Exam 312-49v10 topic 1 question 549 discussion

A is correct (same issue as question 411) There is a mistake in the CHFI V10 book. In page 429 the example is wrong. Is is written that: "De7.doc is the eighth file". It is false it is the 7th. However the text in page 431 is correct. It is written that "Dxy.ext the "y" denotes the sequential number starting from one". I have resintalled an XP machine to check and I confirm that the sequence starts at 1. So "Dd5" means the fifth file deleted.

Prior to Vista Drive starts with 0. The Sixth file D is the correct ans.

Page 429 "De7.doc = (File is deleted from E: drive, it is the “eighth” file received by recycle bin, and is a “doc” file)"

Agreed for @Adi_N, but the sequential number should be increased by "1" as per CHFI V10 book Also As per CHFI V10 book example : De7.doc : d drive, eighth file deleted, doc extension Another reference : https://jeffpar.github.io/kbarchive/kb/136/Q136517/

Prior to Windows Vista, a file in the Recycle Bin was stored in its physical location and renamed using the syntax: D<original drive letter of file><#>.<original extension> “D” denotes that a file has been deleted. In earlier versions of Windows, the deleted files were renamed by the OS using the following format: D<original drive letter of file><#>.<original extension> For example, in the case of a Dxy.ext file in the Recycled folder, “x” denotes the name of drive such as “C,” “D,” and others; “y” denotes the sequential number starting from one; and “ext” is the extension of the original file. So the answer should be A

Should be A

answer must be A for INFO 2 (dxy.ext where D means delete, x the drive letter and y y the file delete and the extension)

Assuming WindowsXP the right answer is A - Reference https://abelcheung.github.io/rifiuti2/assets/Forensics_Recycle_Bin.pdf