Computer Hacking Forensic Investigator (CHFI) — Question 92

A forensics investigator is searching the hard drive of a computer for files that were recently moved to the Recycle Bin. He searches for files in C:\RECYCLED using a command line tool but does not find anything. What is the reason for this?

Answer options

• A. He should search in C:\Windows\System32\RECYCLED folder
• B. The Recycle Bin does not exist on the hard drive
• C. The files are hidden and he must use switch to view them
• D. Only FAT system contains RECYCLED folder and not NTFS

Correct answer: C

Explanation

The correct answer is C because files in the Recycle Bin can be hidden from standard views, and a specific command-line switch is needed to display them. Option A is incorrect as the correct path for the Recycle Bin is not C:\Windows\System32\RECYCLED. Option B is wrong since the Recycle Bin exists on NTFS, and option D is misleading because NTFS systems also have a hidden Recycle Bin but under a different structure.