In Windows, which component stores metadata about files and directories and can reflect deletions when files are removed?


Multiple Choice

In Windows, which component stores metadata about files and directories and can reflect deletions when files are removed?

Explanation:
In NTFS, the Master File Table is the central store for metadata about every file and directory. Each file or folder has a record in the MFT that holds important attributes, such as its name, size, timestamps, permissions, and where the actual data is located on disk. Because the MFT is the repository of this metadata, it is the primary place where Windows records state changes to the filesystem, including deletions. When a file is deleted, its MFT entry is marked as no longer in use and the directory reference to that file is removed; the entry itself may persist for a time until it is overwritten, and the system's change logs can record that deletion. This combination makes the MFT the best source for understanding what existed on the filesystem and when deletions occurred, which is why it is essential in forensic analysis.

The other components do not serve this role. The Page File holds virtual memory contents, not file metadata. The Registry stores configuration and system settings, not per-file metadata. The Indexing Service builds and maintains a search index, not the fundamental metadata about each file and its deletion events.

