Consider that you are investigating a machine running a Windows OS released prior to Windows Vista. You are trying to gather information about the deleted files by examining the master database file named INFO2 located at C:\Recycler\
Dd5.exe means this is the fifth file deleted from the D drive, and it is an executable file (.exe). In pre-Windows Vista systems, the Recycle Bin renamed deleted files using the format D<drive letter><sequential number>.<original extension>. 'D' signifies that the file was deleted, the next letter indicates the drive from which it originated, the number shows the deletion sequence, and the extension remains unchanged.
Assuming Windows XP, the right answer is A. Reference: https://abelcheung.github.io/rifiuti2/assets/Forensics_Recycle_Bin.pdf
The answer must be A for INFO2 (Dxy.ext, where D means delete, x the drive letter, y the file deleted, and the extension).
Prior to Windows Vista, a file in the Recycle Bin was stored in its physical location and renamed using the syntax: D<original drive letter of file><#>.<original extension>. “D” denotes that a file has been deleted. In earlier versions of Windows, the deleted files were renamed by the OS using the following format: D<original drive letter of file><#>.<original extension>. For example, in the case of a Dxy.ext file in the Recycled folder, “x” denotes the name of drive such as “C,” “D,” and others; “y” denotes the sequential number starting from one; and “ext” is the extension of the original file. So the answer should be A.
A is correct (same issue as question 411). There is a mistake in the CHFI V10 book. On page 429 the example is wrong. It is written that: "De7.doc is the eighth file". It is false, it is the 7th. However, the text on page 431 is correct. It is written that "Dxy.ext the "y" denotes the sequential number starting from one". I have reinstalled an XP machine to check and I confirm that the sequence starts at 1. So "Dd5" means the fifth file deleted.
Should be A
Agreed for @Adi_N, but the sequential number should be increased by "1" as per the CHFI V10 book. Also, as per the CHFI V10 book example: De7.doc: d drive, eighth file deleted, doc extension. Another reference: https://jeffpar.github.io/kbarchive/kb/136/Q136517/
Sorry for the typing error: e drive, not d.
Page 429 "De7.doc = (File is deleted from E: drive, it is the “eighth” file received by recycle bin, and is a “doc” file)"
Prior to Vista Drive starts with 0. The Sixth file D is the correct ans.
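The D<drive letter><#>.<extension> name discussed in this thread can be rebuilt from the INFO2 records themselves. The following is an added example, not code from any participant or from the CHFI material: it assumes the commonly documented Windows 2000/XP layout (16-byte header with the record size at offset 12, 800-byte records holding a 260-byte ANSI path, then index, drive number, FILETIME and size, then a 520-byte UTF-16 path), and `parse_info2`, `build_sample` and the sample record are constructed for illustration.

```python
import ntpath
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 16
RECORD_SIZE = 800  # 0x320: assumed Windows 2000/XP record size
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch


def parse_info2(blob):
    """Parse an INFO2 blob (assumed layout) into one dict per record."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("truncated INFO2 header")
    (record_size,) = struct.unpack_from("<I", blob, 12)
    if record_size != RECORD_SIZE:
        raise ValueError(f"unsupported record size: {record_size}")
    records = []
    for off in range(HEADER_SIZE, len(blob) - record_size + 1, record_size):
        rec = blob[off:off + record_size]
        # 260-byte ANSI path, then index, drive number, FILETIME, size.
        index, drive_no, filetime, size = struct.unpack_from("<IIQI", rec, 260)
        path = rec[280:800].decode("utf-16-le", "replace").split("\x00", 1)[0]
        letter = chr(ord("a") + drive_no) if drive_no < 26 else "?"
        records.append({
            "original_path": path,
            "index": index,
            "size": size,
            "deleted_utc": EPOCH_1601 + timedelta(microseconds=filetime // 10),
            # Name of the renamed file that sits beside INFO2 in the bin.
            "bin_name": f"D{letter}{index}{ntpath.splitext(path)[1]}",
        })
    return records


def build_sample():
    """Constructed one-record INFO2 blob; every value here is made up."""
    path = "D:\\tools\\setup.exe"
    when = datetime(2004, 3, 1, 12, 0, tzinfo=timezone.utc)
    filetime = int((when - EPOCH_1601).total_seconds()) * 10_000_000
    header = struct.pack("<IIII", 5, 0, 0, RECORD_SIZE)
    record = path.encode("ascii").ljust(260, b"\x00")
    record += struct.pack("<IIQI", 5, 3, filetime, 4096)  # index 5, drive 3
    record += path.encode("utf-16-le").ljust(520, b"\x00")
    return header + record


if __name__ == "__main__":
    for entry in parse_info2(build_sample()):
        print(entry["bin_name"], "<-", entry["original_path"], entry["deleted_utc"])
```

The drive number stored in the record is zero-based (0 is A:), while the number in the renamed file is the record's index field copied as-is.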