312-49 Question #373: Real Exam Question with Answer & Explanation
The correct answer is C: A large volume of data can exist within the swap file of which the computer user has no
Question
When investigating a Windows system, it is important to view the contents of the page or swap file because:
Options
- A. Windows stores all of the system's configuration information in this file
- B. This is the file that Windows uses to communicate directly with the Registry
- C. A large volume of data can exist within the swap file of which the computer user has no
- D. This is the file that Windows uses to store the history of the last 100 commands that were run from
Explanation
The Windows page file (pagefile.sys) is used by the OS to extend physical RAM by swapping memory contents to disk. Forensically, this is critical because the page file can contain remnants of processes, passwords, encryption keys, chat logs, documents, and other sensitive data that was in RAM — all without the user's knowledge or ability to easily delete it. Unlike RAM, the page file persists after shutdown. Investigators routinely examine it to recover volatile data artifacts. The page file is not a system configuration store, registry interface, or command history file.