Computer Hacking Forensic Investigator (CHFI v10) — Question 227

A forensics investigator is searching the hard drive of a computer for files that were recently moved to the Recycle Bin. He searches for files in C:\RECYCLED using a command line tool but does not find anything. What is the reason for this?

Answer options

• A. He should search in C:\Windows\System32\RECYCLED folder
• B. The Recycle Bin does not exist on the hard drive
• C. The files are hidden and he must use switch to view them
• D. Only FAT system contains RECYCLED folder and not NTFS

Correct answer: C

Explanation

The correct answer is C because files in the Recycle Bin can be hidden from standard view, requiring the use of specific command line switches to reveal them. Option A is incorrect because the correct path for the Recycle Bin is not C:\Windows\System32\RECYCLED, option B is false as the Recycle Bin does exist on the hard drive, and option D is misleading since NTFS also supports a similar mechanism for a Recycle Bin.