On a FAT-based file system, what happens when a file is deleted?

Unlock all questions

This demo includes only 20 questions. Upgrade to access hundreds of questions, flashcards, exam simulations, and disable ads.

Full question bankExam simulationsFlashcards
From $24.99Unlock all

Prepare for the Computer Hacking Forensic Investigator v11 exam. Study with flashcards and multiple choice questions. Each question includes hints and explanations. Get exam-ready efficiently!

Multiple Choice

On a FAT-based file system, what happens when a file is deleted?

Explanation:
Deleting a file on a FAT file system is a metadata operation, not an immediate data wipe. When you delete, the system marks the directory entry as deleted and frees the clusters in the FAT, but the actual bytes that made up the file remain on disk until those sectors are overwritten by new data. Because the original data can still exist in those sectors, forensic tools can often recover the file by reconstructing the cluster chain and reassembling its contents. Only if the space is overwritten or a secure-delete process is used would recovery be unlikely. So, in standard FAT deletion, the data is typically recoverable, which is why the notion of it being erased and irrecoverable isn’t generally accurate.

Deleting a file on a FAT file system is a metadata operation, not an immediate data wipe. When you delete, the system marks the directory entry as deleted and frees the clusters in the FAT, but the actual bytes that made up the file remain on disk until those sectors are overwritten by new data. Because the original data can still exist in those sectors, forensic tools can often recover the file by reconstructing the cluster chain and reassembling its contents. Only if the space is overwritten or a secure-delete process is used would recovery be unlikely. So, in standard FAT deletion, the data is typically recoverable, which is why the notion of it being erased and irrecoverable isn’t generally accurate.

More Multiple Choice Questions
Subscribe

Get the latest from Passetra

You can unsubscribe at any time. Read our privacy policy