Fortunately for the forensics investigator, most users aren't very good at covering their tracks. Ignorance of how computers manage memory and disks results in incriminating file or memory content stored in various locations invisible to the subject of an investigation. In this post, we'll look at three potential locations for this information — deleted files and slack space, swap space, and hibernation files.Deleted files and slack space When an operating system writes a file to disk, it allocates a certain number of sectors. The number of sectors allocated depends on the limitations of the operating system and configuration decisions made by the system administrator. The sectors allocated and their location on the disk are recorded in a directory table for later access. When the file is deleted, the space originally allocated to it is simply marked as unallocated. The actual data remains on the disk. Deleted files in this state are easily recoverable by many disk utilities, but what happens if a new file is written to this same space? Figure A shows what might happen to the original data.
At some point in the past, File A was written to sectors 1 and 2. The sectors were completely filled by the file's content. When the user decides to delete the file, the sectors are marked as unallocated. However, the file content remains.
Sometime after File A is deleted, the user requests the OS to save File B. The OS once again allocates sectors 1 and 2, but notice that the file content doesn't completely fill sector 2. The unwritten portion of sector 2 is known as slack space, and it still contains content from File A. Slack space data can be read and analyzed by any of the popular forensics toolkits.Swap space
Both Linux and Microsoft Windows systems expand RAM by using disk. In this virtual memory model, the OS moves data in memory to a special location on disk in order to free RAM for additional operations. When the data on disk is needed again, it's moved back into RAM. The area on disk used for this purpose is called the swap file or swap space. In Linux environments, the swap area is an actual disk partition. On a Windows XP machine, the swap space is a file called Pagefile.sys.
Since everything in RAM is subject to being swapped to disk, some very interesting information can be found in a swap file. In addition to plain-text data that might be encrypted in a disk file, encryption keys might also be present. This is due to weaknesses in some applications that allow unencrypted keys to reside in memory. Further, information contained in e-mails or stored at remote locations might still reside in swap space. Any standard disk maintenance utility can access this information.Hibernation files
Hibernation files are created when a system goes into sleep or hibernation mode. For example, a laptop running Windows XP writes the entire contents of RAM to a file when going into hibernation. Like swap space, hibernation files can contain a wealth of information not found anywhere else on the target system. The contents of a hibernation file can be accessed by a number of disk maintenance utilities.
A target disk is usually full of useful information. An investigator just needs to know where to look and how to employ the proper tools and techniques for extracting it.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.