Deleting Isn't Deleting

Today’s blog is about deleting files and file slack space, a rich source of evidence for the forensic examiner—and a favorite topic of mine.
Most people have heard the expression “formatting a disk.” A drive already comes divided into fixed-size pieces called sectors (traditionally 512 bytes, 4096 on newer drives), each with a numeric address. Formatting lays a file system over those sectors: it groups them into larger allocation units called clusters (or blocks) and sets up the bookkeeping the operating system will use. As an application needs disk space, the operating system assigns it enough clusters to hold its data. To keep track of “who’s got what,” the operating system keeps a directory that is much like a phonebook. When a user needs to access some data, the operating system goes to the directory and looks up the data’s location.
But what happens when you delete a file that was stored in one or more of these clusters? Again, the operating system goes to the directory and finds the file’s entry. However, rather than actually removing the data, all the operating system does is place a special mark on that entry indicating the clusters are no longer needed and can be reassigned to other applications that need space. Nothing is done to the file contents themselves. The file just remains on the drive until the operating system reassigns the space to some other file. It is much like a renter who is told by the landlord, “I’m going to put the house on the market, but you can stay until the new owner moves in.”
What happens when the operating system eventually reassigns the space? The first thing to know is that disk space is handed out in whole clusters at a time. That is, an application needing 2 ½ clusters is assigned a full 3 clusters. When the information is written to disk, the first 2 ½ clusters are overwritten, leaving the last ½ cluster unchanged. This unchanged space between the end of the file and the end of its last cluster is called slack space, or simply slack.
What is in the slack space? Remember, when a file is deleted the operating system only marked its clusters as available for reuse. If a new file fills only part of a cluster, the old data “stays” there until it, too, is eventually overwritten. In the example of the file needing 2 ½ clusters, the last ½ cluster contains whatever was stored there before the overwriting occurred. One caveat a practitioner should know: modern versions of Windows zero-fill the unused remainder of the last sector they write (often called RAM slack), so on those systems the residue that survives is what sits in the untouched whole sectors of the last cluster (file slack), not the tail of the last sector.
Slack space has the potential to contain any information that was ever written to the drive, including things the user only viewed rather than saved, because browsers and applications cache what they display to disk. Photos, documents, credit card numbers, internet browser histories, you name it. The data in the slack space may be whole files or simply fragments of files (most often a mix of the two), but a forensic examiner can view, retrieve and catalog the evidence found in slack space.
Slack space is a good example of the difference between a user doing a “copy-and-paste” and a forensic examiner making a valid forensic image. A copy goes through the file system, which hands over only the 2 ½ clusters of actual file content. A valid forensic image reads the raw device sector by sector, so it captures all 3 clusters, slack included, along with every cluster the directory currently marks as free.
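To make the mechanics concrete, here is an added Python example (not code from the original post) that simulates a tiny cluster-allocating disk. It writes a three-cluster file, “deletes” it by flipping the directory flag, writes a 2 ½-cluster file over the same space, and then compares what a normal file read returns with what a raw image of the whole disk contains. The disk geometry, the file names and the card-number-like records are all invented for illustration; the optional `zero_sector_tail` switch models the modern Windows behaviour described above, where the unused tail of the last written sector is zero-filled.

```python
"""Toy cluster-allocating disk, added here to show why deleting is not deleting.
Geometry, file names and sample records are all made up for illustration."""

SECTOR = 16                              # bytes per sector (tiny so dumps are readable)
SECTORS_PER_CLUSTER = 4                  # file systems allocate clusters, not sectors
CLUSTER = SECTOR * SECTORS_PER_CLUSTER   # 64-byte allocation unit
N_CLUSTERS = 8                           # a 512-byte "drive"


class ToyDisk:
    def __init__(self, zero_sector_tail=False):
        self.raw = bytearray(CLUSTER * N_CLUSTERS)  # the platter: every byte lives here
        self.directory = {}                         # the "phonebook": name -> entry
        # Modern Windows zero-fills the unused tail of the last *sector* it writes
        # (RAM slack); residue then survives only in untouched whole sectors.
        self.zero_sector_tail = zero_sector_tail

    def _free_clusters(self):
        used = set()
        for entry in self.directory.values():
            if not entry["deleted"]:
                used.update(entry["clusters"])
        return [c for c in range(N_CLUSTERS) if c not in used]

    def write(self, name, data):
        """Allocate whole clusters and copy data in. Bytes of the last cluster
        beyond the end of the data are left exactly as they were: that is slack."""
        need = -(-len(data) // CLUSTER)             # ceiling division: 2.5 -> 3
        free = self._free_clusters()
        if len(free) < need:
            raise OSError("disk full")
        clusters = free[:need]
        for i, c in enumerate(clusters):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            start = c * CLUSTER
            self.raw[start:start + len(chunk)] = chunk
            if self.zero_sector_tail and len(chunk) % SECTOR:
                tail_end = start + len(chunk) + (SECTOR - len(chunk) % SECTOR)
                self.raw[start + len(chunk):tail_end] = bytes(tail_end - start - len(chunk))
        self.directory[name] = {"clusters": clusters, "size": len(data), "deleted": False}

    def delete(self, name):
        """All the OS really does: flip a flag in the directory, touch no data."""
        self.directory[name]["deleted"] = True

    def read(self, name):
        """What a user-level copy sees: exactly `size` bytes, slack excluded."""
        entry = self.directory[name]
        data = b"".join(bytes(self.raw[c * CLUSTER:(c + 1) * CLUSTER])
                        for c in entry["clusters"])
        return data[:entry["size"]]

    def slack(self, name):
        """Bytes between end-of-file and the end of the file's last cluster."""
        entry = self.directory[name]
        if not entry["clusters"]:
            return b""
        last = entry["clusters"][-1]
        used_in_last = entry["size"] - (len(entry["clusters"]) - 1) * CLUSTER
        return bytes(self.raw[last * CLUSTER + used_in_last:(last + 1) * CLUSTER])

    def image(self):
        """What a forensic image captures: every byte of every cluster."""
        return bytes(self.raw)

    def carve(self, marker):
        """Offsets where `marker` appears anywhere in the image, allocated or not."""
        img, hits, pos = self.image(), [], 0
        while True:
            pos = img.find(marker, pos)
            if pos == -1:
                return hits
            hits.append(pos)
            pos += 1


def demo(zero_sector_tail=False, new_size=2 * CLUSTER + CLUSTER // 2):
    """Write a 3-cluster file of card-like records (constructed sample data),
    delete it, then overwrite it with a 2 1/2-cluster file as in the post."""
    disk = ToyDisk(zero_sector_tail)
    record = b"CARD:4111-1111-1111-1111;"
    old = (record * 8)[:3 * CLUSTER]                # exactly 3 clusters (192 bytes)
    disk.write("cards.txt", old)
    disk.delete("cards.txt")                        # directory mark only
    new = b"N" * new_size                           # 160 bytes = 2 1/2 clusters by default
    disk.write("notes.txt", new)
    return disk, old, new


if __name__ == "__main__":
    disk, old, new = demo()
    print("copy sees :", disk.read("notes.txt")[-16:])
    print("slack     :", disk.slack("notes.txt"))
    print("carved at :", disk.carve(b"CARD:"))
```

Running `demo()` and comparing `disk.read("notes.txt")` (no trace of the old file) with `disk.slack("notes.txt")` and `disk.carve(b"CARD:")` shows the old record fragment sitting just past the new file’s end-of-file, where a copy never looks but an image always does. Calling `demo(zero_sector_tail=True, new_size=150)` shows the modern Windows case: the ten bytes up to the next sector boundary come back as zeros, while the untouched whole sectors of the last cluster still hold the residue.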
The bottom line? 1. Don't assume that something is gone from your computer just because you can't see it. 2. The data in slack space can be the very piece of evidence you need in a case. (One modern exception worth knowing: solid-state drives with TRIM enabled may erase freed blocks on their own, so slack and unallocated space are far less dependable there than on a spinning disk.)