When collecting evidence from the RAM, where do you look for data?

Enhance your knowledge as a Computer Hacking Forensic Investigator with the CHFI v11 Test. Use flashcards and multiple-choice questions, complete with hints and detailed explanations, to prepare effectively and ace your exam!

Multiple Choice

When collecting evidence from the RAM, where do you look for data?

Explanation:

When collecting evidence from RAM, you’re after data that was resident in volatile memory. If the system uses virtual memory, pages from RAM can be moved to disk in a swap file to free physical memory. Those swapped-out pages may still contain useful RAM-resident artifacts—strings, remnants of processes, or memory structures—that you can recover by examining the swap file. On Windows this is typically pagefile.sys, and Linux uses a swap area/file. So the swap file is the most likely place to find data that originated in RAM after it was paged out.

The other options aren’t sources of RAM contents: the SAM file stores user account information, not RAM data; a generic data file isn’t specifically tied to memory artifacts; and a log file records events rather than actual memory pages.
