Jason discovered a file named $RIYG6VR.doc in the C:\$Recycle.Bin\ \ while analyzing a hard disk image for the deleted data. What inferences can he make from the file name?

A. It is a doc file deleted in seventh sequential order

B. RIYG6VR.doc is the name of the doc file deleted from the system

C. It is file deleted from R drive

EC-CouncilEC-Council

312-49 · Question #528

312-49 Question #528: Real Exam Question with Answer & Explanation

The correct answer is D: It is a deleted doc file. In Windows Vista and later, when a file is deleted it is moved to $Recycle.Bin and renamed using a two-file system. The $R prefix (e.g., $RIYG6VR.doc) stores the actual content of the deleted file with a randomly generated alphanumeric string and the original file extension prese

Submitted by tyler.j· Apr 18, 2026Disk Forensics

Question

Jason discovered a file named $RIYG6VR.doc in the C:\$Recycle.Bin\<USER SID>\ while analyzing a hard disk image for the deleted data. What inferences can he make from the file name?

Options

AIt is a doc file deleted in seventh sequential order
BRIYG6VR.doc is the name of the doc file deleted from the system
CIt is file deleted from R drive
DIt is a deleted doc file

Explanation

In Windows Vista and later, when a file is deleted it is moved to $Recycle.Bin and renamed using a two-file system. The $R prefix (e.g., $RIYG6VR.doc) stores the actual content of the deleted file with a randomly generated alphanumeric string and the original file extension preserved. A corresponding $I file (e.g., $IYIG6VR.doc) stores metadata such as the original file path, size, and deletion timestamp. The random string does not indicate drive letter, deletion order, or original filename â€” it is simply a unique identifier. Therefore, the only safe inference is that it is a deleted .doc file.

Topics

#Recycle Bin forensics#Deleted file recovery#Windows file system#Hard disk analysis

Community Discussion

No community discussion yet for this question.

Full 312-49 Practice Browse All 312-49 Questions