312-49 Question #304: Real Exam Question with Answer & Explanation

The correct answer is B: The files have been marked for deletion. In FAT (File Allocation Table) file systems, when a file is deleted, the operating system replaces the first byte of the file's directory entry with the hex value 0xE5 (often referenced as E5h). This signals to the OS that the directory slot is available for reuse, but the actual

Submitted by valeria.br· Apr 18, 2026Disk Forensics

Question

While searching through a computer under investigation, you discover numerous files that appear to have had the first letter of the file name replaced by the hex code byte 5h. What does this indicate on the computer?

Options

AThe files have been marked as hidden
BThe files have been marked for deletion
CThe files are corrupt and cannot be recovered
DThe files have been marked as read-only

Explanation

In FAT (File Allocation Table) file systems, when a file is deleted, the operating system replaces the first byte of the file's directory entry with the hex value 0xE5 (often referenced as E5h). This signals to the OS that the directory slot is available for reuse, but the actual file data may still be recoverable on disk. Forensic tools can detect this marker and recover the files. This is a key concept in file system forensics â€” deleted files are not immediately wiped, just marked as available space.

Topics

#File system artifacts#File deletion#FAT file system#Data recovery

Community Discussion

No community discussion yet for this question.

Full 312-49 Practice Browse All 312-49 Questions