When files are stored on a computer, they are placed onto the hard drive, a key component for data storage. Whether saving a document, downloading a video, or installing software, the hard drive records and maintains this information for future use. However, many people don’t fully understand how files are organized, how space is managed, and how certain technical concepts like cache, allocated space, and unallocated space come into play.
In this blog post, we’ll explore these topics and I’ll provide a comprehensive description about file storage on a computer hard drive. This knowledge will be paramount when defending against computer crimes in the courtroom.
What is a Hard Drive?
Before diving into the details, let’s briefly cover what a hard drive is, and its basic function. A hard drive is a data storage device that uses magnetic storage to save and retrieve digital information. It consists of one or more platters (discs) where data is written and read by magnetic heads. Today, Solid-State Drives (SSDs) have become more common, which use flash memory for faster and more durable storage, but the principles of file management are similar.
How Does a Hard Drive Store Files?
When a file is saved on a hard drive, the file is broken down into smaller parts called “data blocks.” These blocks are stored in specific locations on the drive. The hard drive keeps a record of where these blocks are located so that it can retrieve the file when needed. This record is part of the drives file system, which organizes and tracts all the files on the drive.
The “Allocated” File Storage Area on a Hard Drive
“Allocated” hard drive file storage space refers to the portion of the hard drive that is actively in use for storing files. When a file is saved, the operating system allocates certain blocks of space on the drive to store the data. Each file has a specific location in allocated space, and the operating system keeps track of these locations using the file allocation tables (FAT) or similar structures, depending on the file system in use (e.g., NTFS, FAT32, exFAT).
Once space is allocated to a file, it cannot be used by other files until that file is deleted or moved. When a file is deleted, however, the space it occupied is not immediately cleared, it becomes part of the “unallocated space,” which I’ll discuss next.
The “Unallocated” File Storage Area on a Hard Drive
When a file is deleted from a computer, it isn’t actually erased (even if you don’t see it listed in a directory). Instead, the space it originally occupied on the hard drive becomes “unallocated” space. The file’s entry in the file allocation table is removed (that’s why you don’t see it listed in the directory), and the file system marks the space as being available for new data. However, the actual data (albeit not visible) remains on the drive until new files overwrite it.
Unallocated space is notably crucial to forensic data recovery because files that have been “deleted” can often still be retrieved if they haven’t been overwritten. This is why to permanently, and securely, erase data requires writing over unallocated space multiple times to ensure residual data (of the deleted files) can’t be recovered.
What is Cache?
Next, there is cache. Cache is a specialized form of storage designed to speed up access to frequently used data. While not exactly the same as a traditional file storage mechanism, cache plays a crucial role in how a computer manages files.
There are two main types of cache to be aware of:
- Disc Cache: This is a portion of the hard drive that is used to store recently or frequently accessed data. When a file gets opened, the system may store parts of that file in the disc cache to allow quicker access the next time you use it. Disc cache reduces the need to read the data from the hard drive repeatedly, which can be a slower process.
- Memory Cache (RAM Cache): This is another form of cache that resides in the computer’s Random Access Memory (RAM). It is even faster than disc cache because RAM is much faster than a hard drive. When you are working on a document or application, parts of it may be stored in the RAM cache to ensure faster response times.
Cache is temporary storage and is often automatically cleared or refreshed by the system. For example, when you restart your computer, much of the cache data will be removed, though some systems do retain certain cached data across sessions.
How Files are Deleted and Overwritten on a Hard Drive
Remember, when a file is deleted, the operating system does not immediately erase its content. Instead the system merely removes the file’s reference in the file system (i.e., the file’s “address”). The data remains in the unallocated space until new files are stored in those blocks.
If you continue to use the computer and save new files, the new data may eventually overwrite the old data in the unallocated space. However, until that happens, specialized forensic software can often recover the “deleted” file by scanning the hard drives unallocated space.
Some hard drives, especially SSDs, have a feature called TRIM that immediately clears the data when files are deleted, making forensic recovery more difficult. However, even with TRIM enabled, forensic techniques may still sometimes allow data recovery.
File Fragmentation and Defragmentation on a Hard Drive
Over time, as files are saved, deleted, and modified, parts of a single file may become scattered across various locations on the hard drive. This is known as fragmentation. When a file is fragmented, the system has to retrieve different parts of the file from multiple locations, which can slow down access times.
Defragmentation is the process of reorganizing the files on the hard drive so that the parts of each file are stored together. By consolidating the file fragments, defragmentation can improve the overall performance of the hard drive. Modern operating systems often include built-in tools for defragmenting traditional hard drives, though SSDs typically do not require defragmentation due to the nature of flash memory
The Role of File Systems for a Hard Drive
The computer’s file system plays a significant role in how data is stored, retrieved, and managed on the hard drive. Common file systems include NTFS (New Technology File System) for Windows, HFS+ (Hierarchical File System Plus) for Mac, and ext4 (Extended Filesystem 4) for Linux.
The file system organizes the hard drive’s allocated and unallocated space. It maintains the file allocation tables and manages how data is written, retrieved, and deleted. It also handles permissions and access controls, determining who can read, modify, or delete files.
Hard Drive File Recovery and Forensic Implications
Understanding the differences between allocated and unallocated space is particularly important in the context of data recovery and forensic analysis. Tools designed to recover data often scan the unallocated space for remnants of deleted files. These tools look for file fragments or entire files that haven’t yet been overwritten by new data.
For this reason, even after a file is “deleted,” it can often be restored unless the unallocated space has been thoroughly overwritten. Secure deletion tools, which repeatedly overwrite unallocated space with random data, can help ensure that deleted files are irrecoverable.
Forensic experts can also examine cache data, as well as logs and system artifacts, to piece together what files were accessed and when, even if those files were later deleted.
My Final Thoughts
When defending any type of crime associated to computer usage in the courtroom, understanding file storage on a computer hard drive is essential. By knowing the basics of how a hard drive operates, you can manage your case more effectively, and even understand how forensic experts might recover deleted data being used against the defendant.
If you, or someone you know, will be proceeding to trial, challenging an imposed sentence or pursuing any type of post-conviction relief, our book, The Colossal Book of Criminal Citations, is a crucial resource in the pursuit of justice. Our books are soft cover, institution friendly, in stock, and frequently advertised in Prison Legal News magazine. Order your copy today, or on behalf of someone incarcerated.