Computer Hacking Forensic Investigator (CHFI v10) — Question 147

Ivanovich, a forensics investigator, is trying to extract complete information about running processes from a system. Where should he look apart from the RAM and virtual memory?

Answer options

• A. Swap space
• B. Application data
• C. Files and documents
• D. Slack space

Correct answer: A

Explanation

The correct answer is A, Swap space, because it serves as an overflow area for memory, potentially containing information about running processes. The other options, such as Application data, Files and documents, and Slack space, do not typically provide direct insights into the current state of running processes.