Unallocated Space

  • Unallocated Space

    This question mainly aims at making sure that we use the word "unallocated" in the same manner.

    Unallocated space on a partition contains sectors with data which is no longer maintained in the file system, like deleted files. In $MFT the entry would show that the file was deleted and the related sectors are unallocated. True or not?

    Which would mean that index search results found in the unallocated space belong to deleted files? True or not?

    And does the term "free space" in Raw Disk Search results refer to entries found in unallocated space? Or are Free Space and Unallocated Space different objects?

    Best regards
    Last edited by Forensik; Sep-11-2012, 12:04 PM.

  • #2
    It is a bit more complex than this. OSF supports more file systems than just NTFS, and in many cases the $MFT file won't exist. Also, there are other file system files involved when dealing with NTFS, like the $BITMAP file. Also, file allocation is normally done by the cluster and not the sector. Deleted files might or might not have an entry in the $MFT.

    I would word it more like this:
    Unallocated space within an NTFS partition are the clusters which are not allocated to any file in the file system. This can include clusters that have never been used and clusters containing deleted files.

    In the case of the Create Index function, a string extraction is done on each cluster in unallocated space. This differs slightly from the deleted file search function (which can also scan unallocated space). The deleted file search function doesn't do any string extraction but instead looks for whole files which can be recovered. Doing a string extraction isn't effective in cases where you are searching for non-textual data. For example, string extraction on a .ZIP file won't recover very much of interest.

    Of course a cluster is made up of disk sectors. (8 sectors per cluster in most cases, but it can vary).

    And yes, this is the same thing as free space in the raw disk viewer.

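The cluster-level view described in reply #2, as an added example that is not part of the original posts and not OSForensics code: it walks an NTFS-style allocation bitmap (one bit per cluster, least significant bit first, 1 = allocated), lists the unallocated cluster runs, and extracts printable ASCII strings from them. The volume, the bitmap and all function names are constructed for illustration, and the 8-sectors-per-cluster size is the common case mentioned above.

```python
import re

SECTORS_PER_CLUSTER = 8                      # common default; it can vary
CLUSTER_SIZE = 512 * SECTORS_PER_CLUSTER     # 4096 bytes

def unallocated_runs(bitmap: bytes, total_clusters: int):
    """Yield (first_cluster, length) for runs whose bitmap bit is 0."""
    start = None
    for lcn in range(total_clusters):
        allocated = (bitmap[lcn // 8] >> (lcn % 8)) & 1   # LSB-first bit order
        if not allocated and start is None:
            start = lcn
        elif allocated and start is not None:
            yield start, lcn - start
            start = None
    if start is not None:
        yield start, total_clusters - start

def strings_in_unallocated(volume: bytes, bitmap: bytes, min_len: int = 6):
    """Return (cluster, byte offset, text) for ASCII runs in unallocated space."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    hits = []
    for first, length in unallocated_runs(bitmap, len(volume) // CLUSTER_SIZE):
        begin = first * CLUSTER_SIZE
        # Scan each run as one buffer so strings crossing a cluster boundary survive
        chunk = volume[begin:begin + length * CLUSTER_SIZE]
        for m in pattern.finditer(chunk):
            off = begin + m.start()
            hits.append((off // CLUSTER_SIZE, off, m.group().decode("ascii")))
    return hits

def build_sample():
    """Constructed 16-cluster volume and matching bitmap (not real evidence)."""
    vol = bytearray(16 * CLUSTER_SIZE)
    vol[2 * CLUSTER_SIZE:2 * CLUSTER_SIZE + 17] = b"live file content"  # allocated
    vol[5 * CLUSTER_SIZE + 100:5 * CLUSTER_SIZE + 124] = b"deleted memo: call Alice"
    vol[10 * CLUSTER_SIZE - 4:10 * CLUSTER_SIZE + 6] = b"crossbound"    # spans 9 and 10
    allocated = {0, 1, 2, 3, 4, 6, 7, 8, 11, 14, 15}   # 12 and 13 were never used
    bitmap = bytearray(2)
    for lcn in allocated:
        bitmap[lcn // 8] |= 1 << (lcn % 8)
    return bytes(vol), bytes(bitmap)

if __name__ == "__main__":
    volume, bitmap = build_sample()
    print(list(unallocated_runs(bitmap, 16)))
    for hit in strings_in_unallocated(volume, bitmap):
        print(hit)
```

Clusters 12 and 13 are unallocated but return nothing because they were never written, and the string in allocated cluster 2 is skipped, which matches the distinction drawn in the reply.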


    • #3
      Thank you very much for this helpful information.

      Originally posted by David (PassMark)
      It is a bit more complex than this. OSF supports more file systems than just NTFS, and in many cases the $MFT file won't exist. Also, there are other file system files involved when dealing with NTFS, like the $BITMAP file. Also, file allocation is normally done by the cluster and not the sector. Deleted files might or might not have an entry in the $MFT.

      I would word it more like this:
      Unallocated space within an NTFS partition are the clusters which are not allocated to any file in the file system. This can include clusters that have never been used and clusters containing deleted files.

      In the case of the Create Index function, a string extraction is done on each cluster in unallocated space. This differs slightly from the deleted file search function (which can also scan unallocated space). The deleted file search function doesn't do any string extraction but instead looks for whole files which can be recovered. Doing a string extraction isn't effective in cases where you are searching for non-textual data. For example, string extraction on a .ZIP file won't recover very much of interest.

      Of course a cluster is made up of disk sectors. (8 sectors per cluster in most cases, but it can vary).

      And yes, this is the same thing as free space in the raw disk viewer.
