15.6 Review of Unallocated Space and File Slack
After completing the logical file structure review, we focused on analyzing the unallocated space and file slack. Unallocated space, also called free space, is defined as the unused portion of the hard drive; file slack is the unused space that is created between the end-of-file marker and the end of the hard drive cluster in which the file
Sometimes data is written to these spaces that may be of value to investigators. Using a software tool to facilitate the process is the easiest way to accomplish this portion of the analysis. We used EnCase for this segment of the review.
Our approach was twofold: (1) We extracted deleted files out of the unallocated space and subsequently reviewed them for appropriateness, and (2) we performed string searches through the unallocated space and file slack in an attempt to locate data related to the matter being investigated. Even with the assistance of software tools, this process can be very time-consuming and potentially lengthy. The extraction of deleted files can be voluminous.
In this case several thousand files from each hard drive needed to be reviewed. In addition, all of the identified files must be reviewed. We can't simply review until we find material that we're looking for, or material that helps our case, and stop. That would be an unfair and incomplete evaluation of the potential evidence. Therefore, to expedite the process of reviewing files extracted from unallocated space, we use a software utility called dtSearch.
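
The file slack definition and the string searches through unallocated space and file slack described above, as an added example (not from the original text, and not how EnCase or dtSearch work internally): it computes the slack range of a contiguous file and searches slack and a free cluster for a keyword in ASCII and UTF-16LE. The 4096-byte cluster size, the sample image, the keyword and all function names are assumptions constructed for illustration.

```python
import re

CLUSTER_SIZE = 4096  # assumed cluster size in bytes; real volumes vary

def slack_range(file_size, first_offset, cluster_size=CLUSTER_SIZE):
    """Return (start, end) offsets of the slack after a contiguous file."""
    clusters = -(-file_size // cluster_size)  # ceiling division
    return first_offset + file_size, first_offset + clusters * cluster_size

def search_region(image, start, end, keywords):
    """Find each keyword as ASCII and UTF-16LE text, ignoring letter case."""
    region = image[start:end]
    hits = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            pattern = re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)
            for m in pattern.finditer(region):
                hits.append((start + m.start(), enc, kw))  # absolute offset
    return sorted(hits)

def build_sample():
    """Constructed 3-cluster image: file with slack, free cluster, full file."""
    img = bytearray(3 * CLUSTER_SIZE)
    img[0:1000] = b"A" * 1000                    # live file, 1000 bytes long
    img[2000:2013] = b"Wire Transfer"            # old data left in its slack
    utf16 = "wire transfer".encode("utf-16-le")
    img[5000:5000 + len(utf16)] = utf16          # old data in free cluster 1
    # Live file that fills cluster 2 exactly, so it has no slack at all.
    img[2 * CLUSTER_SIZE:] = b"wire transfer".ljust(CLUSTER_SIZE, b"B")
    return bytes(img)

def run_example():
    img = build_sample()
    keywords = ["wire transfer"]                 # constructed search term
    slack = slack_range(1000, 0)
    full = slack_range(CLUSTER_SIZE, 2 * CLUSTER_SIZE)
    unalloc = (CLUSTER_SIZE, 2 * CLUSTER_SIZE)   # cluster 1 assumed marked free
    return {
        "slack": search_region(img, *slack, keywords),
        "full": search_region(img, *full, keywords),
        "unallocated": search_region(img, *unalloc, keywords),
    }

if __name__ == "__main__":
    for area, hits in run_example().items():
        print(area, hits)
```

The file that fills its cluster exactly yields an empty slack range, so the keyword inside its live content is not reported; that content belongs to the logical file review, not to this search.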