Why is the unallocated space of a Windows system so important to a forensic investigator?

Slack space is the leftover storage that exists on a computer’s hard disk drive when a computer file does not need all the space it has been allocated by the operating system. The examination of slack space is an important aspect of computer forensics.

To understand why slack space matters in e-discovery, one must first understand how data is stored on a hard disk drive. A hard disk drive is a sealed unit containing a stack of spinning circular platters. Each platter surface is divided into fixed-size units called sectors; the traditional sector size is 512 bytes (newer "Advanced Format" drives use 4,096-byte physical sectors, though most still present 512-byte logical sectors to the operating system). The file system, not the drive, then hands space to files in clusters of one or more sectors, and a file always receives whole clusters. If a 400-byte text file is saved into a 512-byte sector, the last 112 bytes of that sector are not used by the file. When the drive is brand new that unused space, the slack space, is blank, but that changes as the computer gets used.

When a file is deleted, the operating system does not erase the file's contents; it only marks the clusters the file occupied as available for reallocation. Suppose a new file of only 200 bytes is later written into that same sector. Bytes 0 through 199 now hold the new file, bytes 200 through 399 still hold the tail of the old 400-byte file, and bytes 400 through 511 are the 112 bytes that were never written. The 312 bytes past the new file's logical end are its slack space, and 200 of them are leftover content from the earlier file. That leftover content, called latent data or ambient data, can give investigators clues about prior use of the computer as well as leads for further inquiry. One caveat for Windows examiners: NTFS pads the unused remainder of the last sector it writes with zeros (the so-called RAM slack), so residue in that partial sector is overwritten; the sectors of the cluster that the new file never reaches (drive slack) are left untouched, and that is where old data survives. In 2016, for example, the Federal Bureau of Investigation (FBI) revealed that it had reviewed millions of e-mail fragments found in the slack space of former Secretary of State Hillary Clinton's personal servers to determine whether the servers had improperly stored or transmitted classified information.

Technically, a file's slack space is the difference between its logical and physical size. The logical size is the number of bytes the file actually contains. The physical size is the number of bytes in the clusters allocated to it, which is always a whole multiple of the cluster size. The cluster size depends on the file system and the volume: NTFS, the default Windows file system, uses 4,096-byte clusters (eight 512-byte sectors) on most volumes, and an examiner should read the real value from the volume's boot sector or with fsutil fsinfo ntfsinfo rather than assume it. The example that follows uses a smaller cluster of four 512-byte sectors (2,048 bytes) for illustration.

Consider a file whose logical size is 1,280 bytes on such a volume. It is allocated one cluster of four 512-byte sectors, so its physical size is 2,048 bytes. The difference, 2,048 minus 1,280, is 768, which means the file's slack space is 768 bytes. (Very small files are an exception on NTFS: a file of a few hundred bytes can be stored entirely inside its Master File Table record, in which case it owns no cluster and has no slack of its own.)
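As an added worked example (not code from the original page), the following Python models the arithmetic above together with the reuse scenario from the earlier paragraph: it computes physical size and slack for a given cluster size, then writes a 1,280-byte file into a 2,048-byte cluster, "deletes" it, writes a 200-byte file over it and counts which bytes of the old file remain readable in the slack, with and without the NTFS-style zero-fill of the partial last sector. The 512-byte sector, the 2,048-byte cluster and both file contents are constructed assumptions; nothing here touches a real volume.

```python
import math

SECTOR = 512  # assumed logical sector size (the classic value)


def file_slack(logical_size: int, cluster_size: int) -> tuple[int, int]:
    """Return (physical_size, slack_bytes) for a file stored in whole clusters.

    A 0-byte file gets no cluster. NTFS also keeps very small files resident
    in the MFT record, which this simple model does not reproduce.
    """
    clusters = math.ceil(logical_size / cluster_size)
    physical = clusters * cluster_size
    return physical, physical - logical_size


def write_over(old: bytes, new: bytes, cluster_size: int,
               zero_fill_tail: bool = True) -> bytes:
    """Simulate one cluster on a brand-new disk: store `old`, delete it
    (metadata only, bytes untouched), then store `new` in the same cluster.

    zero_fill_tail=True mimics NTFS, which pads the last sector it writes
    with zeros (RAM slack is zeroed). Sectors that `new` never reaches keep
    whatever bytes were there before (drive slack).
    """
    if max(len(old), len(new)) > cluster_size:
        raise ValueError("both files must fit in one cluster for this model")
    cluster = bytearray(cluster_size)  # brand-new disk: all zeros
    cluster[:len(old)] = old           # first file written
    # "delete": the file system drops the allocation, the bytes stay put
    cluster[:len(new)] = new           # second file reuses the cluster
    if zero_fill_tail:
        tail_end = math.ceil(len(new) / SECTOR) * SECTOR
        cluster[len(new):tail_end] = bytes(tail_end - len(new))
    return bytes(cluster)


def slack_region(cluster: bytes, logical_size: int) -> bytes:
    """Everything in the cluster beyond the current file's logical end."""
    return cluster[logical_size:]


def surviving_old_bytes(cluster: bytes, old: bytes, new_size: int) -> int:
    """Count bytes of `old` still readable in the slack after the reuse.
    Callers should pass an `old` with no zero bytes so zero-filled regions
    are never mistaken for surviving content."""
    return sum(1 for i in range(new_size, len(old)) if cluster[i] == old[i])


if __name__ == "__main__":
    phys, slack = file_slack(1280, 2048)
    print(f"logical 1280, physical {phys}, slack {slack}")
    # constructed file contents: letters only, so no byte is 0x00
    old = (b"ABCDEFGHIJKLMNOPQRSTUVWXYZ" * 50)[:1280]
    new = b"N" * 200
    for zf in (False, True):
        c = write_over(old, new, 2048, zero_fill_tail=zf)
        print(f"zero_fill_tail={zf}: {surviving_old_bytes(c, old, len(new))} "
              f"old bytes survive inside {len(slack_region(c, len(new)))} bytes of slack")
```

Without the zero-fill the whole tail of the old file (bytes 200 through 1279) survives; with it, everything in the partial first sector is gone and only the bytes in sectors the new file never touched (512 through 1279) remain, which is exactly the drive slack an examiner can still carve on a Windows volume.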

This was last updated in July 2016

Continue Reading About slack space (file slack space)

  • What CISOs need to know about computer forensics
  • SSDs store data in a completely different way than their magnetic cousins, and, as a result, these drives don’t afford forensic examiners the same opportunities
  • Digital Forensics Processing and Procedures

For those interested in becoming a computer forensics investigator, learn about the career and what to expect, as well as why digital evidence is the most volatile evidence.

Plenty of career opportunities are available to those interested in cybersecurity, one being as a computer forensic investigator. A computer forensic investigator examines computers and digital devices involved in cybercrimes. Evidence uncovered can be used during court proceedings, and investigators are often called on to testify at criminal and civil court hearings.

Those interested in a career in computer forensics can read author and forensic investigator William Oettinger's Learn Computer Forensics: Your one-stop guide to searching, analyzing, acquiring, and securing digital evidence.

In this interview, Oettinger explains what new examiners should expect when starting out, what certifications he earned before becoming a computer forensic investigator and more.

Check out an excerpt from Chapter 2 of Oettinger's book, which breaks down what kind of computer workstation and response kit investigators should invest in to carry out a thorough examination of the digital evidence.

Editor's note: The following interview has been edited for clarity and conciseness.

What prompted you to write Learn Computer Forensics?


William Oettinger: A lot of books out there cover how to do certain bits and pieces of computer forensics investigations, but there isn't anything for the new examiner starting out. Plus, a lot of textbooks cover the theory side. But few cover the hands-on side, and no one else has covered the entire process.

I wanted to provide a point of reference for those at the beginning of their career, for example, to help them pick their equipment, along with other considerations around hardware and software.

What knowledge or experience should investigators have when starting out in computer forensics? Are there any relevant certifications?

Oettinger: They should be curious about conducting investigations and know to ask questions when doing so. From there, they need an understanding of computers and how they communicate.

Even before taking forensic classes, I took courses on Windows. From there, I earned my CompTIA Security+ and Network+ certifications. I also earned my MCSE [Microsoft Certified Solutions Expert, since retired] certification to make sure I understood how Windows works and how it stores data in order to look for artifacts pertinent to an investigation.

What should beginners know as they start their career in computer forensics?

Oettinger: It's easy to get overwhelmed during your first investigation, especially if it involves multiple devices. Make sure to identify the hash list and filter out everything that is known. The hardest part of our job is identifying the user of the devices. Don't go into an investigation assuming the user is anyone specific.

In the book, you wrote that digital evidence is the most volatile piece of evidence. Why is this important for those beginning an investigator career?

Oettinger: Digital evidence is easily destroyed, especially accidentally. Physical evidence is much easier to handle. For example, with fingerprints, you dust them and place tape on them, put that tape between Plexiglas, and it's ready to be analyzed. The same with blood. These physical items aren't easily destroyed. Some of it may get destroyed during the testing process, but you usually have enough left over to communicate with a third party about it.

The same isn't true of digital evidence. You have a container, which could be a hard drive with spinning platters, a solid-state drive or a USB device, and that's how the evidence is stored. People still don't understand how the file system works. They don't realize how fragile it is and that you can ruin evidence by plugging a USB drive into the PC and causing a static electrical discharge. One zap can ruin your chip and make the device unreadable. I've seen that happen a couple times to senior members of the department.

So much can go wrong so fast with digital evidence. You have to take special precautions to keep it safe, such as using a clean room. Also, be sure to work with a copy of the evidence rather than on the evidence itself. You don't want to accidentally alter digital evidence, which is very easy to do. For example, just connecting evidence to a Windows device makes it start writing information to the disk. Use a write blocker to prevent changing evidence just by connecting to it.

You have to understand the digital evidence and its limits and then be able to explain to a third party why it's important and how it got there, as well as what you did to protect the state of the digital evidence and ensure that you didn't make any changes.

What is the most difficult aspect of any computer forensic investigation?

Oettinger: The sheer amount of information you have to go through to find what is pertinent to your investigation. We're talking about hard drives in excess of 1 TB. People keep devices longer because capacity has increased, and that results in so much information. What makes things even more difficult is if a user has technical knowledge. I'm working a case right now where the subject hides contraband images in MP3 files. I have to go through and scan each and every MP3 file to see which ones have been altered. Another difficult aspect is if a device has multiple users. Finding out which person is responsible is that much tougher.

What are common tools or applications used during an investigation?

Oettinger: I use X-Ways primarily for desktop examinations. I also use Belkasoft Evidence Center X. I just started using Magnet Axiom for device investigations; I was a Magnet user 15 years ago when it had Internet Evidence Finder.

Are computer forensic investigators expected to testify in court?

Oettinger: It depends on who the investigator works for. I focus on the criminal side of things because civil tends to be messier. At a local, state and federal level, the subject often agrees to plead guilty to a certain set of charges and gets a sentence. Nine times out of 10, this is because digital evidence is so overwhelming that the government offers a reduced set of charges in exchange for the guilty plea to save time and money.

I also work military investigations. The military is much more liberal with what it will charge suspects with, so cases go to trial more often than they do in comparison to the state or federal systems.

Any advice for newer computer forensic investigators as they prepare to testify?

Oettinger: Be careful when you testify in court and talk to nontechnical people. It's easy for them to misconstrue facts, for example, involving unallocated space. Nine times out of 10, they're going to assume a file is in an unallocated space because the user did an action that caused it to be placed there. That's not always accurate. If investigators find a file in unallocated space, the only thing we can say is that it was on the device at one time -- especially if there are no other file system artifacts to provide more information. If you try to attribute that file to a specific user and don't have any further proof beyond the existence of the file, you can't say the user in question deleted it. You can't say anything beyond that the file is there in unallocated space. That is a conversation I have consistently with lawyers, judges and juries. I have to explain the concept that not everything has a user-initiated action.

This was last published in October 2022

Dig Deeper on Careers and certifications

  • Equipment to include in a computer forensic toolkit (By: Kyle Johnson)
  • How diplomatic immunity silenced the prosecutor who coordinated Sweden's EncroChat probe (By: Bill Goodwin)
  • How Forensic Architecture uses tech to protect human rights (By: Sebastian Klovig Skelton)
  • electronic discovery (e-discovery or ediscovery) (By: Alexander Gillis)

Why is unallocated space important to the forensic investigator?

Recall that, on storage media, the space that is currently available to store new data is called unallocated space. This area of a disk is important from an investigative standpoint because it often contains significant amounts of data from deleted files: the file system only drops its allocation when a file is deleted, and the bytes remain until the clusters are reused (or, on an SSD, until TRIM and garbage collection discard them, which can happen within minutes).

What is unallocated space and why is it important?

Unallocated space, also referred to as "free space," is the area on a hard drive where new files can be stored. Conversely, allocated space is the area on a hard drive where files already reside. Note that a file's slack space is part of its allocated clusters, not of unallocated space, so a search limited to unallocated space will not examine it.

What is the unallocated space of a hard drive, and what type of information found in it may be of forensic value?

Unallocated space is where the contents of deleted documents, discarded file system metadata and other electronic artifacts remain on the hard drive; much of this material can still be recovered and analyzed during a forensic examination.

Why would I search only unallocated space?

The reason for searching just unallocated space is to find keywords in files that may have been deleted. Unallocated space has no structure: there is no file name, size, owner or timestamp attached to what you find there, only the remains of files that were deleted or were moved elsewhere when the disk was defragmented. A keyword hit therefore proves that the bytes were once on the device and nothing more; attributing them to a user or to a deliberate action needs other file system artifacts.
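As an added example (not code from the original page), the following Python shows the kind of search described above on a constructed toy volume: eight clusters and an allocation bitmap, with the keyword present in a live file, in a deleted memo whose bytes straddle two free clusters, and in a fragment left behind by a move. The search is restricted to unallocated clusters, joins adjacent free clusters so the straddling hit is not missed, and reports each hit only as an offset, a cluster and some context bytes, because that is all unallocated space can tell you. The 512-byte cluster, the layout and every byte of content are assumptions made up for the demonstration; no real file system is parsed.

```python
import re

CLUSTER = 512      # assumed cluster size for the toy volume (NTFS defaults to 4096)
N_CLUSTERS = 8


def build_image() -> tuple[bytes, list[bool]]:
    """Construct a sample volume: raw bytes plus a cluster allocation bitmap
    (True = allocated). All contents are fictional and made up for this demo."""
    img = bytearray(CLUSTER * N_CLUSTERS)
    bitmap = [False] * N_CLUSTERS

    def put(offset: int, data: bytes) -> None:
        img[offset:offset + len(data)] = data

    # cluster 0: file-system metadata, allocated
    put(0, b"TOYFS\x00metadata")
    bitmap[0] = True
    # clusters 1-2: a live document that also contains the keyword
    put(1 * CLUSTER, b"Quarterly status. The CONFIDENTIAL merger folder is on \\\\share\\legal.\n")
    bitmap[1] = bitmap[2] = True
    # clusters 4-5: a deleted memo; the bitmap was cleared on delete, the bytes
    # were not erased, and the keyword straddles the boundary between 4 and 5
    put(5 * CLUSTER - 16, b"draft memo: CONFIDENTIAL bid is 4.2M, shred before audit\n")
    # cluster 7: a fragment left behind when the defragmenter moved a file
    put(7 * CLUSTER + 100, b"...appendix B (confidential) pricing table...")
    return bytes(img), bitmap


def unallocated_runs(bitmap: list[bool]) -> list[tuple[int, int]]:
    """Group free clusters into contiguous runs as (first_cluster, count)."""
    runs, i = [], 0
    while i < len(bitmap):
        if bitmap[i]:
            i += 1
            continue
        start = i
        while i < len(bitmap) and not bitmap[i]:
            i += 1
        runs.append((start, i - start))
    return runs


def search_unallocated(image: bytes, bitmap: list[bool], keyword: bytes,
                       context: int = 20) -> list[dict]:
    """Case-insensitive keyword search limited to unallocated clusters.

    Each run of free clusters is searched as one blob, so a hit that crosses
    a cluster boundary is still found. A hit is only an offset and some bytes:
    there is no file name, owner or timestamp to attach to it.
    """
    pat = re.compile(re.escape(keyword), re.IGNORECASE)
    hits = []
    for first, count in unallocated_runs(bitmap):
        base = first * CLUSTER
        blob = image[base:base + count * CLUSTER]
        for m in pat.finditer(blob):
            off = base + m.start()
            hits.append({
                "offset": off,
                "cluster": off // CLUSTER,
                "straddles": off // CLUSTER != (off + len(keyword) - 1) // CLUSTER,
                "context": blob[max(0, m.start() - context):m.end() + context],
            })
    return hits


def count_everywhere(image: bytes, keyword: bytes) -> int:
    """Same keyword over the whole image, allocated clusters included, for contrast."""
    return len(re.findall(re.escape(keyword), image, re.IGNORECASE))


if __name__ == "__main__":
    image, bitmap = build_image()
    print("free cluster runs:", unallocated_runs(bitmap))
    for h in search_unallocated(image, bitmap, b"confidential"):
        print(f"offset {h['offset']:5d} cluster {h['cluster']} "
              f"straddles={h['straddles']} context={h['context']!r}")
    print("hits across the whole image:", count_everywhere(image, b"confidential"))
```

The unallocated-only search returns two hits (the deleted memo and the leftover fragment) while the same keyword over the whole image returns three, the extra one being the live document; keeping the two searches separate is what lets an examiner say which hits came from files the file system no longer tracks.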