When investigating a computer, you find many files whose first letter has been replaced by the hex code 5h. What does this indicate?

Unlock all questions

This demo includes only 20 questions. Upgrade to access hundreds of questions, flashcards, exam simulations, and disable ads.

Full question bankExam simulationsFlashcards

From $9.99Unlock all

Enhance your knowledge as a Computer Hacking Forensic Investigator with the CHFI v11 Test. Use flashcards and multiple-choice questions, complete with hints and detailed explanations, to prepare effectively and ace your exam!

Multiple Choice

When investigating a computer, you find many files whose first letter has been replaced by the hex code 5h. What does this indicate?

In FAT-based file systems, the directory entry for a file begins with the first letter of its name. When a file is deleted, that first byte is overwritten with a special marker (often shown in hex as E5h, which corresponds to the decimal 229). If you’re seeing many files where the first letter has been replaced by that hex code, it signals that those entries have been marked as deleted. The actual file data may still exist on disk and can sometimes be recovered until those clusters are overwritten.

This is different from a hidden or read-only flag, which would be indicated by file attributes rather than a deletion marker in the filename field. It’s also not necessarily a sign of corruption—the marker is a deliberate deletion indicator.

When investigating a computer, you find many files whose first letter has been replaced by the hex code 5h. What does this indicate?

Enhance your knowledge as a Computer Hacking Forensic Investigator with the CHFI v11 Test. Use flashcards and multiple-choice questions, complete with hints and detailed explanations, to prepare effectively and ace your exam!

When investigating a computer, you find many files whose first letter has been replaced by the hex code 5h. What does this indicate?

Get the latest from Examzify