Computer Hacking Forensic Investigator (CHFI v10) — Question 525

Jason discovered a file named $RIYG6VR.doc in the C:\$Recycle.Bin\<USER SID>\ while analyzing a hard disk image for the deleted data. What inferences can he make from the file name?

Answer options

• A. It is a doc file deleted in seventh sequential order
• B. RIYG6VR.doc is the name of the doc file deleted from the system
• C. It is file deleted from R drive
• D. It is a deleted doc file

Correct answer: D

Explanation

The correct answer is D, as it accurately describes the file as a deleted document. Options A and C make assumptions about the deletion sequence and the specific drive, which cannot be inferred solely from the file name. Option B incorrectly suggests that the name itself indicates it was deleted from the system, without confirming its status as deleted.