In today’s modern age, the computer has become the base of operations for nearly everyone, both innocent and guilty. A criminal often has incriminating files on their computer – whether they be text, audio or visual evidence of wrongdoing, or a confession, or what have you. They do not want this information to be seen by the police or other investigators in the event of questioning, as it would incriminate them and destroy any potential defense. As a result, they delete it the way they normally would on a Microsoft Windows computer – they drag and drop the file to a Recycle Bin, right click and hit ‘empty Recycle Bin.’ They see the icon change to an empty trash can, and that is that. Or is it?
A computer, specifically one running the Microsoft Windows operating system, stores data in a number of different ways. The first is the hard drive itself. It has the capacity to hold a great variety of data with the help of a file system (like NTFS or FAT32). A file system’s job is to organize and segment the data in a way that is more accessible to the user (folders, directories, etc.). RAM (Random Access Memory) can also be used to store data, but on a more temporary basis. This gives the computer added power to run more complex programs more quickly – the more RAM you have, the more wiggle room your computer has to run advanced applications.
In simple terms, a file is organized in a file system into segments called clusters or blocks. A file system is made up of free blocks that are available to be filled with data. In a perfect system, files are stored in contiguous blocks that follow one another, keeping the file together. For example, a 3000 kilobyte file could fit into three 1000 kilobyte blocks; three of these blocks would be filled with parts of this file and stored next to each other so the file can be accessed quickly when the user calls for it.
When you delete a file, the space that it originally filled still remains – all that has happened is that the file system marks the data in a different way and removes all references to it from the directory structure. As a result the computer merely marks it as unallocated space; this does not mean that the file is gone, as the physical disk still contains it. Slack space is defined as the space which remains between the final byte of one file and the point where a cluster begins for a new file. This also arises when a new file is written into clusters that previously held another file but does not quite fill its last cluster – the leftover room at the end of that cluster is called slack space. Slack space can be very helpful to computer forensics professionals; the remaining portion of the deleted file still sits in that slack space, and it can be recovered for later use (Olzak, 2007).
Another phenomenon to pay attention to is swap space; virtual memory expands RAM with the disk drive space, allowing for a greater level of memory than is included in the RAM sticks. Often the operating system will move data which is stored in this RAM to the disk, so the RAM can be freed up for more urgent operations. The space wherein this data is deposited is swap space; pagefile.sys is where you would find it on a Windows XP computer. Swap files are fantastic reservoirs of information, such as plain text data or encryption keys. Access the data with a disk maintenance program, and you can find a lot of data that has simply been ignored by the owner of the computer (Olzak, 2007).
Hibernation files are files that store information in order to prevent it from getting lost whenever a computer goes into sleep mode. This is the mode between going ‘away’ and completely shutting down the computer, where it is effectively not running, but able to get back up and running again without completely turning off the machine. In order to save some temporary data that is in RAM at the time of hibernation, it is stored in a hibernation file. By looking in a hibernation file, a great deal of information can be gleaned (Olzak, 2007).
Often, over time, data stored on a computer will become fragmented; when this happens, the data is stored in a manner that is far from efficient, making the computer spread the same information over a greater amount of space. This fragmented space means that less data can be stored than if there were no fragmentation. Three kinds of fragmentation exist: external, internal, and data fragmentation. While there are sometimes advantages to fragmentation (keeping a system simpler or faster), most recommend that computers be defragmented regularly to keep data stored in an organized manner on the hard drive.
With internal fragmentation, storage is allocated to certain bits of data, but it is not actually used. This wastes this space, as it is ‘internal’ to the allocated space for the data, but remains unused. This type of fragmentation is very tricky to get rid of; one often has to change the design of the data altogether. Often, there is little that can be done to deal with a file that has been fragmented in this manner, unless one is willing and able to completely change it. In this context, internal fragmentation is of tertiary importance to the data one desires to recover; in some cases, however, this fragmentation can lead to bleed-through onto unallocated space. This can corrupt a file to a small extent, leaving the rest of it as slack space, the file only partially remaining within the hard drive.
In the case of external fragmentation, over time the free storage still available on a hard drive gets split up into a series of tiny pieces. These pieces are too small to be allocated as a whole, so the space is eaten up and cannot be used to its fullest potential. Despite the free storage that is nominally available, it cannot be used once this fragmentation takes place. These smaller blocks can make it impossible to store a larger file where it should normally fit. File systems are especially prone to this phenomenon, since many differently sized files get created and deleted.
Data fragmentation, on the other hand, occurs when a piece of data is split up into a bunch of smaller pieces as time goes on. These pieces are then mixed into what is normally free bits of other data, scrambling them up. When this happens, the computer takes longer to access all of the file, since it has to do a lot more looking around to find the whole thing. This slows down computer performance dramatically, and makes for a very disorganized hard drive.
The data blocks can become scattered as files are added, moved, or deleted; the remaining blocks can get separated from each other, so that more time is needed to read the file in its entirety. The defragmentation tool on a normal computer is meant to reorganize the data blocks in the file system, set them next to each other again, and make the data easier to access. All of these different types of fragmentation help to bring about the phenomenon of slack space, which is a great way to recover data thought deleted on someone’s computer. With this in mind, data recovery can be quite simple, even when the target has deleted the file from his computer.
Unallocated space is not immediately erased; this leaves forensic data recovery specialists the chance to retrieve that data using unique equipment. All that it means to delete a file is to remove all links to it from the file system, at least until a new file is randomly assigned to that unallocated space. In that instance, it can be overwritten; however, until then, that data merely sits on the hard drive, inaccessible but for the equipment that computer forensics experts have. Even when another file is eventually placed over it, it hardly ever fits neatly over the exact same space, leaving slack space that can also be taken advantage of. While it is not the whole file, bits of data can be retrieved from it, making it an easy task to get deleted files from a target’s computer (CCF, 2011).
In order to retrieve this data, forensics personnel can examine the starting cluster and the size value recorded for the file. From an unallocated cluster, the examiner has a good starting point, moving to each cluster after it and verifying which ones are unallocated. It is fairly easy to follow the trail of unallocated clusters as one continues. Groups of unallocated clusters can be assumed to belong to the file that is being sought, and data recovery programs and hardware can then retrieve the information stored in that unallocated space. There can be issues with this process; if any of these clusters have been allocated to something else, the forensics personnel cannot retrieve the old data, as it has been overwritten. However, what remains in the slack space around it can still be recovered, as nothing has written over it yet. While that does not yield a lot of useful data, often there are bits and pieces that can be of some use (Carrier, 2004).
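The mechanics described above, as an added example that is not from the essay or from the cited sources: a toy cluster-addressed volume in which deleting a file only drops its directory entry and clears bitmap bits, a smaller file written over the first cluster leaves the old bytes as slack, and an examiner walks the bitmap to join runs of unallocated clusters (the approach Carrier describes for FAT). The cluster size, the `ToyDisk` class and the sample file contents are constructed for illustration.

```python
CLUSTER = 8  # bytes per cluster (toy value; real file systems use e.g. 4096)

class ToyDisk:
    def __init__(self, clusters):
        self.media = bytearray(CLUSTER * clusters)  # what is physically on the platter
        self.alloc = [False] * clusters             # allocation bitmap (FAT / $Bitmap analogue)
        self.dir = {}                               # directory: name -> (size, [cluster numbers])

    def write(self, name, data):
        need = -(-len(data) // CLUSTER)             # ceiling division: clusters required
        free = [c for c, used in enumerate(self.alloc) if not used][:need]
        if len(free) < need:
            raise OSError("volume full")
        for n, c in enumerate(free):                # free clusters need not be adjacent (fragmentation)
            chunk = data[n * CLUSTER:(n + 1) * CLUSTER]
            # Only len(chunk) bytes are written; the tail of the last cluster keeps
            # whatever was there before. That tail is the file slack.
            self.media[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            self.alloc[c] = True
        self.dir[name] = (len(data), free)

    def delete(self, name):
        _, clusters = self.dir.pop(name)            # remove the directory reference ...
        for c in clusters:
            self.alloc[c] = False                   # ... and flag the clusters free; bytes untouched

    def slack(self, name):
        size, clusters = self.dir[name]
        used_in_last = size - (len(clusters) - 1) * CLUSTER
        start = clusters[-1] * CLUSTER
        return bytes(self.media[start + used_in_last:start + CLUSTER])

    def unallocated_runs(self):
        # Walk the bitmap and join each run of consecutive unallocated clusters.
        runs, run = [], []
        for c, used in enumerate(self.alloc):
            if not used:
                run.append(self.media[c * CLUSTER:(c + 1) * CLUSTER])
            elif run:
                runs.append(b"".join(run)); run = []
        if run:
            runs.append(b"".join(run))
        return runs

OLD = b"memo: the old totals are 42!"  # constructed 28-byte file: 4 clusters, last one half full

def demo():
    disk = ToyDisk(4)
    disk.write("memo.txt", OLD)
    disk.delete("memo.txt")            # the "empty Recycle Bin" step
    disk.write("hi.txt", b"hi")        # new 2-byte file reuses cluster 0
    return {"slack_of_new_file": disk.slack("hi.txt"),  # bytes 2..7 of the old first cluster
            "unallocated": disk.unallocated_runs()}     # clusters 1-3 still hold the rest
```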
A number of things can be done in order to retrieve these files – undelete programs are used to recover and reattach files that reside in unallocated space, and decryption software has the ability to display whatever data remains of an overwritten file whose remnants remain in slack space. With these various methods of data retrieval, it is conceivable to completely recover files that have been deleted by someone wishing to hide that information. In the case of a criminal investigation, it can make sure that the suspect cannot hide from whatever they have done.
In conclusion, a target should never feel as though they can drag a file to the Recycle Bin, empty it, and think that the file is gone forever. With the help of unique retrieval equipment, it is no hard task to get that information back. Due to its semi-permanence in the hard drive, slack space and data located in unallocated space can be found, and the information retrieved from them. Sometimes it might not be a whole file, but often it can be enough to incriminate a target or prove their guilt or innocence in a criminal case. It is not enough to do a few mouse clicks to get rid of an incriminating file, particularly on a Windows system; all that does is sever the links to the file from the operating system. In addition to that, there are a number of other loopholes (swap space, hibernation data) that can store the information, inadvertently copying it where a suspect least expects. Luckily for forensic scientists, a Windows OS is not the only way to access a file, and they know exactly where to look to track down the ghosts of information that are often found in these recovered hard drives.
References
Carrier, B. (2004, May 15). TSK FAT File Recovery. The Sleuth Kit Informer. Retrieved July 25, 2011, from http://www.sleuthkit.org/informer/sleuthkit-informer-14.html
Olzak, T. (2007, May 21). Computer forensics: Finding "hidden" data. TechRepublic. Retrieved July 25, 2011, from http://www.techrepublic.com/blog/security/computer-forensics-finding-hidden-data/232
What is the difference between unallocated space and active or allocated space? (n.d.). computer-forensics.net. Retrieved July 25, 2011, from http://www.computer-forensics.net/what-is-the-different-between-unallocated-space-and-active-or-allocated-space?/