312-49 Question #235: Real Exam Question with Answer & Explanation
The correct answer is C: While booting, the machine may create temporary files that can delete evidence.
Question
In the context of the file deletion process, which of the following statements holds true?
Options
- A. When files are deleted, the data is overwritten and the cluster marked as available
- B. The longer a disk is in use, the less likely it is that deleted files will be overwritten
- C. While booting, the machine may create temporary files that can delete evidence
- D. Secure delete programs work by completely overwriting the file in one go
Explanation
When a file is deleted in most operating systems, only the reference (directory entry/MFT record) is removed and the clusters are marked as available; the actual data remains until it is overwritten. This means that the longer a disk is in use, the more likely (not less likely) it is that the data will be overwritten. Secure delete programs typically perform multiple overwrite passes, not just one. The true statement is option C: during the boot process, the OS may create or modify temporary files (e.g., swap files, logs), which can potentially overwrite disk areas that contain forensic evidence.