U.S. Independence Day Deal! Unlock 25% OFF Today – Limited-Time Offer - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

Eccouncil 312-49v11 Exam - Topic 10 Question 2 Discussion

During a forensic investigation of a compromised Windows system, Investigator Sarah is tasked with extracting artifacts related to the system's pagefile.sys. She needs to navigate through the registry to locate this specific information. Which of the following registry paths should Sarah examine to extract pagefile.sys artifacts from the system?
D) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
A) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
B) HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Windows
C) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName

Eccouncil 312-49v11 Exam - Topic 10 Question 2 Discussion

Actual exam question for Eccouncil's 312-49v11 exam
Question #: 2
Topic #: 10
[All 312-49v11 Questions]

During a forensic investigation of a compromised Windows system, Investigator Sarah is tasked with extracting artifacts related to the system's pagefile.sys. She needs to navigate through the registry to locate this specific information. Which of the following registry paths should Sarah examine to extract pagefile.sys artifacts from the system?

Show Suggested Answer Hide Answer
Suggested Answer: D

According to the CHFI v11 Operating System Forensics module, the Windows pagefile.sys is a critical forensic artifact because it serves as virtual memory and may contain remnants of sensitive data such as credentials, command history, decrypted content, fragments of documents, and even portions of malicious code that were previously resident in RAM. As a result, understanding where pagefile-related configuration data is stored in the Windows Registry is essential for forensic investigators.

The registry path

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession ManagerMemory Management

is the correct location where Windows stores configuration values related to virtual memory management, including the PagingFiles value. This value specifies the location, size, and behavior of the pagefile.sys on the system. CHFI v11 explicitly references this registry key when discussing memory artifacts, virtual memory analysis, and Windows memory forensics.

The other options are not relevant to pagefile analysis. The CurrentVersion key stores OS version details, ControlSet001ControlWindows contains general system control settings, and ActiveComputerName only identifies the system hostname. None of these paths contain pagefile configuration data.

Therefore, to extract and validate artifacts related to pagefile.sys, Investigator Sarah must examine

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession ManagerMemory Management, making Option D the correct and CHFI v11--verified answer.


Contribute your Thoughts:

0/2000 characters
Lemuel
9 hours ago
Nah, I think B could have some relevant info too.
upvoted 0 times
...
Ilona
2 months ago
Isn't it surprising how many people overlook the registry for this?
upvoted 0 times
...
Dulce
2 months ago
I thought it was A at first, but D makes more sense.
upvoted 0 times
...
Jeff
2 months ago
Definitely check D, that's where the pagefile settings are!
upvoted 0 times
...
Melvin
2 months ago
Not sure if that's the right path, but it sounds plausible.
upvoted 0 times
...
Helga
2 months ago
Surprised that people overlook the Memory Management path!
upvoted 0 times
...
Kirk
2 months ago
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Windows seems off for this.
upvoted 0 times
...
Lelia
3 months ago
I thought it was in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion?
upvoted 0 times
...
Matt
3 months ago
Definitely check HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management for pagefile info.
upvoted 0 times
...
Corinne
3 months ago
I recall that pagefile.sys is tied to memory management, so D makes sense, but I wonder if A might have some related info as well.
upvoted 0 times
...
Tom
3 months ago
I practiced a similar question where we had to find system artifacts in the registry. I feel like D is the right choice, but I could be mixing it up with another topic.
upvoted 0 times
...
Truman
3 months ago
I'm not entirely sure, but I remember something about the ControlSet paths being important for system settings. Maybe B could be relevant too?
upvoted 0 times
...
Romana
3 months ago
I think the pagefile information is usually found in the Memory Management section, so I would lean towards option D.
upvoted 0 times
...

Save Cancel