UNALLOCATED SPACE

"Unallocated space" is an important term found frequently within discussion of a digital forensic examination, and is thus worthy of explanation. When a new file is created, the computer's operating system finds available space on a hard drive (or other data storage medium), and dedicates that space to the storage of that file's data. That space thus becomes allocated to that file's data. If the file is deleted, the operating system removes the allocation and marks that hard drive space as available for re-use, transforming that area of the hard drive into unallocated space. The operating system does not, however, actually delete the file's data. In fact, it doesn't touch the data at all; it remains on the hard drive exactly as it is, until that space is actually re-used for new data. Depending on how congested the hard drive is and how the computer is used, this residual data can remain untouched in unallocated space for long periods of time, thus rendering it forensically valuable.

Consider this analogy: Assume that a certain library places a red "X" on the index cards of books that are no longer wanted. A library worker goes to the library's card catalog and locates the index card for WAR AND PEACE. She uses a red marker to draw a large "X" across the face of the card, then places that card in a separate drawer, accessible only to library employees, labeled "Available Shelf Space." She does not actually remove WAR AND PEACE from the shelf, however, until that particular shelf space is actually needed for another book. Until that time, the actual book and all its content remains in place on the shelf. It's not as easy to find since its index card has been removed from the card catalog, but WAR AND PEACE is still there. It can be found by a library user who is willing to walk the shelves and find it and, once found, it can still be pulled from the shelf and read. This simple analogy is illustrative of the way residual data can remain in a hard drive's unallocated space for long periods of time. It also demonstrates the critical importance of preserving critical hard drives via forensic imaging as soon as possible once it becomes known that the information may be relevant to a legal proceeding.