
312-49v10 Exam - Question 148


John is working as a computer forensics investigator for a consulting firm in Canada. He is called to seize a computer at a local web café purportedly used as a botnet server. John thoroughly scans the computer and finds nothing that would lead him to think the computer was a botnet server. John decides to scan the virtual memory of the computer to possibly find something he had missed. What information will the virtual memory scan produce?

Correct Answer: D

Virtual memory, also known as swap space or page file, is used by the operating system to extend the physical memory and manage active processes. Hidden running processes may include malware or other malicious software that attempts to evade detection by residing in the virtual memory instead of the physical RAM. By scanning the virtual memory, John may uncover these hidden processes and obtain crucial information about activities that are not immediately visible in the physical memory.

Discussion

1 comment
aqeel1506 Option: D
Jul 18, 2024

The correct answer is D. Hidden running processes. Virtual memory (also known as page file or swap space) is an area on the hard drive where the operating system stores data that is currently not in physical RAM (Random Access Memory). When a computer runs low on physical RAM, the operating system moves inactive pages of memory to the virtual memory to free up physical RAM for other uses. By scanning the virtual memory, John may be able to find evidence of hidden running processes, such as malware or botnet software, that were not visible in the physical RAM. This is because the virtual memory may contain remnants of processes that were previously running but are now closed, or processes that are designed to evade detection by hiding in the virtual memory.