312-49 Question #236: Real Exam Question with Answer & Explanation
The correct answer is C: It can search slack space.
Question
What advantage does the tool Evidor have over the built-in Windows search?
Options
- A. It can find deleted files even after they have been physically removed
- B. It can find bad sectors on the hard drive
- C. It can search slack space
- D. It can find files hidden within ADS
Explanation
Slack space is the unused space between the end of a file's actual data and the end of the last cluster allocated to that file. This area can contain remnants of previously deleted data and is a rich source of forensic evidence. The built-in Windows search cannot examine slack space because it operates through the file system layer. Evidor is a forensic search tool specifically designed to search slack space (as well as unallocated clusters and other areas outside normal file system boundaries), giving it a significant advantage over standard OS search utilities.