In a Windows system, which statement best explains why the swap file is examined during forensics?

• A. A Large volume of data can exist within the swap file of which the computer user has no knowledge
• B. This is file that windows use to communicate directly with Registry
• C. Windows stores all of the systems configuration information in this file
• D. This is the file that Windows use to store the history of the last 100 commands that were run from the command line

Answer: (A)

The swap file (pagefile.sys) is examined because it can hold a large volume of memory data that the user may be unaware still exists. When RAM runs low, Windows moves memory pages to disk to free up memory, and those pages can include fragments of documents, plaintext strings, passwords, browser data, and other artifacts from active programs. Because the swap file is not regularly cleared and can persist beyond what a user thinks was deleted, it becomes a valuable source of evidence for investigators.

These other statements don’t fit: the swap file isn’t used to communicate with the Registry, and system configuration isn’t stored there—Registry data is kept in separate hive files. It also doesn’t serve as a dedicated history log of the last 100 commands run from the command line.