Exam 312-49v10
Question 190

While searching through a computer under investigation, you discover numerous files that appear to have had the first letter of the file name replaced by the hex code byte 5h. What does this indicate on the computer?

    Correct Answer: B

    The files have been marked for deletion. In the context of file systems, especially FAT (File Allocation Table) systems, when a file is deleted, the operating system replaces the first character of the file name with a specific marker (commonly the hex value 0xE5). This marks the file as deleted, but the data remains on the disk until it is overwritten. Therefore, discovering files with the first letter of the file name replaced by the hex code byte 5h indicates that these files have been flagged for deletion.
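To make the marker concrete, the following parser walks a FAT short-name directory region and classifies each 32-byte entry. It is an added example, not code from the exam, the site, or any tool the discussion mentions; the directory entries are constructed in-line as sample data. Besides the 0xE5 "deleted" marker, it handles the two related first-byte conventions from the FAT specification: 0x00 means the entry is free and no further entries follow, and a stored 0x05 is the escape for a file name whose real first byte is 0xE5 (a valid Kanji lead byte), which is why 0x05 and 0xE5 are easy to confuse in exam material.

```python
import struct

ENTRY_SIZE = 32
ATTR_LONG_NAME = 0x0F   # VFAT long-file-name piece, not a short entry


def make_entry(name8, ext3, attr=0x20, first_byte=None):
    """Build one constructed 32-byte FAT short directory entry (sample data only)."""
    raw_name = (name8.ljust(8) + ext3.ljust(3)).encode("ascii")
    if first_byte is not None:
        raw_name = bytes([first_byte]) + raw_name[1:]
    # Layout after the 11-byte name: attr, NTRes, crtTimeTenth, crtTime, crtDate,
    # lastAccDate, fstClusHI, wrtTime, wrtDate, fstClusLO, fileSize (all little-endian).
    return raw_name + struct.pack("<BBBHHHHHHHI", attr, 0, 0, 0, 0, 0, 0, 0, 0, 2, 1234)


def sample_directory():
    """Constructed directory region: live file, deleted file, 0x05-escaped name,
    an LFN piece, a free terminator, and an entry past the terminator."""
    return b"".join([
        make_entry("REPORT", "DOC"),
        make_entry("SECRET", "TXT", first_byte=0xE5),   # first char overwritten on delete
        make_entry("KANJI", "DAT", first_byte=0x05),    # on-disk 0x05 stands for 0xE5
        make_entry("XLONG", "", attr=ATTR_LONG_NAME),   # skipped: long-name fragment
        b"\x00" * ENTRY_SIZE,                           # free; nothing follows
        make_entry("AFTER", "BIN"),                     # must never be reported
    ])


def parse_directory(region):
    """Return a list of dicts describing the short entries, flagging deleted ones."""
    entries = []
    for off in range(0, len(region) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = region[off:off + ENTRY_SIZE]
        first = e[0]
        if first == 0x00:
            break                       # free entry: end of directory listing
        if e[11] == ATTR_LONG_NAME:
            continue                    # long-name pieces carry no short name
        name_bytes = bytearray(e[0:11])
        deleted = first == 0xE5
        if deleted:
            name_bytes[0] = ord("?")    # original first character is gone from this entry
        elif first == 0x05:
            name_bytes[0] = 0xE5        # undo the spec escape for a real 0xE5 lead byte
        name = name_bytes[:8].decode("latin-1").rstrip()
        ext = name_bytes[8:11].decode("latin-1").rstrip()
        cluster = struct.unpack_from("<H", e, 26)[0] | (struct.unpack_from("<H", e, 20)[0] << 16)
        entries.append({
            "name": f"{name}.{ext}" if ext else name,
            "deleted": deleted,
            "first_cluster": cluster,
            "size": struct.unpack_from("<I", e, 28)[0],
        })
    return entries


if __name__ == "__main__":
    for ent in parse_directory(sample_directory()):
        state = "DELETED" if ent["deleted"] else "live"
        print(f"{ent['name']:<14} {state:<8} cluster={ent['first_cluster']} size={ent['size']}")
```

The deleted entry still carries its starting cluster and size, which is exactly why the data is recoverable until those clusters are reused: only the first name byte was overwritten. The parser replaces that byte with "?" rather than guessing it, since the original character cannot be read back from the entry itself.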

Discussion
Manzer (Option: A)

The hex code byte 5h corresponds to the ASCII character "ENQ" which is a control character used in data communication protocols. When the first character of a file name is replaced by the hex code byte 5h, it indicates that the file has been marked as hidden in the file system. In the Windows operating system, files and folders can be marked as hidden to prevent them from being displayed in normal file browsing operations. Hidden files and folders are typically used to store system files or to protect sensitive data from unauthorized access. However, hidden files can still be accessed and manipulated by users with appropriate permissions or tools. Replacing the first character of a file name with a control character like "ENQ" can be used as a way of hiding files from casual inspection, although this is not a foolproof method of concealing files from forensic analysis.

aqeel1506 (Option: A)

The correct answer is A. The files have been marked as hidden. In Windows, files with a filename that starts with the hex code byte 5h (which corresponds to the character "E" in ASCII) are considered hidden files. This is a common technique used to hide files from the normal file listing, and is often used by malware or unauthorized users to conceal their activities. Here's a brief overview of the other options: B. The files have been marked for deletion: This would typically involve modifying the file's attributes or moving it to a recycle bin, rather than modifying the file name. C. The files are corrupt and cannot be recovered: There is no indication that the files are corrupt or cannot be recovered. D. The files have been marked as read-only: This would involve modifying the file's attributes, rather than modifying the file name.

ala76nl (Option: B)

The discovery of numerous files with the first letter of the file name replaced by the hex code byte 5h indicates that the files have been marked for deletion (Option B). In the context of file systems, especially FAT (File Allocation Table) systems, when a file is deleted, the operating system replaces the first character of the file name with a specific marker (commonly the hex value 0xE5). This marks the file as deleted, but the data remains on the disk until it is overwritten. The hex code byte 5h is often associated with similar behavior, indicating that these files have been flagged for deletion.

Elb (Option: B)

First symbol of the deleted file entry is marked with E5 symbol, so Disk Scanner can assume that this entry has been deleted.

Elb (Option: B)

B: https://www.ntfs.com/disk-scan.htm

viplust (Option: B)

From CHFI textbook v10 page 428: The OS replaces the first letter of a deleted file name with a hex byte code: E5h. E5h is a special tag that indicates that the file has been deleted.