SLACK SPACE
Slack Space is the space that was used by the file, but the space is used, is not spent entirely for storing data.
Slack space refers to portions of a hard drive that are not fully
used by the current allocated file and which may contain data from a
previously deleted file.
Illustration of slack space on a hard drive
UNALLOCATED SPACE
Unallocated space is simply defined as the area or space on the hard drive of the computer that is available to write data to.
Clusters of a media partition not in use for storing any active files. They may contain pieces of files that were deleted from the file partition but not removed from the physical disk
The unallocated space is not viewable to the typical computer user and
requires specialized computer forensic software to view and analyze.
Unallocated space can contain deleted files or partially deleted files.
When a file is deleted, the pointers to the file are removed, but the
data remains in unallocated space until such time as the operating
system stores another file in the same space, thereby over-writing the
data.
Example :
If the operating system writes a file to a certain space on the hard
drive that part of the drive is now “allocated”, as the file is using it
the space, and no other files can be written to that section. If that
file is deleted then that part of the hard drive is no longer required
to be “allocated” it becomes unallocated. This means that new files can
now be re-written to that location.On a standard, working computer, files can only be written to the unallocated space.
If a newly formatted drive is connected to a computer, virtually all of the drive space is unallocated space (a small amount of space will be taken up by files within the file system, e.g $MFT, etc). On a new drive the unallocated space is normally zeros, as files are written to the hard drive the zeros are over written with the file data
MAGIC NUMBER
Magic numbers are common in programs across many operating
systems. Magic numbers implement strongly typed data and are a form of
in-band signaling
to the controlling program that reads the data type(s) at program
run-time. Many files have such constants that identify the contained
data. Detecting such constants in files is a simple and effective way of
distinguishing between many file formats and can yield further run-time
information.
Magic Number Chart
Here are a few magic numbers, These are of
image files.
File type
|
Typical
extension |
Hex digits
xx = variable |
Ascii digits
. = not an ascii char |
Bitmap format
|
.bmp
|
42 4d
|
BM
|
Office2007 Documents
|
.xlsx
|
50 4B 03 04 14 00
06 00
|
PK
|
GIF Format
|
.gif
|
47 49 46 38
|
GIF8
|
MP3
|
.mp3
|
49 44 33
|
ID3
|
PDF
|
.PDF
|
25 50 44 46
|
%PDF
|
JPEG File Interchange
Format
|
.jpg
|
ff d8 ff e0
|
....
|
NIFF (Navy TIFF)
|
.nif
|
49 49 4e 31
|
IIN1
|
PM format
|
.pm
|
56 49 45 57
|
VIEW
|
PNG format
|
.png
|
89 50 4e 47
|
.PNG
|
Postscript format
|
.[e]ps
|
25 21
|
%!
|
Sun Rasterfile
|
.ras
|
59 a6 6a 95
|
Y.j.
|
Targa format
|
.tga
|
xx xx xx
|
...
|
TIFF format (Motorola
- big endian)
|
.tif
|
4d 4d 00 2a
|
MM.*
|
TIFF format (Intel -
little endian)
|
.tif
|
49 49 2a 00
|
II*.
|
X11 Bitmap format
|
.xbm
|
xx xx
|
|
XCF Gimp file
structure
|
.xcf
|
67 69 6d 70 20 78 63
66 20 76
|
gimp xcf
|
Xfig format
|
.fig
|
23 46 49 47
|
#FIG
|
Tidak ada komentar:
Posting Komentar