Unallocated Clusters

Posted: Mon Jun 16, 2008 3:58 am

Can I ask you all a few questions about Unallocated Clusters. I am self teaching (not the best way, I know) some of the basics using commercial forensic tools. Namely Encase and FTK. One area I am still unsure of is the Unallocated Clusters I find when imaging a physical drive. From what I have read Unallocated Clusters is a sensitive area for getting evidence (in that it's not a cert I am going to find anything, certain things won't be preserved in there etc).

So some things I want to focus on are how can you determine when the unallocated storage was reassigned by Windows or whatever Operating System, i.e. indicating that my potential evidence may be gone for good, and no longer retrievable? I assume Unallocated Clusters sometimes contain fully intact files or parts of files. But when I search this area in Encase, say for .jpg extensions in Unallocated, for any hits on .jpg, how can I extract this data out and view the original image (is this "Carving"?) Are there specific tools to do this or can EnCase do this?

I do plan on attending Encase or other Forensic training when I can afford to but I find self teaching and actually testing stuff can be equally as beneficial. Any cheap tools that aid in examining Unallocated Clusters would be useful also, or any manual examination of that area I am willing to test with any pointers you can offer. Can I extract out the whole of Unallocated Clusters just like I would a file for further interrogation with a different tool? Are there techniques to determine where any evidence found in Unallocated Clusters originally lived etc? It does look like a potential goldmine for an examiner but I need some advice on how to examine it properly.

paulo111
Member
 
 
  

Re: Unallocated Clusters

Posted: Mon Jun 16, 2008 6:02 am

The answer to your question is fairly complex. The details of what may be available in "unallocated space" (and definitions of "unallocated space" vary) are closely related to numerous issues. I'd start with the filesystem.

Understanding how things are stored, deleted and indexed will go a long way to helping you recover from "unallocated space". If you are going for file-system-independent methods, then in general you are talking about carving... where the content markers (headers and footers) are used to recover.

If you are looking at genuine recovery, with file metadata (names, directory entry info, inode info, MFT info), then you must know the file system and how it works. What happens when a file is deleted? How are names allocated? What algorithm does a file system use to allocate space (e.g. next available, etc.)?

The best way to start your self education is to read - I'd start with the File System foundation: File System Forensic Analysis by Brian Carrier (look on Amazon). When you are talking about recovering from unallocated space, then knowledge of the file system is a must.

The short answer to your question is that most tools (Encase, SMART, FTK, TSK, etc.) will have a way of recovering from unallocated...whether it's actually recovering files based on File System artifacts and info, or simple carving.

If you are just learning, then I would suggest that you concentrate on what's going on with the data rather than concentrating on what menu item on any specific software gets what you need. Foundations first...

My $.02

Barry  

bgrundy
Senior Member
 
 
  

Re: Unallocated Clusters

Posted: Mon Jun 16, 2008 6:08 am

Paulo,

I fear that you have misunderstood how Unallocated Clusters work.

Let's say you have a large number of files on your hard drive and that these files all take up contiguous space on that hard drive. The area not being used to store data is what EnCase refers to as "Unallocated Clusters" when all it really means is "Empty Space". In this event all of the empty space is after the files.

Now, let's say that you delete some files and that causes other portions of empty space. EnCase does not show each portion of empty space separately, it groups it all together and shows it as one big 'file' named "Unallocated Clusters". It can be deceptive but this is not a file, it's just a name that EnCase gives empty space on the hard drive.

The best way to illustrate this is to look in Disk view in EnCase. Here you can see that any grey area is empty space.

You can extract the "Unallocated Clusters" file from EnCase to examine it elsewhere but this is not recommended.

As for where the extracted data originally lived... it's not a simple yes or no answer; sometimes you could trace files back to their original location but the most likely scenario is that you will not.

EnCase has the capacity to analyse unallocated clusters and extract data therefrom by using file carving EnScripts but this depends on whether the files were fragmented across the drive before they were deleted, what type of files you are looking for, etc.  

DFICSI
Senior Member
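
An added illustration of the two points above (Barry's header/footer carving and DFICSI's "one big file made of free clusters, fragmentation permitting"); this is example code written for this thread, not code from any poster, EnCase or FTK. It constructs a tiny disk image inline with an assumed 64-byte cluster size and an assumed allocation bitmap, builds the "Unallocated Clusters" blob by concatenating the free clusters in disk order, and carves it for JPEGs using the SOI/EOI markers as header and footer.

```python
CLUSTER = 64  # assumption: tiny cluster size so the constructed disk stays readable
SOI, EOI = b"\xff\xd8\xff", b"\xff\xd9"  # JPEG start/end-of-image markers: the carver's header and footer

def make_jpeg(body: bytes) -> bytes:
    """Constructed JPEG-like file: SOI, one APP0 marker byte, body, EOI (enough for a marker-based carver)."""
    return SOI + b"\xe0" + body + EOI

def write_clusters(disk: bytearray, data: bytes, clusters: list) -> None:
    """Lay data across the given cluster numbers, the way a file system records a run in the MFT or an inode."""
    for n, c in enumerate(clusters):
        chunk = data[n * CLUSTER:(n + 1) * CLUSTER]
        disk[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk

def unallocated_clusters(disk: bytes, bitmap: list) -> bytes:
    """Concatenate every free cluster in disk order: the single 'Unallocated Clusters' entry EnCase shows."""
    return b"".join(disk[c * CLUSTER:(c + 1) * CLUSTER] for c, in_use in enumerate(bitmap) if not in_use)

def carve_jpegs(blob: bytes) -> list:
    """Header/footer carving with no file-system metadata: each SOI opens a candidate, the next EOI closes it."""
    found, pos = [], 0
    while (start := blob.find(SOI, pos)) != -1:
        end = blob.find(EOI, start + len(SOI))
        if end == -1:
            break  # header with no footer: partial file or overwritten tail, nothing to close
        found.append((start, blob[start:end + len(EOI)]))
        pos = end + len(EOI)
    return found

def demo() -> dict:
    disk = bytearray(8 * CLUSTER)
    bitmap = [True, False, False, True, False, False, False, False]  # True = cluster still allocated to a live file
    photo_a = make_jpeg(b"A" * 90)   # 96 bytes, deleted; had been stored contiguously in clusters 1-2
    photo_b = make_jpeg(b"B" * 120)  # 126 bytes, deleted; had been fragmented across clusters 4 and 6
    write_clusters(disk, b"LIVE" * 16, [0])
    write_clusters(disk, photo_a, [1, 2])
    write_clusters(disk, b"live" * 16, [3])
    write_clusters(disk, photo_b, [4, 6])
    write_clusters(disk, b"old notes from a deleted text file ".ljust(CLUSTER), [5])  # residue between B's fragments
    carved = carve_jpegs(unallocated_clusters(bytes(disk), bitmap))
    return {
        "count": len(carved),
        "a_intact": carved[0][1] == photo_a,  # contiguous file carves back byte-for-byte
        "b_intact": carved[1][1] == photo_b,  # fragmented file comes back with the text residue inside it
        "b_carved_len": len(carved[1][1]),    # 190: the 126-byte photo plus the 64-byte cluster 5 in the middle
    }

if __name__ == "__main__":
    print(demo())
```

The carver recovers the contiguous photo exactly, but the fragmented one is carved as one run that swallows the unrelated cluster between its fragments, so a viewer would show a corrupt image; that is the fragmentation caveat the posts raise, and the file system's own run list is the only thing that could reassemble it correctly.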
 
 
  

Re: Unallocated Clusters

Posted: Mon Jun 16, 2008 7:28 am

- DFICSI
Paulo,

I fear that you have misunderstood how Unallocated Clusters work.

Let's say you have a large number of files on your hard drive and that these files all take up contiguous space on that hard drive. The area not being used to store data is what EnCase refers to as "Unallocated Clusters" when all it really means is "Empty Space". In this event all of the empty space is after the files.

Now, let's say that you delete some files and that causes other portions of empty space. EnCase does not show each portion of empty space separately, it groups it all together and shows it as one big 'file' named "Unallocated Clusters". It can be deceptive but this is not a file, it's just a name that EnCase gives empty space on the hard drive.

The best way to illustrate this is to look in Disk view in EnCase. Here you can see that any grey area is empty space.

You can extract the "Unallocated Clusters" file from EnCase to examine it elsewhere but this is not recommended.

As for where the extracted data originally lived... it's not a simple yes or no answer; sometimes you could trace files back to their original location but the most likely scenario is that you will not.

EnCase has the capacity to analyse unallocated clusters and extract data therefrom by using file carving EnScripts but this depends on whether the files were fragmented across the drive before they were deleted, what type of files you are looking for, etc.


Do you happen to know the name of these scripts? I am running v6 of Encase but I believe the scripts from previous versions of Encase can still be utilised in v6.

paulo111
Member
 
 
  

Re: Unallocated Clusters

Posted: Mon Jun 16, 2008 7:34 am

If you look in your bottom-right window and click on EnScript and expand out the folder EnScript->Forensic and click on "Case Processor" this will bring up another window in which you need to click on "Information Finders" and then "File Finder". If you tick the box next to this and double-click File Finder you'll see a number of options which you can set up to search.

Hope this helps.
_________________
The views expressed by me do not reflect on my employer or the quality of work I produce
www.forensic4cast.com 

DFICSI
Senior Member
 
 
  

Re: Unallocated Clusters

Posted: Tue Jun 17, 2008 1:19 am

Thanks Both, excellent replies. Just had a go with the scripts...  

paulo111
Member
 
 
  

Re: Unallocated Clusters

Posted: Tue Jun 17, 2008 4:25 pm

- paulo111
Can I ask you all a few questions about Unallocated Clusters. I am self teaching (not the best way, I know) some of the basics using commercial forensic tools. Namely Encase and FTK. One area I am still unsure of is the Unallocated Clusters I find when imaging a physical drive. From what I have read Unallocated Clusters is a sensitive area for getting evidence (in that it's not a cert I am going to find anything, certain things won't be preserved in there etc).

So some things I want to focus on are how can you determine when the unallocated storage was reassigned by Windows or whatever Operating System, i.e. indicating that my potential evidence may be gone for good, and no longer retrievable? I assume Unallocated Clusters sometimes contain fully intact files or parts of files. But when I search this area in Encase, say for .jpg extensions in Unallocated, for any hits on .jpg, how can I extract this data out and view the original image (is this "Carving"?) Are there specific tools to do this or can EnCase do this?

I do plan on attending Encase or other Forensic training when I can afford to but I find self teaching and actually testing stuff can be equally as beneficial. Any cheap tools that aid in examining Unallocated Clusters would be useful also, or any manual examination of that area I am willing to test with any pointers you can offer. Can I extract out the whole of Unallocated Clusters just like I would a file for further interrogation with a different tool? Are there techniques to determine where any evidence found in Unallocated Clusters originally lived etc? It does look like a potential goldmine for an examiner but I need some advice on how to examine it properly.



Hi There

My advice here would be to learn about the file system(s) and how it handles data rather than trying to understand how EnCase deals with it. If you are going to spend money on training, I would start with something non product specific rather than learning 'point and click' forensics. I'm sure that many here will agree that whilst Encase, FTK and the rest are great tools in the right circumstances, unless you know what's going on underneath all sorts of things can go wrong.

Just my 2c worth as well

Cheers
MS
_________________
Mark Stevens
Principal Forensic Investigator
Microsoft Ltd
Network Security Investigations & Forensics 

mas66
Member