Computer Hacking Forensic Investigator (CHFI v10) — Question 588

When investigating a Windows System, it is important to view the contents of the page or swap file because:

Answer options

• A. Windows stores all of the systems configuration information in this file
• B. This is file that windows use to communicate directly with Registry
• C. A Large volume of data can exist within the swap file of which the computer user has no knowledge
• D. This is the file that windows use to store the history of the last 100 commands that were run from the command line

Correct answer: C

Explanation

The correct answer is C because the swap file can contain a large amount of data that may not be visible to the user, which can be critical for forensic investigations. Options A and B are incorrect as they misrepresent the purpose of the page or swap file. Option D is also incorrect as it inaccurately describes the function of the swap file.