Which file system metadata marks a deleted file in Windows 7?

Unlock all questions

This demo includes only 20 questions. Upgrade to access hundreds of questions, flashcards, exam simulations, and disable ads.

Full question bankExam simulationsFlashcards
From $24.99Unlock all

Prepare for the Computer Hacking Forensic Investigator v11 exam. Study with flashcards and multiple choice questions. Each question includes hints and explanations. Get exam-ready efficiently!

Multiple Choice

Which file system metadata marks a deleted file in Windows 7?

Explanation:
In NTFS, the file’s metadata lives in the Master File Table (MFT). When you delete a file, Windows removes the directory entry and marks the corresponding MFT record as deleted. The actual data blocks aren’t immediately erased, so the content can sometimes be recovered until those blocks are overwritten. The Recycle Bin is a user-facing feature, not the underlying deletion flag, and simply removing a pointer to data wouldn’t reflect the actual NTFS deletion state. Therefore, the deletion is indicated by the MFT entry being marked as deleted.

In NTFS, the file’s metadata lives in the Master File Table (MFT). When you delete a file, Windows removes the directory entry and marks the corresponding MFT record as deleted. The actual data blocks aren’t immediately erased, so the content can sometimes be recovered until those blocks are overwritten. The Recycle Bin is a user-facing feature, not the underlying deletion flag, and simply removing a pointer to data wouldn’t reflect the actual NTFS deletion state. Therefore, the deletion is indicated by the MFT entry being marked as deleted.

More Multiple Choice Questions
Subscribe

Get the latest from Passetra

You can unsubscribe at any time. Read our privacy policy