The main aim of this paper is to explain the various methods through which data is stored in a Microsoft Windows environment. The special focus is on slack space, unallocated space, the sequence of events that takes place when a file is deleted, and how computer forensics experts can use this knowledge to assist in data recovery and computer forensics to benefit computer users. Computers are electronic devices used to store, manipulate and process data. Computers have evolved from huge machines that once occupied big rooms. Today, computers have become small gadgets that can fit in an envelope; the most common is the laptop. Nowadays, people around the world use computers for communication, learning, planning, and entertainment (Steen & Hassell, 2004). Because of this, computers carry crucial information that can be used as evidence in a court of law, even if the information is not directly related to computers. The evidence from computers ranges from e-mail and photographs to private documents. The advances made in computer technology have enabled data to be retrieved from these machines even if someone has already erased the data or even formatted the drive that contained it. Microsoft Windows is software developed to perform various functions.
Computers are designed to store data and very important information generated by computer users. Computers come with software and hardware for performing these functions. Software is the brain of a computer. It is installed on computers for data processing. Microsoft has designed software for specific functions such as computing. Microsoft Windows Office Word 2007, Access, PowerPoint, Excel, Publisher, InfoPath and Outlook are examples of the software programs developed for computer users. The hardware parts of computers are the disk drives for data storage, the most common being hard disks, compact disks and floppy disks. Microsoft programs store information about the state of documents stored on computers or retrieved from computers. This metadata serves as a reference point for other peripheral devices that were connected to the computer prior to the loss of data or any other work performed by the computer (Steen & Hassell, 2004).
Computer forensics refers to the investigation of computer information with the aim of uncovering and scrutinizing erased, available, or hidden information that can be used as evidence for litigation or in a court of law (Steen & Hassell, 2004). Computer forensics is very important with respect to this investigation. Mostly it is used to unearth potential evidence in various kinds of cases including, for instance: sexual assault, theft of intellectual property, unauthorized access to private and confidential information, blackmail, corruption, decryption, destroying information, copyright violation, industrial cases, money laundering, pirating copies of music, fraud cases, unlawful duplication of software, unwarranted use of a computer, and child pornography (Steen & Hassell, 2004). Computer forensics utilizes various techniques, with the help of complex software, to see and check information that cannot be accessed by the normal user. This information may have been erased by the user weeks or even years before the investigation, or may never have been stored to start with, but it may still exist in whole or in part on the computer's drive. It is very important that the attorney and the affected client get a forensics expert who can provide meaningful insight in all the steps of building a case, involving the following: checking whether the computer in question contains information related to the case, helping to prepare and respond to interrogatories, retrieving and examining the information that can be accessed with the help of forensics programs and methods, generating court reports, and lastly planning and providing expert testimony (Steen & Hassell, 2004).
Slack space refers to the data storage space that exists from the end of the file to the end of the last cluster allocated (Bell, 2005). Computer files are created in various lengths based on the contents stored in them. The storage segments used by Microsoft Windows are known as clusters. In other words, a cluster is a collection of sectors used to allocate data storage locations in all Microsoft Windows programs (Bell, 2005). The type of operating system and the size of the logical storage volume have a profound effect on the size of clusters. They range from 2 sectors on a low-density 5.25-inch floppy diskette to 128 sectors on a 2048 MB to 4095 MB logical hard drive partition. File sizes do not perfectly match the size of one or more clusters (Bell, 2005). Larger cluster sizes mean more file slack, which takes up more storage space on the Windows system in question. On the other hand, this computer security limitation provides a loophole through which a computer forensics expert can obtain a reasonable source of evidence and leads. When the data stored in the file fails to fill the last sector, Windows pads the space left over with data from the memory of the system (Bell, 2005). This data, picked at random from memory, is called RAM slack. It derives its name from the memory of the computer. RAM slack stores all the information about the operations done on the computer prior to any investigation of the computer in question. This information is useful to a forensic investigator. It is stored in the file slack of the computer (Bell, 2005). RAM slack concerns only the last sector of a file. If more sectors are required to fill out the block size of the last cluster allocated to the file, then another kind of slack is created. This slack is known as drive slack.
The difference between RAM slack and drive slack is that the former emanates from the memory of the computer, while the latter contains what was previously saved on the storage device (Bell, 2005). This data could contain the remnants of previously erased files or data from the format pattern on the storage disk. When a file is stored on the disk, file slack is created. On the other hand, when a file is erased in any Windows environment, the information held in RAM slack and drive slack remains in the cluster that was previously allocated to the end of the erased file (Bell, 2005). Understanding file slack is very important in computer-related investigations. File slack stores data maliciously fragmented from the computer. It also contains crucial data such as previous e-mails, passwords and other sensitive data (Bell, 2005). This data can help computer forensics experts in conducting their investigations into computer-related crimes.
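The RAM slack and drive slack described above can be modelled on a toy volume. The following is an added example, not part of the original paper; it assumes 512-byte sectors and 8 sectors per cluster, uses constructed file contents, and fills RAM slack with zero bytes as a stand-in for whatever the operating system writes there.

```python
SECTOR = 512                 # bytes per sector (assumed)
SECTORS_PER_CLUSTER = 8      # assumed: 4 KiB clusters
CLUSTER = SECTOR * SECTORS_PER_CLUSTER


def slack_layout(file_size):
    """Return (ram_slack, drive_slack) byte counts in the file's last cluster."""
    if file_size == 0:
        return 0, 0
    used = file_size % CLUSTER or CLUSTER       # bytes used in the last cluster
    ram_slack = -used % SECTOR                  # rest of the last written sector
    drive_slack = CLUSTER - used - ram_slack    # whole sectors never rewritten
    return ram_slack, drive_slack


def write_file(volume, cluster_no, data, pad=b"\x00"):
    """Store data starting at cluster_no. Disks are written in whole sectors,
    so the tail of the last sector is filled with `pad` (the RAM-slack stand-in)."""
    ram_slack, _ = slack_layout(len(data))
    payload = data + pad * ram_slack
    start = cluster_no * CLUSTER
    volume[start:start + len(payload)] = payload


def read_slack(volume, cluster_no, file_size):
    """Return (ram_slack_bytes, drive_slack_bytes) that follow the file's data."""
    ram_slack, drive_slack = slack_layout(file_size)
    end = cluster_no * CLUSTER + file_size
    ram_end = end + ram_slack
    return bytes(volume[end:ram_end]), bytes(volume[ram_end:ram_end + drive_slack])


def demo():
    volume = bytearray(CLUSTER * 4)             # constructed toy volume
    # Constructed "old" file: 3015 bytes, so it spans six sectors of cluster 1.
    old = b"OLD-HEADER".ljust(3000, b".") + b"END-OF-OLD-FILE"
    write_file(volume, 1, old)
    # Deleting the old file only frees cluster 1; its bytes stay on the disk.
    new = b"new short note"                     # 14 bytes, reuses cluster 1
    write_file(volume, 1, new)
    return read_slack(volume, 1, len(new))


if __name__ == "__main__":
    ram, drive = demo()
    print(len(ram), len(drive), b"END-OF-OLD-FILE" in drive)
```

The new 14-byte file rewrites only the first sector of the cluster, so the start of the old file is gone while its tail is still readable in the drive slack.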
When files are erased or deleted in Microsoft Windows, whether by mistake or with malicious intent, the information stored in the file is not completely lost. Complete loss happens only when specific software is used. Unallocated storage space is the place where any deleted or erased file remains (Bell, 2005). The same applies to file slack that may have been attached to the file prior to deletion. The data that remains can be discovered with sophisticated data recovery tools and software utilities used in computer forensics. Unallocated file space and file slack provide a critical source of information for any computer forensics examiner. Hard disk drives are the major storage devices in computers. The data stored on these disks can be retrieved with sophisticated computer forensics software (Bell, 2005). Computer forensics evidence is beneficial to attorneys, because it can determine whether they win or lose the case. Computer forensics-based evidence can prove to be the last resort in the event that witnesses forget the facts as they unfolded (Bell, 2005).
In summary, computers are devices that have made modern-day activities quicker and more efficient. Communication is faster using computers, and the manipulation and processing of data are efficient. Computers have also enhanced the way we store data. Computers are designed and installed with programs for processing and storing data. Microsoft Windows is software created to perform various functions. Computer hard disk drives are used for data storage. However, computers have brought with them complicated crimes whose investigation requires a deep understanding of how computers store data. Computer forensics can be used in investigating computer crimes, especially those relating to information deleted or erased from computers. Therefore, computer forensics experts need to understand how data or information is stored in computers (Bell, 2005).
In a nutshell, slack space and unallocated space are the most important areas where deleted or erased data or files can be found. Therefore, file slack provides useful information in computer forensics. Computer forensics professionals can use their tools to discover information that contains details about what took place on the computer, such as Web sites that were visited by the user, e-mails sent and received, Internet transactions that were made, photographs that were made using the device, and documents that were modified or accessed. Whether the data was stored on the computer drives or not, this information can be recovered, thanks to computer forensics technology. This has been made possible because the engine for accessing Web sites keeps track of all the sites visited by the computer user.
Bell, C. (2005). The world leader in computer forensics. Web.
Steen, S. & Hassell, J. (2004). Computer Forensics 101; Electronic Evidence Retrieval, LLC. Web.