INTRODUCTION TO COMPUTER FORENSICS


Computer forensics is a branch of digital forensics that examines digital media with the aim of identifying, recovering, analyzing and presenting facts and opinions about the information.


Slack space, sometimes referred to as file slack, is the area between the end of a file and the end of the last cluster or sector used by that file. This area will not be used again to store information, so it is "wasted". Slack space is common in file systems that use a large cluster size, while a file system that uses a small cluster size can organize the storage media more effectively and efficiently. The amount of wasted disk space can be estimated by multiplying the number of files (including the number of directories) by half the size of a cluster. For example, a personal computer that stores 10 000 files in a file system that uses a cluster size of 4 kilobytes will have approximately 10 000 x 2 KB = 20 000 KB of slack space. On a large file server, slack space can even reach tens of gigabytes.



Unallocated Space
Unallocated space is available disk space that is not allocated to any volume. The type of volume that you can create on unallocated space depends on the disk type. On basic disks, you can use unallocated space to create primary or extended partitions. On dynamic disks, you can use unallocated space to create dynamic volumes.


 1. dd - command used to copy from an input file or device to an output file or device. Simple bitstream imaging.
 2. sfdisk and fdisk - used to determine the disk structure.
 3. grep - search files (or multiple files) for instances of an expression or pattern.
 4. The loop device - allows you to associate regular files with device nodes. This will then allow you to mount a bitstream image without having to rewrite the image to a disk.
 5. md5sum and sha1sum - create and store an MD5 or SHA hash of a file or list of files (including devices).
 6. file - reads a file's header information in an attempt to ascertain its type, regardless of name or extension.
 7. xxd - command line hexdump tool. For viewing a file in hex mode.
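
A short session that ties several of the tools above together (dd, sha1sum, grep, xxd) on a constructed 64 KiB image. This is an added example, not part of the original post: the file names, the marker string and its offset are made up for illustration, and the loop-device mount is left out because it needs root.

```bash
#!/bin/sh
# Added example: every path, the keyword and the offset are constructed.
set -eu

WORK=$(mktemp -d)            # scratch directory standing in for evidence storage
trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/evidence.raw"     # constructed stand-in for a source device
IMG="$WORK/image.dd"         # bitstream copy that gets analysed

# Build the constructed "device": 64 KiB of zeros with a marker at byte 5000.
make_sample() {
    dd if=/dev/zero of="$SRC" bs=512 count=128 2>/dev/null
    printf 'ransom note draft' | dd of="$SRC" bs=1 seek=5000 conv=notrunc 2>/dev/null
}

# Image the source with dd, then confirm the copy is bit-identical via SHA-1.
# Returns 0 when both hashes match, non-zero otherwise.
image_and_verify() {
    dd if="$SRC" of="$IMG" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(sha1sum "$SRC" | cut -d' ' -f1)
    img_hash=$(sha1sum "$IMG" | cut -d' ' -f1)
    echo "$img_hash  $(basename "$IMG")" > "$IMG.sha1"   # store the hash beside the image
    [ "$src_hash" = "$img_hash" ]
}

# Print the decimal byte offset of the first keyword hit in the raw image.
# -a: treat binary as text, -b: print byte offset, -o: print only the match.
find_offset() {
    LC_ALL=C grep -abo -- "$1" "$IMG" | head -n 1 | cut -d: -f1
}

# Hex view of 32 bytes starting at the given offset (od if xxd is not installed).
dump_at() {
    if command -v xxd >/dev/null 2>&1; then
        xxd -s "$1" -l 32 "$IMG"
    else
        od -A d -t x1 -j "$1" -N 32 "$IMG"
    fi
}

make_sample
if image_and_verify; then echo "hash verified: $(cat "$IMG.sha1")"; fi
OFFSET=$(find_offset 'ransom note')
echo "keyword found at byte offset $OFFSET"
dump_at "$OFFSET"
```

Against a real device the same steps apply with the device node as `if=`, and the stored hash is recomputed later to show the image has not changed.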



