Which marker is placed in the first byte of a FAT directory entry to indicate that a file has been deleted?


Multiple Choice


Explanation:
In FAT directory entries, deletion is signaled by a marker value in the first byte of the entry. When a file is deleted, that first byte is overwritten with 0xE5, marking the entry as deleted while leaving the rest of the entry's data (the remaining filename bytes, attributes, timestamps, starting cluster and file size) intact for possible recovery. This is why forensic analysis can often recover the filename and other details even after deletion, unless those bytes have been overwritten. The alternative 0x00 indicates a free (unused) directory entry that has never been allocated, not a deleted one. The other values aren't standard deletion markers in FAT directory entries.

