Computer Hacking Forensic Investigator (CHFI v10) — Question 53

Consider that you are investigating a machine running an Windows OS released prior to Windows Vista. You are trying to gather information about the deleted files by examining the master database file named INFO2 located at C:\Recycler\<USER SID>\. You read an entry named "Dd5.exe". What does Dd5.exe mean?

Answer options

• A. D drive. fifth file deleted, a .exe file
• B. D drive, fourth file restored, a .exe file
• C. D drive, fourth file deleted, a .exe file
• D. D drive, sixth file deleted, a .exe file

Correct answer: A

Explanation

The correct answer is A, which indicates that 'Dd5.exe' refers to the fifth file that was deleted from the D drive. The other options are incorrect because they either misidentify the number of the file or its status (restored instead of deleted).