Searching Unallocated Space in EnCase  

Dndschultz
(@dndschultz)
New Member

I am very new to EnCase and am still a bit confused about searching unallocated space. I understand the concept that the clusters allocated to the file are released by the operating system and that some data may still be there. However, I do not understand why you need to conduct a separate search in unallocated space. If I conduct a keyword search on the entire physical drive, is it not already searching unallocated space? Or does this search only apply to the headers of graphic files and video files?

Posted : 14/04/2011 7:05 am
miket065
(@miket065)
Active Member

If I conduct a keyword search on the entire physical drive is it not already searching unallocated space?

Yes, a keyword search on the entire physical drive includes searching unallocated space.

Or does this search only apply to the headers of graphic files and video files?

That is "file carving" - attempting to recover files based on a file signature and footer.

Posted : 14/04/2011 8:08 am
mscotgrove
(@mscotgrove)
Senior Member

The reason for searching just unallocated space would be to find keywords in files that could have been deleted.

There is no structure to unallocated space, so you may find remains of files that have been deleted, or moved when defragmenting. It could also have data from a previous use of the disk. If keywords are only found in unallocated space, it may suggest that files have been removed.

You also need to be aware of slack space in both clusters and NTFS directories.

Posted : 14/04/2011 3:57 pm
mjantal
(@mjantal)
Junior Member

There are also good reasons for separate searches of allocated/unallocated. First, the parameters of an order might restrict you from searching unallocated space, although hopefully that is not the case. Next, you may do separate searches in the interest of efficiency. In this case, you may want to look at allocated files first, especially if the unallocated space is significantly large. I like to think of this approach as targeted forensics: get to the low-hanging fruit first. If you have good reason to believe the pertinent artifacts are deleted, you could also go directly to unallocated first. However, if you have the flexibility/time, you can always do one search of everything; it's just going to tie down some resources for a bit.

Posted : 14/04/2011 8:23 pm
mtbinva
(@mtbinva)
New Member

The extraction of data from unallocated should be done in slices. By that I mean if you're looking for Word docs, pictures and other data, I strongly recommend doing the carve for each of the file types separate from each other.

Also, make sure the client or the direction is clear as to what you are investigating. EnCase does a good job at carving data.

Posted : 15/04/2011 11:03 pm
ForensicRob
(@forensicrob)
Junior Member

When you do a text search in unallocated space, keep in mind that many file formats translate, compress or encrypt the data which prevents it from being detected in a text search. Unicode should also be used along with ASCII search strings.

If your simple text search doesn't turn up anything, I recommend carving the files and searching them with more intelligent tools that handle the pertinent file types.

Posted : 13/05/2011 7:56 pm
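An added example, not EnCase code and not posted by anyone in this thread, that ties together ForensicRob's point about ASCII vs. Unicode search strings and compressed data with the signature-based carving mentioned earlier: it runs a raw keyword search over a constructed "unallocated" buffer in both ASCII and UTF-16LE, then carves a compressed remnant by its header and searches the inflated content. The 512-byte cluster size, the sample text and the zlib stream are all assumptions made for the example.

```python
import re
import zlib

CLUSTER = 512  # assumed cluster size for the constructed image


def build_sample_image() -> bytes:
    """Constructed 3-cluster 'unallocated' region: an ASCII remnant, a UTF-16LE
    (Windows 'Unicode') remnant, and a zlib-compressed remnant of the same text."""
    text = b"Invoice 2011 wire transfer"
    c0 = b"\x00" * 40 + text                                   # plain ASCII, offset 40
    c1 = b"\xff" * 100 + text.lower().decode().encode("utf-16-le")  # offset 512+100
    c2 = zlib.compress(text * 4)                               # not visible to a text search
    return b"".join(c.ljust(CLUSTER, b"\x00") for c in (c0, c1, c2))


def search_raw(data: bytes, keyword: str):
    """Case-insensitive search for an ASCII keyword in both its ASCII and UTF-16LE
    byte forms. Returns (encoding, byte offset) pairs in offset order. No file-system
    structure is consulted, which is exactly what a search over unallocated clusters does."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        pat = re.compile(re.escape(keyword.encode(enc)), re.IGNORECASE)
        hits += [(enc, m.start()) for m in pat.finditer(data)]
    return sorted(hits, key=lambda h: h[1])


def search_zlib_streams(data: bytes, keyword: str):
    """Carve candidate zlib streams by their 0x78 0x9C header, inflate each one, and
    run search_raw over the plaintext. Returns (stream offset, hits inside plaintext).
    This is the 'carve, then search with a format-aware tool' step for compressed data."""
    found = []
    for m in re.finditer(b"\x78\x9c", data):
        try:
            plain = zlib.decompressobj().decompress(data[m.start():])
        except zlib.error:
            continue  # the two bytes matched by chance; not a valid stream
        inner = search_raw(plain, keyword)
        if inner:
            found.append((m.start(), inner))
    return found


if __name__ == "__main__":
    img = build_sample_image()
    print("raw hits:   ", search_raw(img, "invoice"))        # ASCII at 40, UTF-16LE at 612
    print("carved hits:", search_zlib_streams(img, "invoice"))  # stream at 1024, 4 hits inside
```

An ASCII-only search would report just the first hit; the UTF-16LE pattern finds the second, and the third copy only appears after carving and inflating the stream.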
honor_the_data
(@honor_the_data)
New Member

Update: it looks like EnCase 8.08 can get the job done, because I keyword searched the unallocated space and indexed the partition image, and I am finding logs from the time in question.

I was also able to identify the evil logins.

Posted : 21/03/2019 1:22 pm