Unallocated Clusters

12 Posts
9 Users
0 Likes
4,371 Views
(@paulo111)
Posts: 36
Eminent Member
Topic starter
 

Can I ask you all a few questions about Unallocated Clusters? I am self-teaching (not the best way, I know) some of the basics using commercial forensic tools, namely EnCase and FTK. One area I am still unsure of is the Unallocated Clusters I find when imaging a physical drive. From what I have read, Unallocated Clusters is a sensitive area for getting evidence (in that it's not certain I am going to find anything, certain things won't be preserved in there, etc.).

So some things I want to focus on are: how can you determine when the unallocated storage was reassigned by Windows or whatever operating system, i.e. indicating that my potential evidence may be gone for good and no longer retrievable? I assume Unallocated Clusters sometimes contain fully intact files or parts of files. But when I search this area in EnCase, say for .jpg extensions in Unallocated, for any hits on .jpg, how can I extract this data out and view the original image (is this "carving")? Are there specific tools to do this, or can EnCase do this?

I do plan on attending EnCase or other forensic training when I can afford to, but I find self-teaching and actually testing stuff can be equally as beneficial. Any cheap tools that aid in examining Unallocated Clusters would be useful also, or any manual examination of that area; I am willing to test with any pointers you can offer. Can I extract out the whole of Unallocated Clusters just like I would a file for further interrogation with a different tool? Are there techniques to determine where any evidence found in Unallocated Clusters originally lived, etc.? It does look like a potential goldmine for an examiner, but I need some advice on how to examine it properly.

 
Posted : 16/06/2008 2:58 pm
(@bgrundy)
Posts: 70
Trusted Member
 

The answer to your question is fairly complex. The details of what may be available in "unallocated space" (and definitions of "unallocated space" vary) are closely related to numerous issues. I'd start with the filesystem.

Understanding how things are stored, deleted and indexed will go a long way to helping you recover from "unallocated space". If you are going for file-system-independent methods, then in general you are talking about carving, where the content markers (headers and footers) are used to recover.

If you are looking for a genuine recovery, with file metadata (names, directory entry info, inode info, MFT info), then you must know the file system and how it works. What happens when a file is deleted? How are names allocated? What algorithm does a file system use to allocate space (e.g. next available, etc.)?

The best way to start your self education is to read - I'd start with the File System foundation File System Forensic Analysis by Brian Carrier (look on Amazon). When you are talking about recovering from unallocated space, then knowledge of the file system is a must.

The short answer to your question is that most tools (EnCase, SMART, FTK, TSK, etc.) will have a way of recovering from unallocated, whether it's actually recovering files based on file system artifacts and info, or simple carving.

If you are just learning, then I would suggest that you concentrate on what's going on with the data rather than concentrating on what menu item on any specific software gets what you need. Foundations first…

My $.02

Barry

 
Posted : 16/06/2008 5:02 pm
(@dficsi)
Posts: 283
Reputable Member
 

Paulo,

I fear that you have misunderstood how Unallocated Clusters work.

Let's say you have a large number of files on your hard drive and that these files all take up contiguous space on that hard drive. The area not being used to store data is what EnCase refers to as "Unallocated Clusters" when all it really means is "empty space". In this event all of the empty space is after the files.

Now, let's say that you delete some files and that causes other portions of empty space. EnCase does not show each portion of empty space separately; it groups it all together and shows it as one big 'file' named "Unallocated Clusters". It can be deceptive, but this is not a file, it's just a name that EnCase gives empty space on the hard drive.

The best way to illustrate this is to look in Disk view in EnCase. Here you can see that any grey area is empty space.

You can extract the "Unallocated Clusters" file from EnCase to examine it elsewhere, but this is not recommended.

As for where the extracted data originally lived… it's not a simple yes or no answer; sometimes you could trace files back to their original location, but the most likely scenario is that you will not.

EnCase has the capacity to analyse unallocated clusters and extract data therefrom by using file carving EnScripts but this depends on whether the files were fragmented across the drive before they were deleted, what type of files you are looking for, etc.

 
Posted : 16/06/2008 5:08 pm
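A minimal header/footer ("content marker") carver of the kind bgrundy describes, run over a constructed stand-in for an exported unallocated-space blob. This is an added example, not an EnCase EnScript or anything posted in the thread; the JPEG signatures are real, the sample bytes and the helper names are constructed. It also shows the caveat dficsi raises: the second JPEG, whose tail clusters were reallocated and overwritten, has no footer in range and is not recovered.

```python
import struct

# JPEG content markers: SOI followed by the next marker's 0xFF, and EOI.
JPEG_HEADER = b"\xff\xd8\xff"
JPEG_FOOTER = b"\xff\xd9"
MAX_JPEG = 8 * 1024 * 1024  # give up on a header if no footer within 8 MiB

def carve_jpegs(blob: bytes, max_size: int = MAX_JPEG):
    """Return (offset, data) for every header..footer run in the blob.
    Carving assumes contiguous storage: a JPEG whose tail clusters were
    reallocated has no footer in range and is skipped, while a fragmented
    one may carve as a hit that swallows foreign bytes (the thread's caveat).
    """
    hits, pos = [], 0
    while True:
        start = blob.find(JPEG_HEADER, pos)
        if start == -1:
            break
        end = blob.find(JPEG_FOOTER, start + len(JPEG_HEADER), start + max_size)
        if end == -1:
            pos = start + 1  # orphan header: move on
            continue
        end += len(JPEG_FOOTER)
        hits.append((start, blob[start:end]))
        pos = end  # resume after the carved file
    return hits

def is_plausible_jpeg(data: bytes) -> bool:
    """Cheap triage of a candidate: SOI must be followed by an APP0/APP1
    segment whose declared length fits inside the carved bytes."""
    if len(data) < 6 or data[3] not in (0xE0, 0xE1):
        return False
    seg_len = struct.unpack(">H", data[4:6])[0]
    return 2 <= seg_len <= len(data) - 4

def build_sample_blob() -> bytes:
    """Constructed stand-in for an exported unallocated-space blob: zero
    padding, one intact JPEG, then one whose tail was overwritten."""
    app0 = (b"\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00"
            + b"\x00\x01\x00\x01\x00\x00")
    intact = JPEG_HEADER + app0 + b"\x11" * 40 + JPEG_FOOTER
    overwritten = JPEG_HEADER + app0 + b"\x22" * 20  # footer is gone
    return b"\x00" * 64 + intact + b"\x00" * 32 + overwritten + b"\x00" * 512
```

Running carve_jpegs(build_sample_blob()) returns one hit at byte offset 64 of 62 bytes; the orphaned header at offset 158 is skipped, which is the "gone for good" case the original question asks about.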
(@paulo111)
Posts: 36
Eminent Member
Topic starter
 

Paulo,

I fear that you have misunderstood how Unallocated Clusters work.

Let's say you have a large number of files on your hard drive and that these files all take up contiguous space on that hard drive. The area not being used to store data is what EnCase refers to as "Unallocated Clusters" when all it really means is "empty space". In this event all of the empty space is after the files.

Now, let's say that you delete some files and that causes other portions of empty space. EnCase does not show each portion of empty space separately; it groups it all together and shows it as one big 'file' named "Unallocated Clusters". It can be deceptive, but this is not a file, it's just a name that EnCase gives empty space on the hard drive.

The best way to illustrate this is to look in Disk view in EnCase. Here you can see that any grey area is empty space.

You can extract the "Unallocated Clusters" file from EnCase to examine it elsewhere, but this is not recommended.

As for where the extracted data originally lived… it's not a simple yes or no answer; sometimes you could trace files back to their original location, but the most likely scenario is that you will not.

EnCase has the capacity to analyse unallocated clusters and extract data therefrom by using file carving EnScripts but this depends on whether the files were fragmented across the drive before they were deleted, what type of files you are looking for, etc.

Do you happen to know the name of these scripts? I am running v6 of EnCase, but I believe the scripts from previous versions of EnCase can still be utilised in v6.

 
Posted : 16/06/2008 6:28 pm
(@dficsi)
Posts: 283
Reputable Member
 

If you look in your bottom-right window and click on EnScript, expand out the folder EnScript->Forensic and click on "Case Processor". This will bring up another window in which you need to click on "Information Finders" and then "File Finder". If you tick the box next to this and double-click File Finder, you'll see a number of options which you can set up to search.

Hope this helps.

 
Posted : 16/06/2008 6:34 pm
(@paulo111)
Posts: 36
Eminent Member
Topic starter
 

Thanks Both, excellent replies. Just had a go with the scripts…

 
Posted : 17/06/2008 12:19 pm
(@mas66)
Posts: 21
Eminent Member
 

Can I ask you all a few questions about Unallocated Clusters? I am self-teaching (not the best way, I know) some of the basics using commercial forensic tools, namely EnCase and FTK. One area I am still unsure of is the Unallocated Clusters I find when imaging a physical drive. From what I have read, Unallocated Clusters is a sensitive area for getting evidence (in that it's not certain I am going to find anything, certain things won't be preserved in there, etc.).

So some things I want to focus on are: how can you determine when the unallocated storage was reassigned by Windows or whatever operating system, i.e. indicating that my potential evidence may be gone for good and no longer retrievable? I assume Unallocated Clusters sometimes contain fully intact files or parts of files. But when I search this area in EnCase, say for .jpg extensions in Unallocated, for any hits on .jpg, how can I extract this data out and view the original image (is this "carving")? Are there specific tools to do this, or can EnCase do this?

I do plan on attending EnCase or other forensic training when I can afford to, but I find self-teaching and actually testing stuff can be equally as beneficial. Any cheap tools that aid in examining Unallocated Clusters would be useful also, or any manual examination of that area; I am willing to test with any pointers you can offer. Can I extract out the whole of Unallocated Clusters just like I would a file for further interrogation with a different tool? Are there techniques to determine where any evidence found in Unallocated Clusters originally lived, etc.? It does look like a potential goldmine for an examiner, but I need some advice on how to examine it properly.

Hi There

My advice here would be to learn about the file system(s) and how they handle data rather than trying to understand how EnCase deals with it. If you are going to spend money on training, I would start with something non-product-specific rather than learning 'point and click' forensics. I'm sure that many here will agree that whilst EnCase, FTK and the rest are great tools in the right circumstances, unless you know what's going on underneath, all sorts of things can go wrong.

Just my 2c worth as well

Cheers
MS

 
Posted : 18/06/2008 3:25 am
(@rich2005)
Posts: 535
Honorable Member
 

Or even if you do, they'll probably still go wrong anyway :P

 
Posted : 18/06/2008 4:19 pm
(@tootypegs)
Posts: 80
Trusted Member
 

It might be a bit old school recommending books, but "forensics file system analysis" is brill. I found this book so helpful in understanding your file systems and so on. I know it might not exactly contain the sorts of information you are directly after, but I totally recommend it and I think it can only help! :)

 
Posted : 18/06/2008 5:44 pm
rjpear
(@rjpear)
Posts: 97
Trusted Member
 

Great book suggestion. I agree 100%!

 
Posted : 19/06/2008 1:04 am
Page 1 / 2