Computer Hacking Forensic Investigator (CHFI v10) — Question 551
Consider a scenario where the perpetrator of a dark web crime has uninstalled Tor browser from their computer after committing the crime. The computer has been seized by law enforcement so they can investigate it for artifacts of Tor browser usage. Which of the following should the investigators examine to establish the use of Tor browser on the suspect machine?
Answer options
- A. Swap files
- B. Security logs
- C. Files in Recycle Bin
- D. Prefetch files
Correct answer: D
Explanation
Investigators should focus on Prefetch files: Windows creates them when a program runs and does not remove them when the program is uninstalled, so they can retain remnants of the Tor browser's execution, including timestamps and paths. Swap files may hold some data, but they are less reliable for identifying specific application usage. Security logs and Recycle Bin files are not likely to provide accurate evidence of the Tor browser's prior activity.