5.4 Deleting data from an HDD
“What happens when a file is deleted from a hard disk?” asked Rupert.
“When a file is deleted, the operating system doesn’t erase the file; it simply makes the clusters that the file occupies available for reallocation. So the data is still there until it is overwritten, but there is no reference to it in the file allocation table, and the file is said to be dereferenced. However, the operating system at some point might allocate a new file to one of those clusters, which overwrites the original data.”
Gloria paused while the implications of this dawned on Rupert.
“So even if a file has been deleted, the data might still be right there on the hard disk if it hasn’t been overwritten yet?” he said, barely containing his excitement.
Gloria smiled. “Yes – but it is even better than that,” she said.
“As we have seen, the cluster system means that there is almost always some unused space in the last cluster when a file is stored. The amount of unused space depends on the cluster size and the file size. The logical size of a file is a measure of the number of bytes of data a file actually contains. Its physical size is almost always bigger than this because it has to be stored in a discrete number of clusters.
“So, for example, take a file that has a logical size of 1280 bytes. In a system where there are four sectors of 512 bytes in a cluster, the file takes up a whole cluster (or 2048 bytes), which means that the physical size of the file is 2048 bytes. The difference between 2048 and 1280 is 768, which means that there is a slack space of 768 bytes” (Figure 18).
“After a file is deleted, if the newly allocated file does not occupy the whole of the cluster or clusters, the data in the slack space is not overwritten. And if the deleted file was larger than the newly allocated file, there will be bits of the old file still intact, although not visible to the file system. So data in the slack space might well come from files considerably older than the deleted file.
“This leftover data, which is called latent data or ambient data, can provide investigators with clues as to what was originally stored in the whole cluster, which may in turn provide leads for other enquiries. In 2016, for example, the Federal Bureau of Investigation (FBI) revealed that it had reviewed millions of email fragments that resided in the slack space of the memory of the personal servers of former Secretary of State Hillary Clinton, in order to determine whether or not she had improperly stored or transmitted classified information.”
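The behaviour Gloria describes can be reproduced with a toy model, given here as an added example that is not part of the original course text. The `ToyDisk` class, its method names and the file contents are constructed for illustration; the model assumes a write changes only the bytes it stores, whereas real file systems may pad the final sector.

```python
SECTOR = 512
SECTORS_PER_CLUSTER = 4
CLUSTER = SECTOR * SECTORS_PER_CLUSTER  # 2048 bytes, as in the worked example


class ToyDisk:
    """Constructed model: raw clusters plus an allocation table."""

    def __init__(self, n_clusters):
        self.data = bytearray(n_clusters * CLUSTER)  # the platters
        self.table = {}                              # name -> (clusters, logical size)
        self.free = list(range(n_clusters))

    def write(self, name, content):
        needed = max(1, -(-len(content) // CLUSTER))  # round up to whole clusters
        clusters = [self.free.pop(0) for _ in range(needed)]
        for i, c in enumerate(clusters):
            chunk = content[i * CLUSTER:(i + 1) * CLUSTER]
            # Simplification: only the bytes written are overwritten.
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.table[name] = (clusters, len(content))

    def delete(self, name):
        # Deleting only dereferences: the clusters become available again,
        # the bytes in self.data are left untouched.
        clusters, _ = self.table.pop(name)
        self.free = clusters + self.free

    def physical_size(self, name):
        return len(self.table[name][0]) * CLUSTER

    def slack(self, name):
        # Bytes between the end of the file and the end of its last cluster.
        clusters, size = self.table[name]
        used = size - (len(clusters) - 1) * CLUSTER
        start = clusters[-1] * CLUSTER
        return bytes(self.data[start + used:start + CLUSTER])


def demo():
    disk = ToyDisk(4)
    old = (b"old-file-data;" * 147)[:CLUSTER]  # constructed 2048-byte file
    disk.write("old.txt", old)
    disk.delete("old.txt")
    disk.write("new.txt", b"N" * 1280)         # reuses the freed cluster
    return disk, old


if __name__ == "__main__":
    disk, old = demo()
    print(len(disk.slack("new.txt")), disk.slack("new.txt")[:28])
```

The 768 bytes returned by `slack("new.txt")` are the tail of the deleted file, even though the allocation table no longer has any entry for it.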
Activity 13 (self-assessment) The difference between unallocated space and slack space
Rupert was tired at this point, so he did not quite take in the difference between unallocated space and slack space. Help him out by writing down a couple of sentences to explain it to him.
Unallocated space is free space on a hard drive that can be used to store data. It is a discrete number of clusters. Slack space is the unused space between the end of the actual file and the end of the cluster.