Computer Hacking Forensic Investigator (CHFI v10) — Question 131

While searching through a computer under investigation, you discover numerous files that appear to have had the first letter of the file name replaced by the hex code byte 5h. What does this indicate on the computer?

Answer options

• A. The files have been marked as hidden
• B. The files have been marked for deletion
• C. The files are corrupt and cannot be recovered
• D. The files have been marked as read-only

Correct answer: B

Explanation

The presence of the hex code byte 5h at the beginning of a file name signifies that the file has been marked for deletion in many file systems. The other options do not accurately reflect the specific indication that a file has been flagged for deletion, as hidden, corrupt, and read-only statuses represent different attributes and behaviors of files.