Sectors are the smallest containers computers will use to store data. Your operating system will group sectors together into clusters, which helps speed up the read and write process. Each sector holds up to 512 kilobytes of data.

When the operating system saves a file to the hard drive, it marks the entire cluster as used, or allocated, even if the file being saved is less than the size of one sector. The difference between the allocated space and the space the file actually takes up is called slack space.

Think of a sector like using a 4-gallon bucket to store liquids:

10 ounces of water + 60 ounces of motor oil + 58 ounces of milk = 1 gallon of liquid

However, you probably wouldn’t want to store them all in the same container. To keep them from contaminating one another, you need to use 12 gallons of total storage space.

Those 11 extra gallons of space are allocated to the liquids the buckets are holding, even though each liquid uses only a fraction of its bucket's storage space.

In order to recover a deleted file, computer forensics examiners need to have an understanding of how hard drives arrange data.
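The slack space calculation described above, as an added example that is not part of the original article. It assumes a 4096-byte cluster and a constructed in-memory image, all function names are hypothetical, and it shows why slack matters to an examiner: bytes from an earlier file remain after a shorter file reuses the cluster.

```python
# Added example: slack space on a constructed in-memory "disk image".
CLUSTER_SIZE = 4096  # assumed cluster size in bytes (hypothetical value)


def allocated_size(file_size, cluster_size=CLUSTER_SIZE):
    """Bytes marked as allocated: whole clusters, rounded up."""
    if file_size < 0:
        raise ValueError("file size cannot be negative")
    return -(-file_size // cluster_size) * cluster_size  # ceiling division


def slack_size(file_size, cluster_size=CLUSTER_SIZE):
    """Allocated space minus the space the file actually takes up."""
    return allocated_size(file_size, cluster_size) - file_size


def write_file(image, first_cluster, data, cluster_size=CLUSTER_SIZE):
    """Write data at the start of a cluster; bytes past the data are untouched.

    Simplified model: some operating systems zero the rest of the last
    written sector, which this sketch does not reproduce.
    """
    start = first_cluster * cluster_size
    image[start:start + len(data)] = data


def read_slack(image, first_cluster, file_size, cluster_size=CLUSTER_SIZE):
    """Return the bytes between the end of the file and the end of its clusters."""
    start = first_cluster * cluster_size
    end = start + allocated_size(file_size, cluster_size)
    return bytes(image[start + file_size:end])


def demo():
    image = bytearray(4 * CLUSTER_SIZE)            # constructed, zero-filled image
    old = b"OLD-REPORT: quarterly figures " * 100  # constructed 3000-byte file
    write_file(image, 1, old)
    # The old file is "deleted": its cluster is marked free, its bytes stay put.
    new = b"new note\n" * 20                       # constructed 180-byte file
    write_file(image, 1, new)                      # the same cluster is reused
    slack = read_slack(image, 1, len(new))
    return len(new), len(slack), slack


if __name__ == "__main__":
    size, slack_len, slack = demo()
    print(f"file: {size} bytes, slack: {slack_len} bytes")
    print("slack begins with:", slack[:30])
```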


