Computer Hacking Forensic Investigator (CHFI v10) — Question 117

In the context of file deletion process, which of the following statement holds true?

Answer options

• A. When files are deleted, the data is overwritten and the cluster marked as available
• B. The longer a disk is in use, the less likely it is that deleted files will be overwritten
• C. While booting, the machine may create temporary files that can delete evidence
• D. Secure delete programs work by completely overwriting the file in one go

Correct answer: C

Explanation

The correct answer is C, as it accurately describes how temporary files created during boot can mask or erase evidence of deleted files. Option A is incorrect because deleted files are not necessarily overwritten immediately. Option B is misleading since the likelihood of overwriting deleted files increases with disk usage. Option D is inaccurate because secure delete programs often overwrite files multiple times rather than in a single operation.