SANS Digital Forensics and Incident Response Blog

Dates from Unallocated Space

By John McCash

A recent podcast I listened to (Forensic 4cast - well worth the time to listen to it) made a statement which I took to imply that files recovered from unallocated space were useless in most investigations because they lack the filesystem metadata, specifically the MAC times. While it's true that the lack of this data can be a significant handicap, I disagreed rather strongly with that, and my disagreement forms the basis for this blog entry. I did follow up with Lee (Hi Lee!) at Forensic 4cast, and such a blanket implication was unintentional. Nonetheless, I think it worthwhile to enumerate for the community a number of points to consider when sieving through unallocated space.

Dates in particular, as well as other file metadata, can be extracted from many file types. Additionally, filesystem metadata is often copied into an archive or stored redundantly in ways that allow it to be retrieved from files carved out of unallocated space. The following bullets represent a small sampling of places and methods from which this sort of information can be retrieved. Note, however, that some of the entries are Windows-specific.

  • Application Metadata - Many standard file types (JPG, PDF, & DOC, just to name a few) include a wide variety of metadata elements. Exiftool is a good general purpose tool for retrieving many of these, and I mention several more in my previous posting on Windows Viewers & Information Extractors for various File Types.
  • Thumbs.db - This is a Windows database that's used to maintain a thumbnail view of graphic files located in the folder where it's found. It will often still contain thumbnail views of files which have since been deleted. If you carve this file out of unallocated space and extract its contents with a tool such as Encase or Vinetto, you will obtain the most recent last written date for each file whose thumbnail is included, as of the time when the thumbnail was generated. (Note, however, that these times are rounded up to the nearest even second.) This information is also present in the Catalog stored within the Thumbs.db file: it's a Windows GMT time encoded in the 8 bytes preceding the (Unicode) filename.
  • File Archives - Archive formats such as Zip, Tar and RAR typically store MAC time (or at least last write time) information for the included files as of the time they were archived. The 7zip Windows archive browser is one good utility for examining many archive formats.
  • Unallocated MFT (Windows NTFS Master File Table) Entries - Normally, MFT entries don't become unallocated, because the MFT never spontaneously shrinks, but there are circumstances where this can happen. For instance, if a disk is defragmented and MFT entries are moved to new locations, the old locations may not be subsequently overwritten. These entries can be carved out of unallocated space and parsed to reveal all filesystem metadata, including the filename and the block locations of the file contents, which may or may not still be intact.
  • Timestamped log file entries - Many applications generate logs (binary or plaintext) in the normal course of their operation. Most such log entries are timestamped, and are formatted in such a way that they may be easily parsed out of unallocated space. Apache webserver logs, in particular, can provide valuable case evidence long after they've been deleted. In one case I recently worked, I pulled an Apache log entry out of unallocated space which identified a probable initial compromise over three years earlier!
  • Databases, or other file types with well-defined record formats - This is really just a more general case of some of the specific examples above. Such records quite often include fields with time/date information.
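As an added example (not from the original post, nor from Encase or Vinetto), the following Python scans a carved buffer for UTF-16 image filenames and decodes the 8 bytes preceding each as a Windows FILETIME, the layout the Thumbs.db bullet above describes. The buffer is constructed here, and the search heuristics (image extensions, a NUL terminator after the name, a plausible-year filter) are assumptions of this example rather than the exact structure of the Thumbs.db Catalog.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: unsigned 64-bit count of 100 ns ticks since 1601-01-01 UTC, little-endian on disk.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(raw8: bytes) -> datetime:
    """Decode 8 little-endian FILETIME bytes to an aware UTC datetime."""
    ticks, = struct.unpack("<Q", raw8)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt: datetime) -> bytes:
    """Inverse of filetime_to_datetime; used here only to build the sample blob."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return struct.pack("<Q", ticks)

# Assumed search pattern: a UTF-16LE image filename ending in ".ext" plus a two-byte NUL terminator.
_EXTS = b"|".join(e.encode("utf-16-le") for e in ("jpg", "jpeg", "png", "gif", "bmp"))
_NAME_END = re.compile(rb"\.\x00(?:" + _EXTS + rb")\x00\x00", re.IGNORECASE)

def carve_thumb_dates(blob: bytes, max_name: int = 255) -> list:
    """Return (filename, timestamp) pairs for image names whose preceding 8 bytes look like a FILETIME."""
    hits = []
    for m in _NAME_END.finditer(blob):
        start = m.start()
        # Walk back over (printable ASCII, 0x00) pairs to reach the first character of the name.
        while (start >= 2 and blob[start - 1] == 0 and 0x20 <= blob[start - 2] <= 0x7E
               and (m.end() - 2 - start) // 2 < max_name):
            start -= 2
        if start < 8:
            continue
        name = blob[start:m.end() - 2].decode("utf-16-le")
        try:
            stamp = filetime_to_datetime(blob[start - 8:start])
        except OverflowError:           # arbitrary bytes can exceed datetime's range
            continue
        if 1980 <= stamp.year <= 2100:  # reject unrelated bytes that happen to precede a name
            hits.append((name, stamp))
    return hits

def build_sample_blob() -> bytes:
    """Constructed stand-in for carved unallocated data (not a real Thumbs.db)."""
    when = datetime(2009, 7, 14, 10, 30, 22, tzinfo=timezone.utc)
    entry = datetime_to_filetime(when) + "vacation01.jpg".encode("utf-16-le") + b"\x00\x00"
    decoy = b"\x00" * 8 + "notes.png".encode("utf-16-le") + b"\x00\x00"  # no real timestamp
    return b"\xa5" * 12 + b"junk data\x00" + entry + b"\x13\x37" * 5 + decoy + b"\x00" * 8
```

Running `carve_thumb_dates(build_sample_blob())` returns only the entry with a plausible timestamp; the decoy whose preceding bytes decode to the year 1601 is dropped by the year filter.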

As always, you're welcome to leave commentary if you liked this article or want to call me on the carpet for some inaccuracy.

John McCash, GCFA Silver #2816, is currently a Forensic Investigator employed by a Fortune 500 telecommunications equipment provider.