Unallocated space refers to the portion of a hard drive that people can use to save new files. It is also aptly known as “free space” since it can be freely used to store any type of data. On the other hand, the area on a hard drive already containing files is called “allocated space.”
Unallocated space is simple enough to understand, as it is similar to the empty seats on a bus. Those still unoccupied represent a hard drive’s unallocated space, while the seats that have people sitting on them comprise allocated space. When a passenger gets off the bus, the allocated space he/she occupied becomes unallocated, and another person can take his/her seat.
Free space plays a vital role in cybercriminal investigations since it can still hold part or all of the data of a deleted file that can serve as evidence. As much as possible, lawyers and investigators would want to recover and preserve any data stored in the unallocated space to support their cases.
In digital forensics, unallocated space means something different from the “unallocated space” described in a computer’s Disk Management (as shown in the screenshot below). In Disk Management, unallocated space means that the space does not belong to any partition and, therefore, no program can write to that space.
What Is the Difference between Allocated and Unallocated Space?
Allocated space is the area of a hard drive that already has files stored in it, while unallocated space refers to the free space on the drive where anyone can save files. However, unallocated space does not necessarily mean “empty.” How does this happen?
When a person deletes a file, it is not really erased from the hard drive. Instead, the space is merely labeled “unallocated and available for other files.” The deleted file’s data is still there, although it can be overwritten by new data when the space is reused.
Why Is Unallocated Space Useful in Investigations?
Consider a scenario where a person rides a bus right after committing a crime. Even when the suspect gets off at the next station, investigators may still be able to obtain evidence from his/her seat if they arrive just in time. There could be a smear of blood, drops of sweat, and other items that investigators may find helpful.
But what happens when someone else takes the suspect’s seat after he/she gets off? The evidence left by the suspect could be contaminated. Worse, there is a high possibility that it would be erased, as the next passengers could wipe off the blood and sweat left by the suspect.
The same concept applies to free space. Free space can still hold recoverable data even when an incriminating file is deleted. Investigators can still recover part or all of the files at this point. However, when the space occupied by the deleted file gets reused and overwritten, the stored data gets wiped off, too.
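A toy model of the behavior described above, added here as an illustration and not part of the original article: deleting a file only clears its allocation label, so its bytes stay readable until a new file reuses the blocks. The `ToyDisk` class, the 16-byte block size, and the sample contents are constructed assumptions and do not reflect how any real file system is laid out.

```python
BLOCK = 16  # bytes per block (constructed toy value)

class ToyDisk:
    """Hypothetical volume: raw blocks plus an allocation table."""
    def __init__(self, nblocks):
        self.data = bytearray(nblocks * BLOCK)
        self.allocated = [False] * nblocks
        self.files = {}  # file name -> list of block indexes

    def write(self, name, content):
        need = -(-len(content) // BLOCK)  # ceiling division
        free = [i for i, used in enumerate(self.allocated) if not used][:need]
        if len(free) < need:
            raise OSError("disk full")
        for n, i in enumerate(free):
            chunk = content[n * BLOCK:(n + 1) * BLOCK].ljust(BLOCK, b"\0")
            self.data[i * BLOCK:(i + 1) * BLOCK] = chunk  # overwrites old bytes
            self.allocated[i] = True
        self.files[name] = free

    def delete(self, name):
        # Only the label changes; the bytes in the blocks are left in place.
        for i in self.files.pop(name):
            self.allocated[i] = False

    def unallocated_bytes(self):
        # What a forensic tool would read: every block not owned by a file.
        return b"".join(bytes(self.data[i * BLOCK:(i + 1) * BLOCK])
                        for i, used in enumerate(self.allocated) if not used)

def demo():
    disk = ToyDisk(8)
    note = b"MEET AT DOCK 9 AT MIDNIGHT, BRING THE FILES"  # constructed sample
    disk.write("note.txt", note)          # occupies blocks 0, 1 and 2
    disk.delete("note.txt")
    whole_after_delete = note in disk.unallocated_bytes()
    disk.write("new.txt", b"quarterly report")  # reuses block 0 only
    leftover = disk.unallocated_bytes()
    whole_after_reuse = note in leftover
    fragment_after_reuse = note[BLOCK:] in leftover  # blocks 1 and 2 survive
    return whole_after_delete, whole_after_reuse, fragment_after_reuse

if __name__ == "__main__":
    print(demo())
```

After the delete the whole note is still present in free space; once the new file reuses the first block, only the trailing fragment can be recovered.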
What Data Can Unallocated Space Store?
A hard drive’s free space can hold any data that can be useful in several cases. Examples of the data it can store include:
- Chat or instant-messaging conversations
- Internet browsing history
- System logs
While the complete file or information may not be retrieved, fragments can still be viewed and recovered if the unallocated space isn’t overwritten. However, a regular computer user cannot do this. Forensic investigators use specialized forensic software to retrieve data from free space.
For example, an investigator can retrieve emails exchanged between a former employee and a competitor, proving corporate espionage and theft of company data. However, that is only possible if the unallocated space remained untouched even after the employee left the company. If a new employee started using the former employee’s computer, the free space containing critical evidence could be reused and overwritten with new data.
When we delete a file, an email, or a conversation on an instant-messaging platform, most of us are under the impression that the data is completely erased. But now that we know what unallocated space is, we know that it is still possible for someone else to recover the deleted information.