Unallocated Space

8 Posts
6 Users
0 Reactions
3,972 Views
(@hackupid)
New Member
Joined: 8 years ago
Posts: 2
Topic starter

I am working on a client report in a case that involves remnants of evidence located in unallocated and also in unused space. Can anyone kindly explain to me technically what the difference between the two is? I will need to articulate this clearly in the report. I am using EnCase.


(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

I think the terms can often mean the same, i.e. areas of the disk that are not part of the current file system.

There is also what is often called Slack space. This is the area between the end of the file and the end of the cluster. On NTFS disks, the cluster size is normally 4K bytes, so on average there may be 2K of slack space at the end of each file.

Slack space can also occur in NTFS directories that have a typical size of 0x400 bytes. The directory part of the entry may only be 25-50% of the 0x400 bytes, so this area can be used for small files. (There was a recent forum question discussing the size of the area). If this small file grows, the area then becomes slack space again, but may still have old data in it.

The only file system I am aware of without any slack space is Reiser; all other systems have some element of slack.


PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 19 years ago
Posts: 651
 

It's been a long time since I used EnCase in anger.

But isn't unallocated space the currently unallocated clusters, and unused space that space which is not part of a file system (space between partitions, deleted partitions, etc.)?

(@hommy0)
Trusted Member
Joined: 15 years ago
Posts: 98
 

Unallocated clusters are clusters inside the volume which are not currently in use/allocated.
Unused space is sectors not currently allocated to any partition.

(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

… remnants of evidence located in unallocated and also in unused space. Can anyone kindly explain to me technically what the difference between the two is?

Computer forensics is unfortunately not at a level where terminology has been fixed and is unchangeable. Nor is there necessarily consistency in how a particular software developer (Guidance in this case) uses terms: they may, and often do, vary. Nor is there any guarantee that the intention matches the fact: there are and will be bugs.

If no EnCase expert is found in this forum, take your problem to Guidance.

Next, and possibly also, create a test image, with complexity (in terms of partitions and volumes) similar to what you have, and simply add 'evidence' and delete it. Then, fire up a hex editor and plant additional 'evidence' in additional locations: unused file space, unused space in boot records, past the end of a volume but still inside a partition, etc.

Next, repeat the evidence finding process (perhaps a search for 'MYEVIDENCE<digit><digit><digit>'), and see where it is located.

That would give you a considerably better platform: after that kind of test you don't need to rely entirely on the word of someone who may be guessing or may be phrasing an answer poorly. Instead, you have your own test results that you (presumably) feel confident enough to rely on.

And from this suggestion you may be able to conclude that Computer Forensics doesn't even have a test image with pre-planted strings in order to test out the problem you have identified. (As far as I know, anyway…)

Keep notes. You may find that you want to repeat the test with additional test points or alternative complexity or whatever.

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Well, at least we tried (failing miserably, BTW) for "slack"; see here:
https://www.forensicfocus.com/Forums/viewtopic/t=9374/

The topic has been abandoned without general consensus having been established on the definitions/terminology (which would be handy to use also in your case of "unallocated" vs. "unused"):
https://www.forensicfocus.com/Forums/viewtopic/t=9374/postdays=0/postorder=asc/start=42/

But maybe it can still help to form your own "mental map" of the problem(s).

In my mental map unallocated is inside the filesystem, unused is outside it.
Please note how it is possible that something is outside the filesystem/volume but inside the partition.

jaclaz

(@hackupid)
New Member
Joined: 8 years ago
Posts: 2
Topic starter  

Thank you so much. Your insights have been very helpful.

(@hommy0)
Trusted Member
Joined: 15 years ago
Posts: 98
 

EnCase defines unallocated clusters as inside the volume and not currently allocated to a given entry.
The unused disk area is sectors that sit outside of any allocated partition.
EnCase also has volume slack: these are sectors that are part of the partition but cannot form a complete cluster, hence EnCase shows these inside the partition.

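The following is an added worked example, not code from the thread, from Guidance or from EnCase. It ties together three things the posts describe: the file slack and volume slack arithmetic (slack between end of file and end of a 4K cluster; sectors at the end of a partition that cannot form a complete cluster), the unallocated-versus-unused distinction (unallocated is inside the file system, unused is outside every partition), and the test-image approach of planting 'MYEVIDENCE<digit><digit><digit>' markers and checking where a search finds them. Everything here is an assumption made for illustration: 512-byte sectors, a toy cluster map standing in for a real file system, constructed partition offsets and file sizes, and the labels in classify(), which follow the definitions given in this thread rather than any tool's documentation.

```python
import re
from dataclasses import dataclass, field

SECTOR = 512  # assumption: 512-byte sectors


@dataclass
class Volume:
    """A partition holding a simple cluster-based file system (toy model, not real NTFS)."""
    name: str
    start_sector: int          # first sector of the partition on the disk
    sector_count: int          # partition length in sectors
    cluster_size: int = 4096   # the NTFS default cluster size mentioned in the thread
    # cluster index within the volume -> (file name, bytes of that file stored in the cluster)
    files: dict = field(default_factory=dict)

    @property
    def start(self) -> int:
        return self.start_sector * SECTOR

    @property
    def end(self) -> int:
        return self.start + self.sector_count * SECTOR

    @property
    def full_clusters(self) -> int:
        """Number of clusters that fit completely inside the partition."""
        return (self.sector_count * SECTOR) // self.cluster_size


def file_slack(file_size: int, cluster_size: int) -> int:
    """Bytes between the end of a file and the end of its last cluster."""
    return (-file_size) % cluster_size


def volume_slack(v: Volume) -> int:
    """Bytes at the end of the partition that cannot form a complete cluster."""
    return v.sector_count * SECTOR - v.full_clusters * v.cluster_size


def classify(offset: int, volumes: list) -> tuple:
    """Label an absolute byte offset using the thread's terminology."""
    for v in volumes:
        if v.start <= offset < v.end:
            rel = offset - v.start
            cluster = rel // v.cluster_size
            if cluster >= v.full_clusters:
                return ("volume slack", v.name)
            if cluster not in v.files:
                return ("unallocated cluster", f"{v.name} cluster {cluster}")
            fname, used = v.files[cluster]
            if rel % v.cluster_size < used:
                return ("allocated", f"{v.name} {fname}")
            return ("file slack", f"{v.name} {fname}")
    return ("unused disk area", "outside every partition")


MARKER = re.compile(rb"MYEVIDENCE\d{3}")  # the search term suggested in the thread


def build_test_image() -> tuple:
    """Constructed 1 MiB raw image: two partitions, one marker planted in each kind of area."""
    disk = bytearray(1 << 20)
    # 1003 sectors = 513,536 bytes = 125 full clusters plus 1,536 bytes of volume slack
    vol1 = Volume("vol1", start_sector=64, sector_count=1003)
    vol2 = Volume("vol2", start_sector=1200, sector_count=600)   # 75 clusters exactly
    vol1.files[0] = ("readme.txt", 100)   # 100-byte file, so 3,996 bytes of file slack follow it
    vol1.files[3] = ("log.bin", 4096)     # a file that fills its cluster exactly

    def plant(offset: int, data: bytes) -> None:
        disk[offset:offset + len(data)] = data

    plant(vol1.start + 10, b"MYEVIDENCE001")                # inside readme.txt's data
    plant(vol1.start + 2000, b"MYEVIDENCE002")              # readme.txt's file slack
    plant(vol1.start + 5 * 4096 + 77, b"MYEVIDENCE003")     # unallocated cluster 5 of vol1
    plant(vol1.start + 125 * 4096 + 100, b"MYEVIDENCE004")  # volume slack of vol1
    plant(600_000, b"MYEVIDENCE005")                        # gap between the two partitions
    plant(vol2.start + 4096 + 8, b"MYEVIDENCE12!")          # decoy with two digits: must not match
    return disk, [vol1, vol2]


def find_markers(disk: bytearray, volumes: list) -> list:
    """Search the whole image for the marker pattern and classify each hit by location."""
    hits = []
    for m in MARKER.finditer(bytes(disk)):
        label, detail = classify(m.start(), volumes)
        hits.append((m.group().decode(), m.start(), label, detail))
    return hits


if __name__ == "__main__":
    disk, vols = build_test_image()
    for marker, off, label, detail in find_markers(disk, vols):
        print(f"{marker} at offset {off:>8}: {label} ({detail})")
```

Running it lists five hits, one per area (allocated data, file slack, unallocated cluster, volume slack, unused disk area), which is the kind of ground truth the poster above suggests building before relying on a tool's labels. Against a real image the cluster map would come from the file system itself rather than from the hand-built files dictionary, but the classification boundaries (partition table, last full cluster, cluster allocation, file size) are the same ones EnCase's unallocated, volume slack and unused categories are drawn on.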