Saturday, March 22, 2014

Recovering Unallocated Space, Free Space, and Slack Space

This information came from the following website:

http://my.safaribooksonline.com/book/networking/forensic-analysis/9780072226966/data-analysis-techniques/ch11lev1sec7

After you perform a forensic duplication of media, and you have recovered as many files as you can, there is still data left on the evidence media that you will want to review. The remaining data is stored in slack space, unallocated space, and free space.

In order to understand slack space and unallocated space, we must first review what an allocation unit or cluster is. Operating systems arrange all data stored on a hard drive into segments called allocation units (also called clusters). For example, an operating system that uses 32K clusters reads and writes data from a hard drive 32K at a time. It cannot read less than 32K of data from a hard drive, and it cannot write less than 32K at a time to the hard drive. However, very few files have the exact amount of data to occupy an entire cluster or set of clusters. Therefore, when an operating system that writes 32K clusters to a hard drive is being asked to save a 20K Microsoft Word document, there is 12K of unused space called file slack. In our example, there may be remnants of previous files in this 12K of file slack.
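The arithmetic above (32K cluster, 20K file, 12K of file slack) is easy to check in code. The following Python example is added here and is not from the book or the original post; it computes the cluster layout and slack for a given file size, then carves the slack bytes out of a constructed two-cluster image in which an older file's contents survive behind a smaller new file. The cluster size, offsets and sample contents are all constructed for the demonstration, and the file's clusters are assumed to be contiguous.

```python
import math

CLUSTER_SIZE = 32 * 1024  # 32K clusters, matching the example in the text


def cluster_layout(file_size: int, cluster_size: int = CLUSTER_SIZE) -> dict:
    """Clusters a file occupies, bytes actually allocated, and the file slack
    (allocated bytes minus logical file size) left in its last cluster."""
    if file_size < 0 or cluster_size <= 0:
        raise ValueError("file_size must be >= 0 and cluster_size > 0")
    clusters = math.ceil(file_size / cluster_size)  # an empty file gets no cluster
    allocated = clusters * cluster_size
    return {"clusters": clusters, "allocated": allocated, "slack": allocated - file_size}


def extract_slack(image: bytes, first_cluster: int, file_size: int,
                  cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Carve the file-slack bytes of a file whose clusters start at first_cluster.
    Simplifying assumption: the file's clusters are contiguous; a real file system
    may scatter them, in which case only the last cluster of the chain matters."""
    layout = cluster_layout(file_size, cluster_size)
    start = first_cluster * cluster_size + file_size          # end of logical data
    end = first_cluster * cluster_size + layout["allocated"]  # end of last cluster
    if end > len(image):
        raise ValueError("file extends past the end of the image")
    return bytes(image[start:end])


def build_demo_image(cluster_size: int = CLUSTER_SIZE) -> bytearray:
    """Constructed two-cluster image: an old file once filled cluster 0 and was
    deleted (only its metadata went away); a 20K file was then written over the
    first 20K of that cluster. The remaining 12K still holds the old content."""
    image = bytearray(2 * cluster_size)
    old = (b"OLD-REPORT " * (cluster_size // 11 + 1))[:cluster_size]
    image[0:cluster_size] = old                 # old file occupied the whole cluster
    new_size = 20 * 1024
    image[0:new_size] = b"X" * new_size         # new 20K file reuses cluster 0
    return image


if __name__ == "__main__":
    img = build_demo_image()
    print(cluster_layout(20 * 1024))            # {'clusters': 1, 'allocated': 32768, 'slack': 12288}
    slack = extract_slack(img, 0, 20 * 1024)
    print(len(slack))                           # 12288
    print(b"OLD-REPORT" in slack)               # True
```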

Unallocated space is the area of the hard drive not currently allocated to a file. Fragments of deleted files are often strewn across unallocated space on a hard drive.

Free space is the portion of the hard drive media that is not within any currently active partitions.
