Unallocated File Space Defined
When files are erased or deleted in DOS, Windows, Windows 95, Windows 98 and Windows NT, the content of the file is not actually erased. Unless DoD-certified file deletion software is used, such as NTI's M-Sweep or DiskScrub, the data from the 'erased' file remains behind in an area called unallocated storage space. The same is true of any file slack that was attached to the file before it was deleted. As a result, the data remains available for discovery through the use of data recovery and/or computer forensics software utilities.
Unallocated file space and file slack are both important sources of leads for the computer forensics investigator. The data storage area of a factory-fresh hard disk drive typically contains sectors filled with a repeating format pattern. In DOS and Windows-based computer systems, the format pattern for a floppy diskette usually consists of binary data in the form of hex F6 bytes. The same format pattern is sometimes used when hard disk drives are formatted, but the pattern can consist of essentially any repeated character, as determined by the factory test machine that made the last writes to the drive. The format pattern is overwritten as files and subdirectories are written to the data area.
Until the first file is written to the data storage area of a computer storage device, its clusters are marked unallocated by the operating system in the File Allocation Table (FAT). These unallocated clusters are padded with format pattern characters and are of no interest to the computer forensics specialist until data is written to them. As files are created by the computer user, clusters are allocated in the FAT to store the data. When the file is 'deleted' by the computer user, the clusters allocated to it are released by the operating system so that new files and data can be stored in them when needed. However, the data associated with the 'deleted' file remains behind. This storage area is referred to as unallocated storage space, and it is fragile from an evidence preservation standpoint, because any new write may overwrite part of it. Until the unallocated storage space is reassigned by the operating system, though, the data remains behind for easy discovery and extraction by the computer forensics specialist.
Unallocated file space potentially contains intact files, remnants of files and subdirectories, and temporary files which were transparently created and deleted by computer applications and by the operating system itself. All such files and data fragments can be sources of computer evidence and also of security leakage of sensitive data and information. The following examples show how data and information can end up in unallocated file space.
The computer user attempts to write a file to a floppy disk and an insufficient storage space message is displayed by the operating system before the file is completely written to the diskette. A review of the directory of the diskette shows no entry for the file that was partially written. What has happened is that DOS (or Windows) created a file and wrote as much data to the disk as there was available unallocated storage space. DOS (or Windows) then discovered that there was insufficient space to write the remainder of the file and it 'deleted' the newly created file but the data that was written to diskette remains behind.
The computer user prints the contents of a word processing file stored on a floppy disk. DOS (or Windows) writes a copy of the file to a temporary file on the hard disk while it gets the attention of the printer. Once the file has been printed, DOS (or Windows) 'deletes' the temporary file. The temporary file is now stored in unallocated storage space on the hard disk drive. This creates a potential security problem and the situation is beyond the knowledge of most computer users.
The computer user uses DOS (or Windows) to format the hard disk drive on an older computer prior to donating it to charity. Prior to the format, the hard disk drive contained thousands of files which related to past E-Mail messages, word processing and finance. The computer user is left with a false sense of security and is unaware that all of the data still exists and is now stored in unallocated storage space. All of the information previously stored on the computer hard disk drive remains on the computer hard disk drive until it is overwritten. It can easily be identified and extracted using computer forensic tools and processes.
The computer user repartitions his hard disk drive using FDISK or a program like Partition Magic and installs a new operating system. Prior to the process the computer hard disk drive contained thousands of files which related to business transactions and E-Mail communications. The computer user is unaware that much of the original data remains on the computer hard disk drive in unallocated storage space for identification and extraction by the computer forensics specialist.
One non-obvious source of ambient data occurs when a program is writing data to a drive and the computer system crashes or is turned off before the file can be closed. The data is still on the disk, but the directory entry was never updated.
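As an added example that is not part of the original article, the toy FAT-style model below walks through the mechanism described above: a file is written, 'deleted' by releasing its FAT chain, and a carving pass over the unallocated clusters recovers both the file bytes and the F6-padded slack; the same write routine also reproduces the insufficient-space case in which DOS releases a partially written file while its data stays on disk. The cluster size, cluster count and file contents are constructed values, and the FAT12-style entry markers are a simplification of the real layout.

```python
CLUSTER_SIZE = 16                  # bytes per cluster; constructed toy value
CLUSTER_COUNT = 8                  # data clusters on the toy disk; constructed
FORMAT_FILL = b"\xf6"              # DOS format pattern mentioned in the text
FREE, END_OF_CHAIN = 0x000, 0xFFF  # FAT12-style entry values (simplified)
FIRST_DATA_CLUSTER = 2             # FAT entries 0 and 1 are reserved

def new_disk():
    """Factory-fresh disk: every data cluster free and padded with the format pattern."""
    fat = [END_OF_CHAIN, END_OF_CHAIN] + [FREE] * CLUSTER_COUNT
    data = bytearray(FORMAT_FILL * (CLUSTER_SIZE * CLUSTER_COUNT))
    return fat, data, {}           # (FAT, data area, directory: name -> first cluster)

def _offset(cluster):
    return (cluster - FIRST_DATA_CLUSTER) * CLUSTER_SIZE
def write_file(disk, name, content):
    """Allocate clusters one at a time. If space runs out, release the chain (DOS
    'deletes' the partial file) but leave every byte already written in place."""
    fat, data, directory = disk
    chain = []
    for i in range(0, len(content), CLUSTER_SIZE):
        try:
            cluster = fat.index(FREE)
        except ValueError:
            for c in chain:
                fat[c] = FREE
            raise OSError("insufficient storage space")
        fat[cluster] = END_OF_CHAIN
        if chain:
            fat[chain[-1]] = cluster
        chunk = content[i:i + CLUSTER_SIZE]
        data[_offset(cluster):_offset(cluster) + len(chunk)] = chunk  # remainder is file slack
        chain.append(cluster)
    directory[name] = chain[0] if chain else END_OF_CHAIN

def delete_file(disk, name):
    """Drop the directory entry and free the FAT chain; the data area is never touched."""
    fat, _, directory = disk
    cluster = directory.pop(name)
    while cluster != END_OF_CHAIN:
        nxt = fat[cluster]
        fat[cluster] = FREE
        cluster = nxt

def carve_unallocated(disk):
    """What a forensic tool sees: free clusters whose bytes differ from the format pattern."""
    fat, data, _ = disk
    blank = FORMAT_FILL * CLUSTER_SIZE
    return {c: bytes(data[_offset(c):_offset(c) + CLUSTER_SIZE])
            for c in range(FIRST_DATA_CLUSTER, FIRST_DATA_CLUSTER + CLUSTER_COUNT)
            if fat[c] == FREE and data[_offset(c):_offset(c) + CLUSTER_SIZE] != blank}
```

Running `carve_unallocated` before the delete returns nothing, and after it returns the two released clusters, the second ending in a single F6 slack byte; the failed 200-byte write leaves all eight clusters full of data with no directory entry at all.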