SANS Digital Forensics and Incident Response Blog: Tag - unallocated space

Dates from Unallocated Space

By John McCash

A recent podcast I listened to (Forensic 4cast, well worth the time to listen to) made a statement which I took as an implication that files recovered from unallocated space were useless in most investigations because they lacked the filesystem metadata, specifically the MAC times. While it's true that the lack of this data can be a significant handicap, I disagreed rather strongly with that, and my disagreement forms the basis for this blog entry. I did follow up with Lee (Hi Lee!) at Forensic 4cast, and such a blanket implication was unintentional. Nonetheless, I think it worthwhile to enumerate for the community a number of points to consider when sieving through unallocated space.

Dates in particular, as well as other file metadata, can be extracted from many file types. Additionally, often filesystem

...