How to determine if there are unallocated sectors on a drive?
The 'Raw Disk Viewer' module in OSForensics can help locate unallocated sectors, allowing the user to view its raw contents. When a physical hard disk is divided into partitions, very rarely do all sectors of the disk get allocated to partitions. In other words, there are sectors in the drive that remain unallocated. These sectors are normally hidden from the end user, thus making it a prime location for hiding data. To do this, we need first identify which sectors are allocated to partitions.
Select the physical disk (without a partition) in the drop-down list. This is important as the MBR and partition table are outside of the partitioned space.
Ensure the cursor is within the first sector (Sector 0) of the disk. In the Data Interpreter window, the partition table is displayed in a readable format.
In this example, the disk contains numerous partitions. Looking at Partitions 3 & 4, there seems to be a gap between the last sector of Partition 3 and the first sector of Partition 4. This space is known as "Inter-partition space" or “Inter-partition gap”, which is often left unused. However, it is not uncommon that data of interest is found within these sectors.
Finally, verify whether or not the last partition spans to the last sector of the disk
According to the 'Disk Info' window, the total number of sectors is 488,397,168. However, the last sector of Partition 4 is 488,394,751, implying that there are unallocated sectors at the end of the disk, otherwise known as “unallocated space”.
You can use the raw disk viewer to view the raw contents of these unallocated sectors. Other methods of reviewing this content include performing hex/string searches to locate key patterns or “carving” this unallocated space in an attempt to recover any files or file fragments by using the File Carving functionality in the 'Deleted Files Search' module.