Which file system metadata marks a deleted file in Windows 7?

Unlock all questions

This demo includes only 20 questions. Upgrade to access hundreds of questions, flashcards, exam simulations, and disable ads.

Full question bankExam simulationsFlashcards
From $9.99Unlock all

Enhance your knowledge as a Computer Hacking Forensic Investigator with the CHFI v11 Test. Use flashcards and multiple-choice questions, complete with hints and detailed explanations, to prepare effectively and ace your exam!

Multiple Choice

Which file system metadata marks a deleted file in Windows 7?

Explanation:
In NTFS, the file’s metadata lives in the Master File Table (MFT). When you delete a file, Windows removes the directory entry and marks the corresponding MFT record as deleted. The actual data blocks aren’t immediately erased, so the content can sometimes be recovered until those blocks are overwritten. The Recycle Bin is a user-facing feature, not the underlying deletion flag, and simply removing a pointer to data wouldn’t reflect the actual NTFS deletion state. Therefore, the deletion is indicated by the MFT entry being marked as deleted.

In NTFS, the file’s metadata lives in the Master File Table (MFT). When you delete a file, Windows removes the directory entry and marks the corresponding MFT record as deleted. The actual data blocks aren’t immediately erased, so the content can sometimes be recovered until those blocks are overwritten. The Recycle Bin is a user-facing feature, not the underlying deletion flag, and simply removing a pointer to data wouldn’t reflect the actual NTFS deletion state. Therefore, the deletion is indicated by the MFT entry being marked as deleted.

More Multiple Choice Questions
Subscribe

Get the latest from Examzify

You can unsubscribe at any time. Read our privacy policy