312-49 Question #280: Real Exam Question with Answer & Explanation

The correct answer is A: Recycle Bin. When Windows boots, it automatically writes data to several locations on the disk, including the Recycle Bin (updating its metadata and index files). This modifies the disk contents and can overwrite or corrupt forensic evidence, making the evidence inadmissible or unreliable in

Submitted by dimitri_ru· Apr 18, 2026Disk Forensics

Question

When examining a hard disk without a write-blocker, you should not start windows because Windows will write data to the:

Options

ARecycle Bin
BMSDOS.sys
CBIOS
DCase files

Explanation

When Windows boots, it automatically writes data to several locations on the disk, including the Recycle Bin (updating its metadata and index files). This modifies the disk contents and can overwrite or corrupt forensic evidence, making the evidence inadmissible or unreliable in court. A write-blocker is a hardware or software tool that prevents any writes to the evidence drive, preserving its original state. This is why forensic investigators always use write-blockers or work from forensic images rather than booting the original drive.

Topics

#Write Blocker#Evidence Integrity#Operating System Artifacts#Disk Acquisition

Community Discussion

No community discussion yet for this question.

Full 312-49 Practice Browse All 312-49 Questions