With most disk operating systems there are areas of the disk that are not normally read by the file system, but that at times contain useful information, in particular as part of a forensic investigation.
The two main areas often investigated are unallocated space and slack space.
Unallocated space is fairly obvious, in that it is spare space on the disk that could be used for files. The interest in this space is that it may also have been used for files that have since been deleted, or may hold data left over from a previous incarnation of the disk.
Slack space is slightly more complex. An operating system always works in fixed chunks of data, often called clusters. A cluster may be a single sector, but is often a series of sectors, and typical clusters can be 4K, or up to 64K, in length. When a file is written, space can only be allocated in whole clusters, so there is normally spare space at the end of a file in the final cluster. As an example, if the cluster size is 32K and a 41K file is written, then 64K of space will be allocated to the file: 41K will be data, and 23K will be slack space. The contents of the slack space are not defined, but may often include previous data that was on the disk before the file was written.
NTFS disks have an additional twist to slack space. Short files can be stored within the 1K directory entry, so it is possible to have space at the end of a directory entry that contains previous short files, or partially overwritten files. CnW can recover this data for later forensic-style examination if required.
When doing disk recoveries, CnW can optionally save the slack space as individual files. In a similar way, unallocated space can also be saved, and attempts are made to identify the type of data found in the unallocated space. Thus an old picture may be saved with a .jpg extension if the start of the file conforms to the JPG file format.
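The cluster arithmetic and the signature check described above can be seen together in the following added example, which is not CnW's code. The function names, the small signature table and the in-memory "disk" are constructed for illustration, and the file is assumed to be stored contiguously.

```python
# Added illustration: names, signature table and sample volume are constructed.
K = 1024
SIGNATURES = {                      # leading bytes -> extension to save under
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"%PDF-": ".pdf",
}

def allocation(file_size, cluster_size):
    """Return (bytes allocated, bytes of slack) for a file of file_size bytes."""
    clusters = -(-file_size // cluster_size)          # ceiling division
    allocated = clusters * cluster_size
    return allocated, allocated - file_size

def extract_slack(image, first_cluster, file_size, cluster_size):
    """Bytes between the end of the file data and the end of its final cluster."""
    start = first_cluster * cluster_size
    allocated, _ = allocation(file_size, cluster_size)
    return image[start + file_size:start + allocated]

def guess_extension(data):
    """Name recovered data by its leading bytes; .bin when nothing matches."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return ".bin"

def build_sample_image(cluster_size=32 * K):
    """Constructed 4-cluster volume: clusters 0-1 hold a 41K file written over
    older data; clusters 2-3 are unallocated and still hold a deleted picture."""
    image = bytearray(4 * cluster_size)
    image[0:2 * cluster_size] = b"OLD!" * (2 * cluster_size // 4)   # previous contents
    image[0:41 * K] = b"N" * (41 * K)                               # the new 41K file
    image[2 * cluster_size:2 * cluster_size + 3] = b"\xff\xd8\xff"  # old JPG header
    return bytes(image)

if __name__ == "__main__":
    cs = 32 * K
    img = build_sample_image(cs)
    print("allocated, slack:", allocation(41 * K, cs))
    slack = extract_slack(img, 0, 41 * K, cs)
    print("slack holds:", slack[:8], "saved as", guess_extension(slack))
    print("unallocated saved as", guess_extension(img[2 * cs:]))
```

The slack region carries only the tail of the earlier data, so it rarely begins with a recognisable header; data in unallocated space is more likely to start on a cluster boundary with its signature intact.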
CnW Recovery Lewes East Sussex UK