Computer Forensics Whitepaper - Hidden Computer Data Uncovered

Introduction
Almost everyone today has heard that deleting a file doesn’t necessarily mean the information is removed from the computer system. The intent of this paper is to provide a better understanding of how deleted information is revealed to the Computer Forensic Investigator. The target audience for this paper is anyone with a desire to have a deeper understanding of how a computer stores information.

Computer Disk Operations
There are three layers to consider: (1) the hardware layer, (2) the Operating System layer, and (3) the application layer. The primary focus of this paper will be on the first two layers. We will cover the third briefly.
1. The Hardware Layer
Computer disks come in various shapes, capacities (how much information it can store), and interfaces (how it communicates with the computer). You may have heard of terms like platter, track, cylinder, and sector used in reference to computer disks. These are all part of the hardware layer.
Most computer disks are comprised of one or more platters specially coated to allow information to be stored magnetically. The platters are stacked on a spindle and rotated at high speed from 4,200 to 15,000 revolutions per minute. Both surfaces of a platter can hold tens of billions of individual bits of information. Each platter has two read/write heads dedicated to it, one on top and one on the bottom.
The platter is broken into tracks (tightly-packed concentric rings). As shown in Figure 1, these tracks are concentric, unlike the continuous spiral of a phonograph record. Each platter contains thousands of these tracks, with the number getting larger as technology improves.

Figure 1: Platter with Four Tracks
Most disks have multiple platters stacked on top of each other, and a cylinder consists of identically positioned tracks from each platter (see Figure 2). For example, each “Track 0”, from both sides of all platters, collectively comprises one cylinder.
Figure 2: A Cylinder
Back to tracks; a track holds entirely too much information to be suitable as the smallest unit of storage on a disk, so each track is further broken down into sectors (see Figure 3). A sector can hold 512 bytes of information. Today's computer disks can have thousands of sectors in a single track. Just like the track density on a platter, the sector density increases as technology improves.

Figure 3: A Sector
2. The Operating System Layer
The Operating System (OS), such as the various Microsoft Windows products, Linux, Unix, and MacOS, hides the application layer (Section 3, below) from the complexities of the hardware layer (Section 1, above). The OS creates “clusters”, “partitions”, and “file systems” on the disk.
Simply put, a partition is a way to break a physical computer disk (the actual hardware device) into one or more logical self-contained areas. Most computer disks will contain a partition that holds manufacturer supplied device drivers and default applications. A second partition is then created to hold the OS used to run the computer. In Microsoft Windows, this second partition would typically be known as the “C Drive” or “C:\”.
A computer’s file system is similar to a paper filing system. Printed records must be stored in a manner that allows for the creation, retrieval, addition, sorting, and organization of information. A file system creates and maintains structures allowing files to be created, moved, copied, deleted, located, truncated, and appended. There are many file systems available, such as FAT, FAT16, FAT32, NTFS, UFS, EXT2, EXT3, and more. All Operating Systems can support one or more file systems.
A cluster is a set of consecutive sectors. Depending on the OS and file system being utilized, the number of sectors in each cluster will vary. For example, most Microsoft Windows XP systems utilize the New Technology File System (NTFS) with eight sectors per cluster.
Because the size of each sector is 512 bytes, each cluster is 4,096 bytes, or 4K in size (8 sectors x 512 bytes each). A single cluster can typically store about 400 words, such as the first few paragraphs of a pleading. Important: One cluster is the minimum amount of space allocated to any given file, though most files created by the normal computer user will require the use of more than one cluster.
Allocated Space
Any cluster currently assigned to a file is considered allocated. Figure 4 below represents an excerpt of an allocated cluster. The first column indicates the byte position within the cluster, the center section contains the data in hexadecimal format, and the last column shows the textual representation of the hexadecimal code. While Figure 4 is a common way for computer forensic examiners to view clusters of a computer disk, all information is actually stored in binary format (1’s and 0’s).

Figure 4: An Allocated 4096 Byte Cluster with 45 Bytes of Data
Unallocated Space
Any cluster that is not currently assigned to a file is called unallocated. Figure 4 could represent an empty, unallocated cluster if the first three lines were all zeros. Important: Because a cluster can, and often does, contain data even when not currently assigned to a file, Figure 4 above could also represent unallocated space for a deleted file that still contains data.
File Slack
File slack focuses on the back end of a cluster. Files are normally written from the beginning to the end of the cluster until full, then another cluster is allocated until full, continuing until the entire file is written. However, most files do not entirely fill the last cluster allocated for their use, and the space from the end of the file to the end of the cluster is called file slack.
An example using a VCR can illustrate this. You put a new 2 hour tape into your VCR, and tape your favorite one hour legal drama. The remaining one hour of blank tape is analogous to file slack. After you’ve watched your one hour show, you rewind the tape and then tape a thirty minute sitcom. After watching the sitcom, you notice the last half of the first show is still there. In this case, the last 30 minutes of the legal drama and one hour of blank tape equate to file slack.
As you reuse tapes, most of them will eventually contain parts of previous recordings. The same is true of computer files. Tens of thousands of files on most computer disks don’t take up even a single cluster, and thus contain parts of previous files. Figure 5 below represents a small file saved on a computer disk.

Figure 5: The First Sector of a Cluster - File Deleted
Once the file is deleted, its clusters are available for reallocation to another file. In Figure 6, we see the new file doesn’t reach to the end of the cluster. See the original file’s data in Green. Important: Because of file slack, the potential exists for a very large amount of deleted information to be found.

Figure 6: New File Partially Overwrites Old File
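The following Python script is an added illustration and is not code from the whitepaper or from PROTEGGA LLC. It simulates one 4,096-byte cluster (eight 512-byte sectors, as described above), writes a constructed "legal drama" file into it, deletes that file, and then writes a shorter constructed "sitcom" file over the start of the same cluster. The slack after the new file still holds the tail of the deleted file, exactly as in the VCR analogy, and a hex/ASCII dump in the style of Figure 4 makes it visible. The cluster geometry, file contents and marker string are all assumptions chosen for the example.

```python
# Added example (not part of the original whitepaper): a simulated NTFS-style
# cluster showing allocated data, file slack and remnants of a deleted file.
# All file contents below are constructed sample data.

SECTOR_SIZE = 512                                  # bytes per sector (from the paper)
SECTORS_PER_CLUSTER = 8                            # typical Windows XP NTFS layout (from the paper)
CLUSTER_SIZE = SECTOR_SIZE * SECTORS_PER_CLUSTER   # 4096 bytes


def clusters_needed(file_size):
    """Whole clusters a file of file_size bytes occupies (always at least one)."""
    return max(1, -(-file_size // CLUSTER_SIZE))   # ceiling division


def slack_bytes(file_size):
    """Bytes between the end of the file and the end of its last cluster."""
    return clusters_needed(file_size) * CLUSTER_SIZE - file_size


class Cluster:
    """One cluster of raw disk bytes plus an allocated/unallocated flag.

    Writing a file only touches the file's own bytes; whatever was in the
    rest of the cluster (e.g. a deleted file) stays there until overwritten.
    """

    def __init__(self):
        self.data = bytearray(CLUSTER_SIZE)   # a never-used cluster is all zeros
        self.allocated = False
        self.file_size = 0

    def write_file(self, content):
        # Example is limited to files that fit in a single cluster.
        assert len(content) <= CLUSTER_SIZE
        self.data[:len(content)] = content
        self.allocated = True
        self.file_size = len(content)

    def delete_file(self):
        # Deletion releases the cluster; the bytes themselves are left in place.
        self.allocated = False
        self.file_size = 0

    def slack(self):
        """Everything after the current file's last byte up to the cluster end."""
        return bytes(self.data[self.file_size:])


def hexdump(data, width=16, limit=None):
    """Offset / hex / ASCII view in the style of the paper's Figure 4."""
    end = len(data) if limit is None else min(limit, len(data))
    lines = []
    for offset in range(0, end, width):
        chunk = data[offset:offset + width]
        hex_part = " ".join("%02x" % b for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%08x  %-*s %s" % (offset, width * 3, hex_part, text))
    return "\n".join(lines)


def find_in_slack(cluster, marker):
    """Offset of a keyword inside the slack, or -1 (a simple slack-space search)."""
    return cluster.slack().find(marker)


def demo():
    """Write a file, delete it, overwrite it with a smaller one, inspect the slack."""
    cluster = Cluster()
    old = b"LEGAL DRAMA: " + b"plaintiff alleges breach of contract. " * 20  # 773 bytes
    cluster.write_file(old)
    cluster.delete_file()                  # now unallocated, but data is intact
    new = b"SITCOM: short memo to file. "  # 28 bytes, overwrites only the start
    cluster.write_file(new)
    slack = cluster.slack()
    remnant_len = len(old) - len(new)      # deleted-file bytes still visible
    return {
        "new_file_size": cluster.file_size,
        "slack_size": len(slack),
        "old_tail_in_slack": slack[:remnant_len] == old[len(new):],
        "zeros_after_remnant": all(b == 0 for b in slack[remnant_len:]),
        "marker_offset": find_in_slack(cluster, b"plaintiff"),
        "dump": hexdump(cluster.data, limit=64),
    }


if __name__ == "__main__":
    result = demo()
    print(result["dump"])                  # first 64 bytes: new file, then old remnant
    print("slack bytes:", result["slack_size"],
          "old tail recoverable:", result["old_tail_in_slack"])
```

Running the script prints the first four lines of the cluster dump: the sitcom memo occupies the first 28 bytes, and from byte 28 onward the dump reads straight into the middle of the deleted legal-drama text, which an investigator searching unallocated space or slack for a keyword would find. The `clusters_needed` and `slack_bytes` helpers apply the same 8 × 512 arithmetic the paper gives for any file size, including the one-cluster minimum for an empty file.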
3. The Application Layer
As mentioned earlier, we will only cover this layer briefly because of the sheer number of applications available. One of the main purposes of an application is to add structure to the information stored on a file system. Applications enhance the capabilities of the file system by allowing for formatting, organization, insertions, and in-line modifications to the information being stored within the clusters.
With few exceptions, applications will, at some point, ask the Operating System for clusters to use for the storage of information. Because applications vary widely in how they utilize the available disk space, each application brings with it the potential for a different method of recovering its information. Additionally, many applications store additional, sometimes hidden, data which can add valuable evidence to any case.

Summary
We covered the fact that the cluster is the smallest unit of storage allocated to a file on a computer and that each cluster is comprised of multiple 512 byte sectors. We also mentioned that Microsoft Windows XP, the most popular desktop Operating System today, typically uses NTFS as a file system with eight sectors per cluster, providing us with 4096 bytes of storage for each cluster.
Here are some numbers to consider obtained from an average laptop computer:
21,195,751 Total Clusters
13,762,379 Unallocated Clusters (All with the potential for deleted data.)
109,382 Files Saved on Disk (All with the potential for file slack.)
45,000+ Files Smaller than a Single Cluster
While information can be recovered from the thousands of undeleted files within the computer disk, with numbers such as those listed above, file slack and unallocated space are among the most important sources of information in most computer forensic investigations. As computers continue to become more prominent in our everyday lives and as computer disks get larger and larger, there is an ever growing potential for finding valuable evidence to support your case.
Proper analysis of this overabundance of information requires more than just a basic understanding of computers and the simple ability to recover data. Make sure your Computer Forensic Expert is up to the challenge of recovering, correlating, and analyzing this plethora of information.
For more information about PROTEGGA LLC or this whitepaper, feel free to contact us:
AskThePman@protegga.com
214.227.9752