ExamTopics Logo
Mail Us[email protected]
Menu
Eccouncil Discussions
exam questions

Exam 312-49v10 All Questions

View all questions & answers for the 312-49v10 exam
Go to Exam

Exam 312-49v10 topic 1 question 611 discussion

Actual exam question from ECCouncil's 312-49v10
Question #: 611
Topic #: 1
[All 312-49v10 Questions]

Consider a scenario where the perpetrator of a dark web crime has uninstalled Tor browser from their computer after committing the crime. The computer has been seized by law enforcement so they can investigate it for artifacts of Tor browser usage. Which of the following should the investigators examine to establish the use of Tor browser on the suspect machine?

  • A. Swap files
  • B. Security logs
  • C. Files in Recycle Bin
  • D. Prefetch files
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by aqeel1506 at July 21, 2024, 5:26 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
044f354
1 week, 1 day ago
Selected Answer: D
D. Prefetch files --BUT-- Prefetch is DISABLED BY DEFAULT on SSD-based systems. Prefetch files exist as a function of the delays of spinning disks. The "most correct" answer shifts based on reality implied in the question. If you see "On a Windows 11 system" or "modern laptop" the implication is an SSD is present. Then between: (A) Swap file — On SSDs where Prefetch may be absent, swap files could contain residual evidence. (D) Prefetch — likely not present Choose A, because D loses viability under SSD assumptions. Always weigh technical accuracy + scenario realism. EVERY WORD MATTERS Questions often force best-available-answer decisions based on subtle context. Real-world forensics knowledge (like SSD presence and behavior) is implicitly tested. ----- If you agree: UPVOTE this post to add your vote to the community tally. If you disagree: discuss with citations Both actions crowdsource best answers.
upvoted 1 times
044f354
1 week, 1 day ago
For clarity: Prefetch files are specifically created to track application execution, including timestamps and file paths. This makes them a valuable artifact for showing prior use of Tor browser, even if the browser was uninstalled. Prefetch is a performance-enhancing feature in Windows (from XP to Windows 10/11) that stores metadata about application executions. This helps the OS preload data for faster app launches. Example: C:\Windows\Prefetch\TORBROWSER.EXE-3A5F5B7C.pf Remnants remain even if the app itself is uninstalled (unless the prefetch folder is cleaned). Key Forensic Details Stored: Name of the executed file Full path of the executable Last execution timestamp Number of times the executable was run Associated DLLs loaded during execution
upvoted 1 times
...
...
aqeel1506
8 months, 2 weeks ago
A. Swap files Swap files (or page files) can contain remnants of data from applications that were recently used, including Tor browser. Even if the Tor browser has been uninstalled, its artifacts might still be present in the swap files, which can provide evidence of its previous usage. Other options, such as security logs, files in the Recycle Bin, or prefetch files, might not provide as direct evidence of Tor browser activity as the swap files can.
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago