Computer Hacking Forensic Investigator (CHFI v10) — Question 235

You have been asked to investigate the possibility of computer fraud in the finance department of a company. It is suspected that a staff member has been committing finance fraud by printing cheques that have not been authorized. You have exhaustively searched all data files on a bitmap image of the target computer, but have found no evidence. You suspect the files may not have been saved. What should you examine next in this case?

Answer options

Correct answer: B

Explanation

The correct answer is B, the swap file. The operating system pages memory contents out to it, so it can contain data that was never saved as a file, including unsaved documents. The registry (A) is mainly used for configuration settings, the recycle bin (C) holds deleted files, which may not include unsaved work, and metadata (D) doesn't directly help in recovering unsaved files.