latent data (ambient data)

Contributor(s): Matthew Haughn

Latent data, also known as ambient data, is the information in computer storage that is not referenced in file allocation tables and is generally not viewable through the operating system (OS) or standard applications.

Latent data is found in the combined remaining information content on the computer from deleted files in unallocated space, swap files, print spooler files, memory dumps, the slack space of existing files and temporary cache.

Latent data is used in the recovery of files lost due to user errors, unforeseen program operations or malicious activity such as ransomware. This hidden information is also used in computer forensics to retrieve files that have been deleted. In either case, special software is required.

Understanding how latent data remains on a hard drive requires some knowledge about how information is stored on computers that have hard disk drives. Such computers store data magnetically through read/write heads in a sealed unit on a circular, spinning, metallic disk or stack of disks called platters. Each platter is composed of logically defined sections called sectors and divided further into clusters.

By default, most OS clusters are configured to hold no more than 512 bytes of data. If a text file that is 400 bytes is saved to disk, a 512-byte cluster will have 112 bytes of extra space left over. When the computer's hard drive is brand new, the space in a cluster that is not used is blank, but that changes with use. When a file is deleted, the operating system doesn't erase the file but just makes the cluster the file occupied available for reallocation. What is actually deleted is a reference to the file in a record similar to a table of contents for the hard drive: the file table. Should a new file that is only 200 bytes be allocated to the original sector, the cluster's slack space will now contain 200 bytes, some of which could be leftover data from the first file, in addition to the original 112 bytes of extra space.

That leftover data in the slack space can provide investigators with clues as to prior uses of the computer in question as well as leads for further inquiries. It may have small files available for data recovery as well as pieces of larger files that span multiple clusters. This is also true of the swap file an operating system uses for virtual memory, which is generally only accessible to the OS.
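The 400-byte and 200-byte scenario described above, modelled as an added example that is not part of the original definition: a constructed toy disk with one file per 512-byte cluster, assuming the OS overwrites only the bytes the new file needs. `ToyDisk`, `residue` and the sample file contents are hypothetical names and data made up for illustration.

```python
CLUSTER_SIZE = 512  # bytes per cluster, the figure used in the text


class ToyDisk:
    """Constructed model: one file per cluster, not a real filesystem."""
    def __init__(self, clusters):
        self.data = bytearray(clusters * CLUSTER_SIZE)  # new drive: all blank
        self.file_table = {}  # name -> (cluster index, file length)

    def write(self, name, content):
        if len(content) > CLUSTER_SIZE:
            raise ValueError("toy model stores at most one cluster per file")
        used = {c for c, _ in self.file_table.values()}
        total = len(self.data) // CLUSTER_SIZE
        cluster = next(c for c in range(total) if c not in used)
        start = cluster * CLUSTER_SIZE
        # Assumption: only the bytes the file needs are overwritten.
        self.data[start:start + len(content)] = content
        self.file_table[name] = (cluster, len(content))

    def delete(self, name):
        # Only the file table reference is removed; the cluster keeps its bytes.
        del self.file_table[name]

    def slack(self, name):
        """Bytes between the end of the file and the end of its cluster."""
        cluster, length = self.file_table[name]
        start = cluster * CLUSTER_SIZE
        return bytes(self.data[start + length:start + CLUSTER_SIZE])


def residue(slack_bytes):
    """Non-blank leading part of the slack: data left by an earlier file."""
    return slack_bytes.rstrip(b"\x00")


def demo():
    disk = ToyDisk(clusters=4)
    first = (b"Q3 payroll draft; " * 23)[:400]   # constructed 400-byte file
    disk.write("old.txt", first)
    disk.delete("old.txt")                       # cluster 0 is free again
    disk.write("new.txt", b"N" * 200)            # 200-byte file reuses cluster 0
    slack = disk.slack("new.txt")
    return first, slack, residue(slack)


if __name__ == "__main__":
    first, slack, left = demo()
    print(len(slack), "bytes of slack;", len(left), "bytes of old file:", left[:36])
```

The new file's directory entry reports 200 bytes, yet the last 200 bytes of the deleted file are still readable in the same cluster, followed by the 112 bytes that were never written.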

To recover latent data from a computer, the drive it is on should not be used. In fact, if it is the OS drive, you should avoid even booting up the computer, because for every new file or change to a file, latent data can be lost. With most operating systems, the simple act of booting a computer changes hundreds of files. The tools of government organizations are said to be able to read even traces of overwritten files.

This was last updated in December 2016
