Searching Unallocated Space in EnCase
I am very new to EnCase and am still a bit confused about searching unallocated space. I understand the concept that the clusters allocated to the file are released by the operating system and that some data may still be there. However, I do not understand why you need to conduct a separate search in unallocated space. If I conduct a keyword search on the entire physical drive is it not already searching unallocated space? Or does this search only apply to the headers of graphic files and video files?
If I conduct a keyword search on the entire physical drive is it not already searching unallocated space?
Yes a keyword search on the entire physical drive includes searching unallocated space.
Or does this search only apply to the headers of graphic files and video files?
That is "file carving" - attempting to recover files based on a file signature and footer.
The reason for searching just unallocated space would be to find keywords in files that could have been deleted.
There is no structure to unallocated space, so you may find remains of files that have been deleted, or moved when defragmenting. It could also have data from a previous use of the disk. If keywords are only found in unallocated space, it may suggest that files have been removed.
You also need to be aware of slack space in both clusters and NTFS directories.
There are also good reasons for separate searches of allocated/unallocated. First, the parameters of an order might restrict you from searching unallocated space, although hopefully that is not the case. Next, you may do separate searches in the interest of efficiency. In this case, you may want to look at allocated files first, especially if the unallocated space is significantly large. I like to think of this approach as targeted forensics... get to the low-hanging fruit first. If you have good reason to believe the pertinent artifacts are deleted, you could also go directly to unallocated first. However, if you have the flexibility/time, you can always do one search of everything... it's just going to tie down some resources for a bit.
The extraction of data from unallocated should be done in slices. By that I mean if you're looking for Word docs, pictures and other data, I strongly recommend doing the carve for each of the file types separately from each other.
Also, make sure the client or the direction is clear as to what you are investigating. EnCase does a good job at carving data.
When you do a text search in unallocated space, keep in mind that many file formats translate, compress or encrypt the data which prevents it from being detected in a text search. Unicode should also be used along with ASCII search strings.
If your simple text search doesn't turn up anything, I recommend carving the files and searching them with more intelligent tools that handle the pertinent file types.
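As an added illustration, not code from this thread or from EnCase, the Python script below runs a keyword search over a constructed block of "unallocated space" in both ASCII and UTF-16LE (the Unicode point in the answer above), shows that a zlib-compressed copy of the same text is invisible to a plain text search, and carves by header/footer signature one file type at a time, the slicing approach recommended earlier in the thread. The sample image, the keywords and the blob bodies are all constructed for the example; the JPEG and PNG header/footer bytes are the real file signatures.

```python
import zlib

# Constructed sample of what a released cluster run might still hold.
# Nothing here comes from real evidence.
ASCII_DOC = b"meeting notes: transfer the funds Friday"          # plain ASCII text
UTF16_DOC = "payment approved".encode("utf-16-le")               # Windows-style Unicode text
JPEG_BLOB = b"\xff\xd8\xff\xe0" + b"JFIF-like-payload" + b"\xff\xd9"
PNG_BLOB = b"\x89PNG\r\n\x1a\n" + b"png-body" + b"IEND\xae\x42\x60\x82"
# A compressed container: its plaintext never appears byte-for-byte on disk.
COMPRESSED = zlib.compress(b"transfer details inside compressed stream " * 4)

SAMPLE_IMAGE = (
    b"\x00" * 16 + ASCII_DOC + b"\x00" * 8 + UTF16_DOC + b"\x00" * 8
    + JPEG_BLOB + b"\x00" * 8 + PNG_BLOB + b"\x00" * 8 + COMPRESSED + b"\x00" * 16
)

# Real file signatures (header, footer) used for carving, one type per slice.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}


def find_all(image: bytes, needle: bytes) -> list:
    """Return every byte offset at which needle occurs in image."""
    offsets, start = [], 0
    while True:
        idx = image.find(needle, start)
        if idx == -1:
            return offsets
        offsets.append(idx)
        start = idx + 1


def keyword_search(image: bytes, keyword: str) -> dict:
    """Search unallocated bytes for keyword as ASCII and as UTF-16LE.

    An ASCII-only search misses Unicode text because of the interleaved
    NUL bytes, so both encodings are always tried.
    """
    return {
        "ascii": find_all(image, keyword.encode("ascii")),
        "utf16le": find_all(image, keyword.encode("utf-16-le")),
    }


def carve(image: bytes, header: bytes, footer: bytes) -> list:
    """Carve non-overlapping blobs bounded by header..footer (inclusive)."""
    carved, pos = [], 0
    while True:
        h = image.find(header, pos)
        if h == -1:
            return carved
        f = image.find(footer, h + len(header))
        if f == -1:
            return carved  # header without footer: truncated remnant, skipped
        end = f + len(footer)
        carved.append(image[h:end])
        pos = end


def carve_by_type(image: bytes, signatures: dict) -> dict:
    """Run one carving pass per file type, as the thread recommends."""
    return {name: carve(image, hdr, ftr) for name, (hdr, ftr) in signatures.items()}


if __name__ == "__main__":
    for kw in ("transfer", "payment", "details"):
        print(kw, keyword_search(SAMPLE_IMAGE, kw))
    for name, blobs in carve_by_type(SAMPLE_IMAGE, SIGNATURES).items():
        print(name, [len(b) for b in blobs])
```

The "details" keyword exists only inside the compressed stream and produces no hits in either encoding, which is exactly why the answer suggests carving the containers out first and searching them with a tool that understands the format.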
Update: it looks like EnCase 8.08 can get the job done, because I keyword searched the unallocated space and indexed the partition image, and I am finding logs from the time in question.
I was also able to identify the evil logins.