32 Locating Your Sensitive Data in Your Computer
STM is more sensitive and may damage the surface of the disk being investigated. According to Gutmann, “There [were—as of 1996], from manufacturers’ sales figures, several thousand SPM’s in use in the field, some of which have special features for analyzing disk drive platters, such as the vacuum chucks for standard disk drive platters along with specialized modes of operation for magnetic media analysis. These SPM’s can be used with sophisticated programmable controllers and analysis software to allow automation of the data recovery process. If commercially-available SPMs are considered too expensive, it is possible to build a reasonably capable SPM for about US$1,400, using a PC as a controller.” There is also a new patent on Magnetic Disk Erasers in Japan (see http://www.research.ibm.com/journal/rd/445/patents.html).
From the attacker’s perspective, an assessment is likely to be made as to the possibility of using any less expensive, alternate ways of obtaining the same data, such as those discussed in Sections 4.1 through 4.9.
To understand where and why, some minimal technical background needs to be presented first.
2.2.1 Cluster tips or slack
Windows will never write less than one cluster-full of data onto a cluster; if it only needs to write half of the cluster, it will mark where the file ends (a.k.a. the end-of-file mark). If the cluster is relatively small, the computer will usually fill out the rest of the cluster with whatever data happens to be floating about in portions of the computer’s electronic memory [a.k.a. random access memory (RAM)]. The security nightmare that results is obvious: Passwords that were manually typed and went to RAM, never intended to be immortalized for posterity on one’s disk, may well end up in this “dead space” between the end-of-file and end-of-cluster marks and stay there for the benefit of whoever can retrieve that information.
If the space between the end of file and the end of the cluster is substantial, the computer will usually not bother to write anything in that space, allowing whatever had been written there before to survive—again to the delight of the forensic investigator.
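The slack-space behaviour just described, as an added illustration that is not part of the book: a constructed toy "disk" of one 4,096-byte cluster shows how an earlier file's bytes survive in the cluster tip after a smaller file overwrites only its own length, and how zero-filling the tip removes them. The cluster size, file contents and function names are assumptions for the demonstration, not a real filesystem.

```python
# Added example (not the book's code): simulated cluster slack.
# Constructed toy disk: a bytearray of whole clusters, no real filesystem.

CLUSTER_SIZE = 4096  # assumed cluster size for the demonstration


def slack_bytes(file_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Bytes between the end-of-file mark and the end of the last cluster."""
    return (-file_size) % cluster_size


def write_file(disk: bytearray, cluster: int, data: bytes) -> None:
    """Write only the file's own bytes, leaving the rest of the cluster
    untouched: the 'substantial slack' case described in the text."""
    assert len(data) <= CLUSTER_SIZE, "toy model: one cluster per file"
    start = cluster * CLUSTER_SIZE
    disk[start:start + len(data)] = data


def read_slack(disk: bytearray, cluster: int, file_size: int) -> bytes:
    """What a forensic tool recovers from the cluster tip of this file."""
    start = cluster * CLUSTER_SIZE + file_size
    end = (cluster + 1) * CLUSTER_SIZE
    return bytes(disk[start:end])


def wipe_slack(disk: bytearray, cluster: int, file_size: int) -> None:
    """Mitigation: zero-fill the tip so earlier data cannot be recovered."""
    start = cluster * CLUSTER_SIZE + file_size
    end = (cluster + 1) * CLUSTER_SIZE
    disk[start:end] = bytes(end - start)


def demo() -> tuple:
    """Returns (secret found in slack before wipe, found after wipe)."""
    disk = bytearray(CLUSTER_SIZE)
    old = b"password=hunter2\n" * 200      # 3400 bytes, constructed sample
    write_file(disk, 0, old)               # earlier file fills most of cluster
    new = b"quarterly report\n" * 40       # 680 bytes, constructed sample
    write_file(disk, 0, new)               # smaller file reuses the cluster
    before = b"hunter2" in read_slack(disk, 0, len(new))
    wipe_slack(disk, 0, len(new))
    after = b"hunter2" in read_slack(disk, 0, len(new))
    return before, after


if __name__ == "__main__":
    print("slack after 680-byte file:", slack_bytes(680), "bytes")
    print("secret recoverable before/after wipe:", demo())
```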
(If it were, then the many undelete commands would not work.)
The portion of the disk that records which file is where merely makes a note of the fact that this particular file is no longer desired and that the space it occupies on the disk can be used in the future by other files if necessary.