Computer Hacking Forensic Investigator (CHFI) — Question 130

In a forensic examination of hard drives for digital evidence, what type of user is most likely to have the most file slack to analyze?

Answer options

• A. one who has NTFS 4 or 5 partitions
• B. one who uses dynamic swap file capability
• C. one who uses hard disk writes on IRQ 13 and 21
• D. one who has lots of allocation units per block or cluster

Correct answer: D

Explanation

The correct answer is D because having many allocation units per block or cluster results in more unused space, known as file slack, which can be analyzed for evidence. Options A, B, and C do not directly lead to increased file slack, making them less relevant in this context.