Eccouncil 112-57 Exam - Topic 4 Question 2 Discussion

In FAT (File Allocation Table) file systems (FAT12/16/32), directory entries are fixed-size records that include an 8.3 filename field. When a file is deleted, FAT typically does not immediately erase the file's content; instead, it marks the directory entry as deleted by replacing the first character of the filename with the special marker byte 0xE5 (often written as E5h). This is a key forensic behavior because it means the file's metadata entry may still be present in the directory table, and the data clusters may remain recoverable until they are reused and overwritten. Examiners can often reconstruct the original filename's first character only through context or by correlating other artifacts, but the remainder of the directory entry (timestamps, size, starting cluster) can still assist recovery.

The other options do not match this mechanism. NTFS uses Master File Table records and marks deletions differently (file record flags and index changes), not by overwriting the first filename byte with E5h. EFS is an encryption feature layered on NTFS, not a distinct file system deletion marker. FHS is a UNIX/Linux directory layout standard, unrelated to Windows disk structures. Therefore, the correct answer is FAT (A).