Digital Forensics: Four basic types of disk-based forensic data

Question 1

Allocated Space

Answer 1

The portions of the disk that are marked as actively containing
data.

Question 2

Unallocated Space

Answer 2

The portions of the disk that does not contain active

data.

Question 3

Unallocated Space

Answer 3

There are parts that have never been allocated and

previously allocated parts that have been marked unallocated.

Question 4

Unallocated Space

Answer 4

When a file is deleted, the parts of the disk that held
the deleted file are marked as unallocated and made available
for use. (This is also why deleting a file does nothing, the data is still there until overwritten).

Question 5

Slack Space

Answer 5

Data is stored in specific size chunks known as clusters (clusters = sectors or blocks).

Question 6

Slack Space

Answer 6

A cluster is a minimum size that can be allocated by a file system.

Question 7

Slack Space

Answer 7

If a particular file, or the final portion of a file, does not require the use of the entire cluster then some extra space will exist within the cluster.

Question 8

Slack Space

Answer 8

This leftover space is known as slack space: it may contain old data or can be used intentionally by attackers to hide information.

Question 9

Bad Blocks/Clusters/Sectors

Answer 9

Hard disks end up with sectors that cannot be read due to some physical defect.

Question 10

Bad Blocks/Clusters/Sectors

Answer 10

The sectors marked as bad will be ignored by the operating system since no data could be read in those defective portions.

Question 11

Bad Blocks/Clusters/Sectors

Answer 11

Attackers can mark sectors or clusters as being bad in order to hide data within this portion of the disk.