Unallocated vs Free Space

jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

That doesn't make sense. This data, by its nature, doesn't belong to a current file system (it was created before the format), but it's listed as allocated (and as active file data) by that file system.

A test image is here https://github.com/msuhanov/ntfs-samples/blob/master/ntfs-ptrn.raw.gz

Check the following data streams of the "/$Extend/$RmMetadata/$Repair" file "$Corrupt" and "$Verify".

This image was filled with the "PTRN" byte pattern prior to the formatting.

I still don't understand, you seemingly intentionally made a filesystem "hiding" some data (this is steganography).

The file "$Corrupt" is 2097152 bytes in size and occupies a single contiguous extent starting on cluster #38 up to cluster 549 included: (550-38) = 512 clusters; 512*4096 = 2097152.
The file "$Verify" is 307200 bytes in size and occupies a single contiguous extent starting on cluster #550 up to cluster 624 included: (625-550) = 75 clusters; 75*4096 = 307200.

In LBA sectors, that is LBA 432 to 4528 and 4528 to 5128.

The extent from LBA 432 to 4528 is allocated to file "$Corrupt".
The extent from LBA 4528 to 5128 is allocated to file "$Verify".

Both are allocated (and thus not unallocated).

Both are allocated (and thus not free space).

Both contain (not everywhere but in spots) sectors with the pattern "PTRN".

Again, what gives? 😯

If you are saying that it is possible that currently allocated extents may contain remains of previous filesystems or even possibly "deleted data", that is perfectly fine ) , maybe a "better" example could be a particular case of use of the hibernation, see here
https://www.forensicfocus.com/Forums/viewtopic/p=6595349/

still I see nothing connected to unallocated or free space.

jaclaz

 
Posted : 11/02/2020 2:54 pm
(@thefuf)
Posts: 262
Reputable Member
 

you seemingly intentionally made a filesystem "hiding" some data (this is steganography).

No, I just formatted a virtual drive.

Both contain (not everywhere but in spots) sectors with the pattern "PTRN".

Which is actually unallocated data (aka free space) by its origin! It _was_ claimed by a file system, but this file system is no longer there. A current file system has nothing to do with this data (unless it's overwritten), except that it marked these sectors as belonging to allocated clusters.

From a practical point of view, this remnant data wouldn't be extracted as unallocated by common tools (like blkls). But it can contain a smoking gun.

 
Posted : 11/02/2020 3:18 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

From a practical point of view, this remnant data wouldn't be extracted as unallocated by common tools (like blkls). But it can contain a smoking gun.

Sure ) , as the extent is NOT unallocated, but rather allocated (at the current filesystem).

A sector-level carver would find its contents all right, an unallocated one won't as it is NOT unallocated.

But before being unallocated (in the previous filesystem) the extent must have been allocated (still in the previous filesystem) in order to have (meaningful/relevant) data in it.

So it would be meaningful to call those re-allocated or ex-allocated extents, but they are anyway subsets of the (currently) allocated.

jaclaz

 
Posted : 11/02/2020 6:39 pm
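The three posts above revolve around one mechanical point: a cluster extent that the current file system marks as allocated can still carry bytes written before the format, and a tool that extracts only unallocated data units (blkls in its default mode) will never output them. The script below is an added example, not code from the thread or from the ntfs-samples repository. It builds a constructed in-memory "volume" that is first filled with the "PTRN" pattern and then "formatted" so that the two extents from the thread ($Corrupt at clusters 38-549, $Verify at clusters 550-624) are allocated but only partly overwritten. It reproduces jaclaz's cluster-to-byte and cluster-to-LBA arithmetic (the partition offset of 128 sectors is an assumption chosen so that cluster 38 maps to LBA 432 as in the thread), then classifies every cluster that still holds the pattern as allocated or unallocated and shows how much of it an unallocated-only extraction would return.

```python
"""Allocated-vs-unallocated remnant demo (constructed data, not the thread's image)."""
from dataclasses import dataclass

SECTOR_SIZE = 512
CLUSTER_SIZE = 4096
SECTORS_PER_CLUSTER = CLUSTER_SIZE // SECTOR_SIZE
# Assumption: partition starts at LBA 128, which makes cluster 38 -> LBA 432 as in the thread.
PARTITION_START_LBA = 128
PATTERN = b"PTRN"


@dataclass(frozen=True)
class Extent:
    """One contiguous run of clusters owned by a file (last_cluster is inclusive)."""
    name: str
    first_cluster: int
    last_cluster: int

    @property
    def cluster_count(self) -> int:
        return self.last_cluster - self.first_cluster + 1

    @property
    def size_bytes(self) -> int:
        return self.cluster_count * CLUSTER_SIZE

    def lba_range(self) -> tuple[int, int]:
        """Absolute sector range [start, end) on the disk."""
        start = PARTITION_START_LBA + self.first_cluster * SECTORS_PER_CLUSTER
        end = PARTITION_START_LBA + (self.last_cluster + 1) * SECTORS_PER_CLUSTER
        return start, end


# The two extents discussed in the thread.
EXTENTS = [Extent("$Corrupt", 38, 549), Extent("$Verify", 550, 624)]


def owner_of(cluster: int):
    """Name of the file owning this cluster, or None if no listed extent covers it."""
    for ext in EXTENTS:
        if ext.first_cluster <= cluster <= ext.last_cluster:
            return ext.name
    return None


def build_image(total_clusters: int = 700):
    """Constructed volume: pre-filled with PATTERN, then partially overwritten by a 'format'.

    Returns (image_bytes, allocation_bitmap) where bitmap[c] is True for allocated clusters.
    """
    img = bytearray((PATTERN * (CLUSTER_SIZE // len(PATTERN))) * total_clusters)
    bitmap = [False] * total_clusters
    # Clusters 0..37 stand in for boot sector / MFT: allocated and fully overwritten.
    for c in range(0, EXTENTS[0].first_cluster):
        img[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE] = b"\x00" * CLUSTER_SIZE
        bitmap[c] = True
    # The two files claim their extents, but only the first N clusters of each get written,
    # so the rest of each extent is allocated yet still holds the pre-format pattern.
    for ext, written in ((EXTENTS[0], 100), (EXTENTS[1], 10)):
        for c in range(ext.first_cluster, ext.last_cluster + 1):
            bitmap[c] = True
        for c in range(ext.first_cluster, ext.first_cluster + written):
            img[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE] = b"\xff" * CLUSTER_SIZE
    return bytes(img), bitmap


def clusters_with_pattern(img: bytes, pattern: bytes = PATTERN) -> set:
    """Cluster numbers whose content contains the pattern (a sector-level carver's view)."""
    return {
        c for c in range(len(img) // CLUSTER_SIZE)
        if pattern in img[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE]
    }


def classify_hits(img: bytes, bitmap: list, pattern: bytes = PATTERN):
    """Split pattern hits by the current file system's allocation status."""
    hits = clusters_with_pattern(img, pattern)
    allocated = sorted(c for c in hits if bitmap[c])
    unallocated = sorted(c for c in hits if not bitmap[c])
    return allocated, unallocated


def extract_unallocated(img: bytes, bitmap: list) -> bytes:
    """Mimic blkls' default mode: concatenate only clusters the bitmap marks as free."""
    return b"".join(
        img[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE]
        for c in range(len(bitmap)) if not bitmap[c]
    )


if __name__ == "__main__":
    for ext in EXTENTS:
        print(f"{ext.name}: {ext.cluster_count} clusters, {ext.size_bytes} bytes, LBA {ext.lba_range()}")
    image, alloc = build_image()
    alloc_hits, free_hits = classify_hits(image, alloc)
    print(f"pattern found in {len(alloc_hits)} allocated clusters "
          f"(owners: {sorted({owner_of(c) for c in alloc_hits})}) "
          f"and {len(free_hits)} unallocated clusters")
    print(f"unallocated-only extraction contains {extract_unallocated(image, alloc).count(PATTERN)} "
          f"pattern copies; a sector-level scan of the whole image would also cover the allocated hits")
```

Running it prints the thread's figures (512 clusters / 2097152 bytes / LBA 432-4528 for $Corrupt, 75 clusters / 307200 bytes / LBA 4528-5128 for $Verify) and then shows the practical consequence: most pattern hits sit inside the two allocated extents, and the unallocated-only extraction contains only the 75 genuinely free clusters. Which category to assign such remnants to is the terminology question the thread argues about; the numbers are the same either way, and the defensible forensic approach is to scan both the unallocated output and the allocated extents when looking for pre-format data.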