EC-Council


312-49 Question #185: Real Exam Question with Answer & Explanation

The correct answer is B: The swapfile.

Submitted by tom_us · Apr 18, 2026 · Disk Forensics

Question

You have been asked to investigate the possibility of computer fraud in the finance department of a company. It is suspected that a staff member has been committing finance fraud by printing cheques that have not been authorized. You have exhaustively searched all data files on a bitmap image of the target computer, but have found no evidence. You suspect the files may not have been saved. What should you examine next in this case?

Options

  • A. The registry
  • B. The swapfile
  • C. The recycle bin
  • D. The metadata

Explanation

The swapfile (also known as the page file or virtual memory file, e.g., pagefile.sys on Windows) is used by the OS to temporarily store data from RAM when physical memory is insufficient. If a user opened and printed a document without ever saving it to disk, remnants of that document may still exist in the swapfile because the OS may have paged that memory to disk during the session. This makes the swapfile a critical artifact to examine when no saved files are found. The registry stores configuration data, the recycle bin holds deleted files, and metadata describes file attributes — none would contain unsaved document content.
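As an added illustration (not part of the original question or its explanation), the sketch below searches a raw swap/page file for a keyword in both ASCII and UTF-16LE, since Windows applications commonly hold text in memory as UTF-16. The function name `scan_swap`, the keyword and the sample bytes are constructed for this example, and keywords are assumed to be plain ASCII.

```python
import io
import re

def printable(raw, enc):
    """Decode a byte snippet and mask anything outside printable ASCII."""
    s = raw.decode(enc, errors="replace")
    return "".join(c if " " <= c <= "~" else "." for c in s)

def scan_swap(stream, keywords, chunk_size=1 << 20, context=32):
    """Return sorted (offset, encoding, keyword, text) hits from a raw swap file.

    Reads in chunks and carries a small overlap so a keyword that straddles
    a chunk boundary is still found. Text after a hit may be cut short at a
    chunk edge.
    """
    pats = [(kw, enc, re.compile(re.escape(kw.encode(enc)), re.I))
            for kw in keywords for enc in ("ascii", "utf-16-le")]
    overlap = max(len(kw.encode("utf-16-le")) for kw in keywords) - 1
    hits, seen = [], set()
    tail, base = b"", 0              # base = file offset of buf[0]
    while chunk := stream.read(chunk_size):
        buf = tail + chunk
        for kw, enc, pat in pats:
            for m in pat.finditer(buf):
                key = (base + m.start(), enc, kw)
                if key in seen:      # already reported from the overlap
                    continue
                seen.add(key)
                snippet = buf[m.start():m.end() + context]
                hits.append(key + (printable(snippet, enc),))
        tail = buf[-overlap:]
        base += len(buf) - len(tail)
    return sorted(hits)

# Constructed sample standing in for a pagefile.sys copy: filler bytes, one
# ASCII remnant and one UTF-16LE remnant of an unsaved document.
SAMPLE = (b"\x00" * 37 + b"Cheque No 000123 pay ACME Ltd" + b"\xff" * 50
          + "cheque amount 9,500.00".encode("utf-16-le") + b"\x00" * 20)

if __name__ == "__main__":
    for off, enc, kw, text in scan_swap(io.BytesIO(SAMPLE), ["cheque"]):
        print(f"0x{off:08x} {enc:9} {kw!r}: {text}")
```

Run it against a working copy of the swapfile extracted from the forensic image, never the original evidence; the reported offsets let each hit be revisited in a hex viewer.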

Topics

#Swapfile analysis #Volatile data #Forensic artifacts #Unsaved data recovery
