What happens when a file is deleted in Windows 7?

Unlock all questions

This demo includes only 20 questions. Upgrade to access hundreds of questions, flashcards, exam simulations, and disable ads.

Full question bankExam simulationsFlashcards
From $9.99Unlock all

Enhance your knowledge as a Computer Hacking Forensic Investigator with the CHFI v11 Test. Use flashcards and multiple-choice questions, complete with hints and detailed explanations, to prepare effectively and ace your exam!

Multiple Choice

What happens when a file is deleted in Windows 7?

Explanation:
When Windows 7 deletes a file, it uses the NTFS filesystem behavior: the file’s record in the Master File Table (MFT) is marked as no longer in use and given a deleted-indicator, rather than immediately wiping the data off the disk. The MFT entry is flagged as deleted, and the directory entry that pointed to the file is detached. The actual file data clusters on the disk aren’t erased right away; they’re simply marked as free space and can be overwritten later as new data is written. This is why deleted files can sometimes be recovered with forensic tools until the space is reused. The other options don’t fit NTFS behavior. The 0xE5 marker belongs to FAT directory entries, not NTFS. The FAT table concept isn’t how NTFS tracks deletions. And deleting isn’t an immediate data erasure—the data remains until overwritten, which is why deletion isn’t a secure erase by default.

When Windows 7 deletes a file, it uses the NTFS filesystem behavior: the file’s record in the Master File Table (MFT) is marked as no longer in use and given a deleted-indicator, rather than immediately wiping the data off the disk. The MFT entry is flagged as deleted, and the directory entry that pointed to the file is detached. The actual file data clusters on the disk aren’t erased right away; they’re simply marked as free space and can be overwritten later as new data is written. This is why deleted files can sometimes be recovered with forensic tools until the space is reused.

The other options don’t fit NTFS behavior. The 0xE5 marker belongs to FAT directory entries, not NTFS. The FAT table concept isn’t how NTFS tracks deletions. And deleting isn’t an immediate data erasure—the data remains until overwritten, which is why deletion isn’t a secure erase by default.

More Multiple Choice Questions
Subscribe

Get the latest from Examzify

You can unsubscribe at any time. Read our privacy policy