and multiple choice questions. Each question includes hints and explanations. Get exam-ready efficiently!

Multiple Choice

In a Windows system, which statement best explains why the swap file is examined during forensics?

Explanation:
The swap file (pagefile.sys) is examined because it can hold a large volume of memory data that the user may be unaware still exists. When RAM runs low, Windows moves memory pages to disk to free up memory, and those pages can include fragments of documents, plaintext strings, passwords, browser data, and other artifacts from active programs. Because the swap file is not regularly cleared and can persist beyond what a user thinks was deleted, it becomes a valuable source of evidence for investigators. These other statements don’t fit: the swap file isn’t used to communicate with the Registry, and system configuration isn’t stored there—Registry data is kept in separate hive files. It also doesn’t serve as a dedicated history log of the last 100 commands run from the command line.

The swap file (pagefile.sys) is examined because it can hold a large volume of memory data that the user may be unaware still exists. When RAM runs low, Windows moves memory pages to disk to free up memory, and those pages can include fragments of documents, plaintext strings, passwords, browser data, and other artifacts from active programs. Because the swap file is not regularly cleared and can persist beyond what a user thinks was deleted, it becomes a valuable source of evidence for investigators.

These other statements don’t fit: the swap file isn’t used to communicate with the Registry, and system configuration isn’t stored there—Registry data is kept in separate hive files. It also doesn’t serve as a dedicated history log of the last 100 commands run from the command line.

More Multiple Choice Questions
Subscribe

Get the latest from Passetra

You can unsubscribe at any time. Read our privacy policy