Module 2-2 - Basic-Technical-For-Digital-Forensics

The document discusses different types of data that can be found on computer systems including active data, latent data, archival data, and legacy archival data. It also covers various file systems like FAT, NTFS, and HFS+ and concepts such as allocated and unallocated space, page files, and whole disk encryption.

Uploaded by

dungnthe172688

Data types

Active Data

• Data the operating system can "see" and use
• Files and folders that appear in Windows Explorer
• Reside in allocated space
• Can be acquired by copying files (a logical copy; copying can alter timestamps, so take a bitstream image when timestamps matter)
Latent Data

• Data that has been deleted or partially overwritten
• Invisible to OS
• Does not appear in Windows Explorer
• A bitstream or forensic image is required to acquire this data
Archival Data

• Also called Backups


• Commonly stored on
– External hard drives
– DVDs
– Magnetic tapes
– Cloud backup services like Iron Mountain or Symform
Legacy Archival Data

• Made with software or hardware that is no longer in production
• To acquire the data, you need to get old devices
– User groups
– eBay
• (Image: PDP-11 at Defcon 17)
Computer File Systems
File System

• Keeps track of used and free sectors


• Location of each file
• Filename
• Last modified date
• Permissions
FAT (File Allocation Table)

• Oldest and simplest file system
• FAT12 (for floppy disks)
• FAT16 (2 GB max. partition size)
– 4 GB on Windows NT/2000 with 64 KB clusters (link Ch 2p)
• FAT32 (common on USB drives and memory cards)
– Still supported by Windows XP and later, but NTFS is the default for system volumes, and Windows' own format tool would not create FAT32 volumes larger than 32 GB (third-party tools can)
– No permissions, no journaling, no encryption: whoever holds the drive reads everything on it
• FATX for the original Xbox
• exFAT: introduced with Windows CE 6.0, now the standard format for SDXC cards and large flash media; like FAT32 it has no journaling or permissions
NTFS (New Technology File System)

• Default file system for Windows NT-based systems: XP, Vista, 7 and later, and Windows Server
• Advantages
– Journaling ($LogFile lets the metadata recover to a consistent state after a crash)
– Encryption (EFS, per file or folder)
– Permissions (ACLs on every file and folder)
– Uses B-Trees for fast directory searches
• Forensic note: every file has a record in the Master File Table ($MFT); very small files are stored inside their MFT record (resident data) and never touch the cluster area at all
HFS+ (Hierarchical File System Plus, "Mac OS Extended")

• Used by Apple products from Mac OS 8.1 until APFS replaced it (macOS 10.13, iOS 10.3); older Macs and external drives still carry it
• Also uses B-Trees (catalog, extents and attributes files)
• Related versions
– HFS (the original)
– HFSX (case-sensitive variant of HFS+)
B-Tree

• A way of storing keys in sorted order so that a lookup visits only a few nodes, even in a directory with millions of entries
– Image From Wikipedia
Allocated and Unallocated Space
Space on a Hard Drive

• Allocated
– Active data
– In use
– Can be seen by OS
– Includes slack space (drive slack): the tail of a file's last cluster beyond the end of the file, which the OS never shows but a forensic image contains
• Unallocated
– No longer in use (clusters freed by deletion, or never used)
– Invisible to OS
– Still holds whatever was last written there
Space on a Hard Drive

• Host Protected Area (HPA) and Device Configuration Overlay (DCO)
– Hidden area at the end of a hard drive, set with ATA commands (HPA via SET MAX ADDRESS, DCO via DEVICE CONFIGURATION SET)
– The drive reports a smaller capacity, so the OS and many imaging tools never see it
– Difficult to detect from inside the OS; before imaging, compare the native size (READ NATIVE MAX ADDRESS, e.g. hdparm -N) with the reported size
– Used by vendors for recovery and diagnostic partitions, and usable by a suspect to hide data
– Accessed by the vendor's own firmware and utility routines, which can be reverse engineered
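The check an examiner actually runs before imaging is to compare the two capacities. The script below is an added example, not part of the slides: it parses the "max sectors = visible/native" line that hdparm -N prints on Linux and reports how much the HPA hides. The two output samples are constructed, not captured from real drives, and the 512-byte logical sector size is an assumption to confirm with hdparm -I. A DCO lowers the native figure itself, so on a drive that may carry one, also run hdparm --dco-identify.

```python
import re

SECTOR_BYTES = 512   # assumption: 512-byte logical sectors; confirm with hdparm -I

# Constructed samples of `hdparm -N /dev/sdX` output (not captured from real drives).
# The first number is the currently addressable capacity, the second the native one.
SAMPLE_HIDDEN = """/dev/sdb:
 max sectors   = 976773168/1953525168, HPA is enabled
"""
SAMPLE_CLEAN = """/dev/sda:
 max sectors   = 1953525168/1953525168, HPA is disabled
"""

MAX_SECTORS = re.compile(r"max sectors\s*=\s*(\d+)/(\d+),\s*HPA is (enabled|disabled)")


def parse_hpa(text):
    """Return the visible/native sector counts and the size of any hidden area.

    Raises ValueError if the text is not hdparm -N output, so a script cannot
    silently treat a missing check as 'no HPA'."""
    m = MAX_SECTORS.search(text)
    if m is None:
        raise ValueError("no 'max sectors' line found; is this hdparm -N output?")
    visible, native, state = int(m.group(1)), int(m.group(2)), m.group(3)
    hidden = native - visible
    return {
        "visible_sectors": visible,
        "native_sectors": native,
        "hidden_sectors": hidden,
        "hidden_bytes": hidden * SECTOR_BYTES,
        # trust the arithmetic, not only the flag text
        "hpa_present": hidden > 0 or state == "enabled",
    }


def imaging_warning(text):
    """One-line verdict for an acquisition checklist."""
    r = parse_hpa(text)
    if not r["hpa_present"]:
        return "no HPA: native and visible capacity match"
    gib = r["hidden_bytes"] / 2**30
    return (f"HPA hides {r['hidden_sectors']} sectors (~{gib:.1f} GiB) "
            f"after LBA {r['visible_sectors'] - 1}; image the native size")


if __name__ == "__main__":
    print(imaging_warning(SAMPLE_HIDDEN))
    print(imaging_warning(SAMPLE_CLEAN))
```

The parser treats any difference between the two numbers as an HPA even if the flag text says "disabled", because the arithmetic is the evidence; the flag is only hdparm's interpretation of it.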
Data Persistence

• Old data is left behind
– In unallocated clusters after a file is deleted
– In slack space at the end of clusters the new file does not fill
– Remains on a magnetic drive until overwritten
– Can be years
• Even an overwrite may not get it all
– If the new file doesn't use all the sectors of the cluster
• Caveat: on SSDs with TRIM the drive usually zeroes freed blocks on its own shortly after deletion, so recovery from unallocated space is far less reliable than on magnetic disks
Magnetic Drive Storage

• Sector = 512 bytes
– All data is read and written a sector at a time
– Newer "Advanced Format" drives use 4096-byte physical sectors but still present 512-byte logical sectors to the OS
• Cluster
– Varies, often 4096 bytes = 8 sectors (the NTFS default for volumes up to 16 TB)
– The file system allocates space a cluster at a time, so even a 1-byte file consumes a whole cluster
Example

• BIG file: 4000 bytes
– Written onto disk
– Nearly fills 8 sectors = 1 cluster
• Delete BIG file
– The cluster is marked free; its contents are not touched
• Save SMALL file on same cluster
– SMALL file: 1000 bytes
– Only uses 2 sectors (1024 bytes); the remaining 6 sectors still hold BIG's data (drive slack)
Drive Slack

Sector Before After
------ ------ ------
200 BIG SMALL
201 BIG SMALL
202 BIG BIG
203 BIG BIG
204 BIG BIG
205 BIG BIG
206 BIG BIG
207 BIG BIG
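The following is an added example, not part of the slide deck, that ties the file-system section and the BIG/SMALL table together in runnable form. It is a small in-memory model of a FAT16 volume using the real on-disk conventions (32-byte directory entries with the first cluster at offset 26 and the file size at offset 28; 0xE5 overwriting the first name byte on deletion; FAT chain entries cleared to 0 while the data clusters are left alone). The starting LBA of 200, the file names and the 8-sector cluster are constructed to match the slide's table. Writing BIG, deleting it and writing SMALL reproduces the sector-by-sector picture above, and the deleted directory entry still lets the first 4000 bytes of cluster 2 be read back, partly overwritten: exactly the "latent data" the earlier slide describes.

```python
import struct

SECTOR = 512
SECTORS_PER_CLUSTER = 8
CLUSTER = SECTOR * SECTORS_PER_CLUSTER      # 4096 bytes, as on the slide
DATA_START_LBA = 200                        # constructed: cluster 2 begins at sector 200
FREE, EOC = 0x0000, 0xFFFF                  # FAT16 entry values: free / end of chain
DELETED = 0xE5                              # first byte of a deleted directory entry
DIR_ENTRY = "<11sB14xHI"                    # 8.3 name, attr, 14 bytes of times/reserved,
                                            # first cluster (low word), file size


class TinyFat16:
    """Constructed in-memory model of a FAT16 volume: a FAT array, a root
    directory of 32-byte entries and a data region of whole clusters.
    Only what the slides need is modelled (no boot sector, no long names)."""

    def __init__(self, clusters=8):
        self.fat = [FREE] * (clusters + 2)  # entries 0 and 1 are reserved
        self.root = bytearray()             # short-name directory entries
        self.data = bytearray(CLUSTER * clusters)

    @staticmethod
    def _cluster_off(c):
        return (c - 2) * CLUSTER

    def sector(self, lba):
        """Raw bytes of one sector, the way a forensic image sees them."""
        off = (lba - DATA_START_LBA) * SECTOR
        return bytes(self.data[off:off + SECTOR])

    def write_file(self, name, payload):
        needed = -(-len(payload) // CLUSTER)            # ceil(len / CLUSTER)
        chain = [c for c in range(2, len(self.fat)) if self.fat[c] == FREE][:needed]
        if len(chain) < needed:
            raise OSError("disk full")
        for i, c in enumerate(chain):
            self.fat[c] = chain[i + 1] if i + 1 < len(chain) else EOC
            piece = payload[i * CLUSTER:(i + 1) * CLUSTER]
            # The OS writes whole sectors: the partial last sector is zero-padded
            # and the sectors after it in the cluster are not touched at all, so
            # whatever was in them before survives (drive slack).
            used = -(-len(piece) // SECTOR) * SECTOR
            off = self._cluster_off(c)
            self.data[off:off + used] = piece.ljust(used, b"\x00")
        self.root += struct.pack(DIR_ENTRY, name.encode("ascii"), 0x20, chain[0], len(payload))

    def _entries(self):
        for off in range(0, len(self.root), 32):
            yield off, struct.unpack(DIR_ENTRY, self.root[off:off + 32])

    def delete_file(self, name):
        for off, (n, _attr, first, _size) in self._entries():
            if n == name.encode("ascii"):
                self.root[off] = DELETED        # only the first name byte changes
                c = first
                while c != EOC:                 # release the chain; data is not wiped
                    nxt = self.fat[c]
                    self.fat[c] = FREE
                    c = nxt
                return
        raise FileNotFoundError(name)

    def recover_deleted(self):
        """What a forensic tool can still read from 0xE5 entries: start cluster
        and size survive, so an unfragmented file can simply be re-read."""
        found = []
        for _off, (n, _attr, first, size) in self._entries():
            if n[0] == DELETED:
                off = self._cluster_off(first)
                found.append(("?" + n[1:].decode("ascii"), bytes(self.data[off:off + size])))
        return found


def sector_owner(vol, lba):
    """Label a sector by its content, for the slide's before/after table."""
    first = vol.sector(lba)[0]
    return {ord("B"): "BIG", ord("S"): "SMALL", 0: "empty"}.get(first, "other")


def demo():
    vol = TinyFat16()
    vol.write_file("BIG     TXT", b"B" * 4000)   # nearly fills cluster 2 = sectors 200..207
    vol.delete_file("BIG     TXT")
    vol.write_file("SMALL   TXT", b"S" * 1000)   # reuses cluster 2 but touches 2 sectors
    owners = {lba: sector_owner(vol, lba) for lba in range(200, 208)}
    name, blob = vol.recover_deleted()[0]
    return owners, name, blob


if __name__ == "__main__":
    owners, name, blob = demo()
    for lba, who in owners.items():
        print(f"sector {lba}: {who}")
    print(f"deleted entry {name!r}: {blob.count(b'B')} bytes of BIG survive, "
          f"{blob.count(b'S')} overwritten by SMALL")
```

Two details carry the forensic lesson: the deleted entry loses only its first name character (hence the "?"), and the recovery reads contiguous clusters from the surviving start cluster, which is why unfragmented files come back cleanly while fragmented ones need the chain that deletion has just erased.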
Page File (Swap Space)

• Used for virtual memory (pagefile.sys in the root of the Windows system volume)
– Temporary storage when your computer runs out of available RAM
– Windows puts data here even when RAM is not full
– It also loads old data from swap back into RAM
– The file is locked while Windows runs, so examine it from a disk image or after shutdown
– I once found something years old in my RAM
Potential Page File Contents

• Passwords and keys that a program held in memory
• Fragments of images or documents
• Anything else from RAM
• BUT a page carries no timestamp or owner, so connecting a fragment to a specific user or event needs corroborating artifacts (logs, file system timestamps)
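What a first pass over a page file looks like in practice: a strings sweep in both ASCII and UTF-16LE (Windows keeps most user-facing text as wide strings) plus header/footer carving for JPEGs. This is an added example and not code from the slides; the byte buffer is constructed to contain a credential, a wide string, a JPEG-like fragment and a document path, and is not a real pagefile.sys. Note that every hit is reported by offset only, which is the slide's point: there is nothing else to attribute it by.

```python
import re

# Constructed sample of raw page-file bytes (not a real pagefile.sys): padding,
# an ASCII credential, a UTF-16LE string as Windows programs often keep them,
# and a small JPEG-like fragment between SOI (FF D8 FF) and EOI (FF D9) markers.
SAMPLE_PAGES = (
    b"\x00" * 40
    + b"password=hunter2\x00"
    + b"\x07\x00\x00\x00"
    + "Meeting notes".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(32)) + b"\xff\xd9"
    + b"\x00" * 8
    + b"C:\\Users\\alice\\Documents\\report.docx\x00"
)

JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"


def find_strings(data, min_len=8):
    """Printable ASCII and UTF-16LE runs, like `strings -a` and `strings -el`.
    Returns (offset, encoding, text): an offset is all a page file gives you,
    there is no timestamp or owner to attach."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return sorted(hits)


def carve_jpegs(data):
    """Header/footer carving: each SOI marker paired with the next EOI marker."""
    frags, pos = [], 0
    while (start := data.find(JPEG_SOI, pos)) != -1:
        end = data.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break                      # truncated fragment: header with no footer
        frags.append(data[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)
    return frags


def triage(data):
    """Keyword hits a first pass would flag, plus any carved pictures."""
    strings = find_strings(data)
    keywords = [s for s in strings if re.search(r"pass(word|wd)|secret|\.docx?$", s[2], re.I)]
    return {"strings": strings, "keyword_hits": keywords, "jpegs": carve_jpegs(data)}


if __name__ == "__main__":
    result = triage(SAMPLE_PAGES)
    for offset, enc, text in result["strings"]:
        print(f"{offset:6d} {enc:9s} {text}")
    print(f"{len(result['jpegs'])} JPEG fragment(s) carved")
```

Header/footer carving is deliberately naive: a fragment whose footer was paged out separately is dropped rather than guessed at, and a JPEG with an embedded thumbnail would be cut at the thumbnail's EOI. Real carvers (scalpel, photorec) parse the marker structure; the point here is only that the picture bytes survive in the page file with no metadata around them.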
Hiberfil.sys

• Contains a snapshot of physical RAM
– Written when a computer hibernates; on Windows 8 and later, a partial one (kernel and drivers only) is also written on shutdown when fast startup is enabled
– Stored compressed, so a plain string search misses most of it; decompress it first with a memory-forensics tool
Whole Disk Encryption

• Because of the Page file and the Hiberfil
– You can never be sure where your data is
• Whole Disk Encryption
– The practical way to cover everything at rest at once: files, page file, hiberfil, slack and unallocated space
– Microsoft BitLocker
– Apple FileVault
– TrueCrypt (open source; development ended in 2014, VeraCrypt is the maintained fork)
– Caveat: the key sits in RAM while the machine is unlocked, so a running or sleeping machine is where both an examiner and an attacker go for the data
Q&A

http://fpt.edu.vn 05/20/24 23
