Searching Unallocated Space in EnCase

 
  

Dndschultz
Member
 

Searching Unallocated Space in EnCase

Posted: Apr 14, 11 06:05

I am very new to EnCase and am still a bit confused about searching unallocated space. I understand the concept that the clusters allocated to the file are released by the operating system and that some data may still be there. However, I do not understand why you need to conduct a separate search in unallocated space. If I conduct a keyword search on the entire physical drive is it not already searching unallocated space? Or does this search only apply to the headers of graphic files and video files?  
 
  

miket065
Senior Member
 

Re: Searching Unallocated Space in EnCase

Posted: Apr 14, 11 07:08

- Dndschultz
If I conduct a keyword search on the entire physical drive is it not already searching unallocated space?


Yes, a keyword search on the entire physical drive includes searching unallocated space.

- Dndschultz
Or does this search only apply to the headers of graphic files and video files?


That is "file carving" - attempting to recover files based on a file signature and footer.
_________________
Some things you just can't "unsee". 
 
  

mscotgrove
Senior Member
 

Re: Searching Unallocated Space in EnCase

Posted: Apr 14, 11 14:57

The reason for searching just unallocated space would be to find keywords in files that could have been deleted.

There is no structure to unallocated space, so you may find remains of files that have been deleted, or moved when defragmenting. It could also have data from a previous use of the disk. If keywords are only found in unallocated space, it may suggest that files have been removed.

You also need to be aware of slack space in both clusters and NTFS directories.
_________________
Michael Cotgrove
www.cnwrecovery.com
www.goprorecovery.co.uk 
 
  

mjantal
Member
 

Re: Searching Unallocated Space in EnCase

Posted: Apr 14, 11 19:23

There are also good reasons for separate searches of allocated/unallocated. First, the parameters of an order might restrict you from searching unallocated space, although hopefully that is not the case. Next, you may do separate searches in the interest of efficiency. In this case, you may want to look at allocated files first, especially if the unallocated space is significantly large. I like to think of this approach as targeted forensics... get to the low-hanging fruit first. If you have good reason to believe the pertinent artifacts are deleted, you could also go directly to unallocated first. However, if you have the flexibility/time, you can always do one search of everything... it's just going to tie down some resources for a bit.
 
  

mtbinva
Member
 

Re: Searching Unallocated Space in EnCase

Posted: Apr 15, 11 22:03

The extraction of data from unallocated should be done in slices. By that I mean if you're looking for Word docs, pictures and other data, I strongly recommend doing the carve for each of the file types separately from each other.

Also, make sure the client or the direction is clear as to what you are investigating. EnCase does a good job at carving data.
 
  

ForensicRob
Member
 

Re: Searching Unallocated Space in EnCase

Posted: May 13, 11 18:56

When you do a text search in unallocated space, keep in mind that many file formats translate, compress or encrypt the data, which prevents it from being detected in a text search. Unicode should also be used along with ASCII search strings.

If your simple text search doesn't turn up anything, I recommend carving the files and searching them with more intelligent tools that handle the pertinent file types.
_________________
Rob Zirnstein
President
Forensic Innovations, Inc.
www.ForensicInnovations.com
Rob.Zirnstein @ ForensicInnovations.com 
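
The point in the post above about pairing Unicode with ASCII search strings, and about compressed data escaping a text search, as an added example that is not part of the original thread and not EnCase's own search logic. It scans a raw byte stream for one keyword in ASCII and UTF-16LE; the function names and the sample buffer are constructed for illustration.

```python
import io
import re
import zlib


def search_image(stream, keyword, chunk_size=1 << 20):
    """Return sorted (absolute_offset, encoding) hits for keyword in a raw stream."""
    if not keyword:
        raise ValueError("keyword must not be empty")
    patterns = {
        "ascii": re.compile(re.escape(keyword.encode("ascii")), re.IGNORECASE),
        "utf-16le": re.compile(re.escape(keyword.encode("utf-16-le")), re.IGNORECASE),
    }
    # Carry the end of each chunk forward so a hit split across two reads is seen.
    overlap = 2 * len(keyword) - 1  # longest encoded form, minus one byte
    hits, tail, base = set(), b"", 0  # base = absolute offset of buf[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk
        for name, pattern in patterns.items():
            for match in pattern.finditer(buf):
                hits.add((base + match.start(), name))  # set drops overlap repeats
        tail = buf[-overlap:]
        base += len(buf) - len(tail)
    return sorted(hits)


def build_sample():
    """Constructed stand-in for a slice of unallocated space (not real evidence)."""
    filler = b"\x00" * 100
    ascii_fragment = b"Subject: Invoice 4471 overdue"            # single-byte text
    utf16_fragment = "invoice_final.docx".encode("utf-16-le")     # two bytes per char
    compressed = zlib.compress(b"invoice totals for March " * 4)  # as inside a container
    return filler + ascii_fragment + filler + utf16_fragment + filler + compressed


if __name__ == "__main__":
    image = build_sample()
    for offset, encoding in search_image(io.BytesIO(image), "invoice", chunk_size=64):
        print(f"offset {offset:>5}  {encoding}")
    # The compressed copy is never reported: its bytes no longer spell the keyword.
```

An ASCII-only search of this buffer would report one hit, and neither encoding finds the compressed copy until that region is carved and decompressed.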
 
  

honor_the_data
Newbie
 

Re: Searching Unallocated Space in EnCase

Posted: Mar 21, 19 14:22

Update- it looks like EnCase 8.08 can get the job done because I keyword searched the unallocated space, and indexed the partition image, and I am finding logs from the time in question.

I was also able to identify the evil logins :).  
 
