Just what is unallocated space, and why is it important? Data and information are located in two areas on a computer’s hard drive: allocated and unallocated space. Allocated space typically contains all active system and user-generated data, including email messages, documents, photographs, log files, and database files, in an organized structure that allows for easy access and retrieval. Unallocated space is where deleted documents, file system information, and other electronic artifacts reside on the hard drive; this material can often be recovered and analyzed through a forensic investigation. Unlike data in allocated space, the electronic evidence in unallocated space may be overwritten (and thus lost completely) with new data as the computer continues to be used.
Many companies have policies and procedures in place to expeditiously repurpose, and in some instances wipe, the computer of a departing employee so that it can be given to a new employee. Whether the company subsequently learns that the departed key employee has gone to a competitor, or the employee left because of a poor performance review or for another reason, much of the electronic evidence that resides in “unallocated space” on the computer may have been destroyed by the repurposing.
In a typical digital forensic investigation, various types of information may need to be analyzed, such as emails, electronic documents, system logs, internet history, chat fragments and multimedia files. Unallocated space can potentially contain all of these types of files and evidence, either completely or partially as fragments, which can remain untouched for long periods of time, even years after the deletion or activity. This data and evidence cannot be viewed by an ordinary computer user, but can be recovered and examined with specialized forensic software and the expertise of a forensic examiner.
For example, nefariously deleted documents can be recovered using data carving tools, which reconstruct files by scanning the raw bytes of the disk and reassembling the fragments they find. Similarly, fragments of emails from a web-based personal email account of the departed employee to a competitor may exist in unallocated space, which would prove the theft of company trade secrets and establish the participation of the competitor in the theft. Unallocated space may also contain fragments or whole chains of instant messages, which could prove or disprove a claim of sexual harassment.
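The header/footer carving described above, as an added Python example that is not part of the original article: it scans a raw byte buffer for JPEG and PDF signatures, ignoring file system metadata, and hashes each recovered item. The sample image, the 10 MiB search cap and the function names are constructed for illustration.

```python
import hashlib

# Header/footer signatures for two common formats (well-known magic bytes).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_SIZE = 10 * 1024 * 1024  # assumed cap: give up if no footer within 10 MiB


def carve(image: bytes, signatures=SIGNATURES, max_size=MAX_SIZE):
    """Scan raw bytes for header/footer pairs, ignoring file system metadata.

    Returns dicts with type, offset, length, sha256 and a 'complete' flag.
    A header without a footer (e.g. the tail was overwritten) is reported as
    an incomplete fragment instead of being silently dropped.
    """
    hits = []
    for kind, (header, footer) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end != -1:
                data, complete = image[pos:end + len(footer)], True
                next_from = end + len(footer)
            else:
                data, complete = image[pos:pos + len(header)], False
                next_from = pos + len(header)
            hits.append({"type": kind, "offset": pos, "length": len(data),
                         "sha256": hashlib.sha256(data).hexdigest(),
                         "complete": complete})
            pos = image.find(header, next_from)
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_image() -> bytes:
    """Constructed stand-in for unallocated space: zero fill + deleted files."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-pixels" + b"\xff\xd9"
    pdf = b"%PDF-1.4\nconstructed trade-secret memo\n%%EOF"
    overwritten = b"\xff\xd8\xff\xe0" + b"partial"  # footer lost to new data
    return (b"\x00" * 512 + jpg + b"\x00" * 300 + pdf
            + b"\x00" * 200 + overwritten + b"\x00" * 64)


if __name__ == "__main__":
    for hit in carve(build_sample_image()):
        print(hit)
```

This sketch assumes each file is stored contiguously and stops at the first footer it finds; real carving tools also deal with fragmented files and with formats whose footer bytes can occur mid-file.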
In short, unallocated space may contain a wealth of critical evidence which can establish the essential facts in the case. Before repurposing a computer, preserve the evidence and examine it.