When investigating a Windows System, it is important to view the contents of the page or swap file because:

A state department site was recently attacked and all the servers had their disks erased. The incident response
team sealed the area and commenced investigation. During evidence collection they came across a zip disks
that did not have the standard labeling on it. The incident team ran the disk on an isolated system and found
that the system disk was accidentally erased. They decided to call in the FBI for further investigation.
Meanwhile, they short listed possible suspects including three summer interns. Where did the incident team go
wrong?

Which of the following refers to the data that might still exist in a cluster even though the original file has been
overwritten by another file?

What should you do when approached by a reporter about a case that you are working on or have worked on?

This is original file structure database that Microsoft originally designed for floppy disks. It is written to the
outermost track of a disk and contains information about each file stored on the drive.

You are working in the security Department of law firm. One of the attorneys asks you about the topic of
sending fake email because he has a client who has been charged with doing just that. His client alleges that
he is innocent and that there is no way for a fake email to actually be sent. You inform the attorney that his
client is mistaken and that fake email is possibility and that you can prove it. You return to your desk and craft afake email to the attorney that appears to come from his boss. What port do you send the email to on the
company SMTP server?

Volatile Memory is one of the leading problems for forensics. Worms such as code Red are memory resident
and do write themselves to the hard drive, if you turn the system off they disappear. In a lab environment,
which of the following options would you suggest as the most appropriate to overcome the problem of
capturing volatile memory?

When reviewing web logs, you see an entry for resource not found in the HTTP status code filed.
What is the actual error code that you would see in the log for resource not found?

You are called in to assist the police in an investigation involving a suspected drug dealer. The suspects house
was searched by the police after a warrant was obtained and they located a floppy disk in the suspects
bedroom. The disk contains several files, but they appear to be password protected. What are two common
methods used by password cracking software that you can use to obtain the password?

When examining a hard disk without a write-blocker, you should not start windows because Windows will write
data to the: