Forensics: Unused and Unallocated

What is the different between “unused” space and “unallocated” space on a hard drive?

Unused space is an area of the drive that is not formatted and therefore not available for use by the operating system. When a hard drive is first formatted it is 100% “unused”, however after formatting is is normally 99.8% available for use (unallocated) 0.1% in use (allocated) and  0.%1 unused (the area of the hard drive that was not formatted). Note: These numbers are for scale, and are not exacty at all.

As the hard drive is used up the ratio of unallocated/allocated (available for use/in use) changes, however the size of unused space does not change (unless the drive is re-partitioned).

As the operating system, and therefore the user, cannot access the unused section of the hard drive, data cannot be stored there (in normal use). Therefore it is unlikely, but not impossible to find data in this section. However the unused area should always be searched in a forensics investigation, for the following reasons:

  1. The computer may have been repartitioned and what was  important unallocated space, has now been preserved in the unused section.
  2. The computer may not have been used normally and data has/had been stored there
  3. Its normally a very small physical size in the “used” area, and therefore there is no disadvantage to searching it. If its not small, then it certainly needs to be searched.
Advertisements

One Response to “Forensics: Unused and Unallocated”

  1. LEBATO Says:

    Thanks, very good explanation.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: