Exam 312-49v10 topic 1 question 549 discussion

A is correct (same issue as question 411) There is a mistake in the CHFI V10 book. In page 429 the example is wrong. Is is written that: "De7.doc is the eighth file". It is false it is the 7th. However the text in page 431 is correct. It is written that "Dxy.ext the "y" denotes the sequential number starting from one". I have resintalled an XP machine to check and I confirm that the sequence starts at 1. So "Dd5" means the fifth file deleted.

The INFO2 file format and its indexing scheme are not comprehensively documented by Microsoft. Most of the details on how deleted files are named and tracked in the INFO2 file stem from reverse-engineering efforts and third-party forensic references rather than direct Microsoft publications. THE CHFI book is not wrong. There are different answers depending upon windows version, which is why the OS version is part of the question. In Windows 9x (Windows 95/98/Me) systems, the INFO2 file used zero-based indexing, meaning that a number like "5" actually represented the sixth file deleted (index starting at 0). When Microsoft introduced the Windows NT-based family (such as Windows 2000 and Windows XP), the indexing changed to one-based, making "5" represent the fifth file deleted. In other words: Windows 9x family (95/98/Me): "Dd5.exe" = 6th file deleted (zero-based indexing) Windows 2000/XP (NT-based): "Dd5.exe" = 5th file deleted (one-based indexing)

Prior to Vista Drive starts with 0. The Sixth file D is the correct ans.

Page 429 "De7.doc = (File is deleted from E: drive, it is the “eighth” file received by recycle bin, and is a “doc” file)"

Agreed for @Adi_N, but the sequential number should be increased by "1" as per CHFI V10 book Also As per CHFI V10 book example : De7.doc : d drive, eighth file deleted, doc extension Another reference : https://jeffpar.github.io/kbarchive/kb/136/Q136517/

Prior to Windows Vista, a file in the Recycle Bin was stored in its physical location and renamed using the syntax: D<original drive letter of file><#>.<original extension> “D” denotes that a file has been deleted. In earlier versions of Windows, the deleted files were renamed by the OS using the following format: D<original drive letter of file><#>.<original extension> For example, in the case of a Dxy.ext file in the Recycled folder, “x” denotes the name of drive such as “C,” “D,” and others; “y” denotes the sequential number starting from one; and “ext” is the extension of the original file. So the answer should be A

Should be A

answer must be A for INFO 2 (dxy.ext where D means delete, x the drive letter and y y the file delete and the extension)

Assuming WindowsXP the right answer is A - Reference https://abelcheung.github.io/rifiuti2/assets/Forensics_Recycle_Bin.pdf