Browse Definitions :
Definition

latent data (ambient data)

Latent data, also known as ambient data, is the information in computer storage that is not referenced in file allocation tables and is generally not viewable through the operating system (OS) or standard applications.

Latent data is found in the combined remaining information content on the computer from deleted files in unallocated space, swap files, print spooler files, memory dumps, the slack space of existing files and temporary cache.

Latent data is used in the recovery of files lost due to user errors, unforeseen program operations or malicious activity such as ransomware. This hidden information is also used in computer forensics to retrieve files that have been deleted. In either case, special software is required.

Understanding how latent data remains on a hard drive requires some knowledge about how information is stored on computers that have hard disk drives. Such computers store data magnetically through read/write heads in a sealed unit on a circular, spinning, metallic disk or stack of disks called platters. Each platter is composed of logically defined sections called sectors and divided further into clusters.

By default, most OS clusters are configured to hold no more than 512 bytes of data. If a text file that is 400 bytes is saved to disk, a 512-byte cluster will have 112 bytes of extra space left over. When the computer’s hard drive is brand new, the space in a cluster that is not used is blank, but that changes with use. When a file is deleted, the operating system doesn't erase the file but just makes the cluster the file occupied available for reallocation. What is actually deleted is a reference to the file in a record similar to a table of contents  for the hard drive: the file table. Should a new file that is only 200 bytes be allocated to the original sector, the cluster’s slack space will now contain 200 bytes, some of which could be leftover data from the first file in addition to the original 112 bytes of extra space.

That leftover data in the slack space can provide investigators with clues as to prior uses of the computer in question as well as leads for further inquiries. It may have small files available for data recovery as well as pieces of larger files that span multiple clusters. This is also true of the swap file an operating system uses for virtual memory that has is generally only accessible to the OS.

To recover latent data from a computer, the drive it is on should not be used. In fact, if it is the OS drive, you should avoid even booting up the computer, because for every new file or change to a file, latent data can be lost. In the simple act of booting a computer,with most operating systems hundreds of files are changed. The tools of government organizations are said to be able to read even traces of overwritten files.

This was last updated in December 2016

Continue Reading About latent data (ambient data)

SearchCompliance
  • OPSEC (operations security)

    OPSEC (operations security) is a security and risk management process and strategy that classifies information, then determines ...

  • smart contract

    A smart contract is a decentralized application that executes business logic in response to events.

  • compliance risk

    Compliance risk is an organization's potential exposure to legal penalties, financial forfeiture and material loss, resulting ...

SearchSecurity
  • cyberterrorism

    According to the U.S. Federal Bureau of Investigation, cyberterrorism is any 'premeditated, politically motivated attack against ...

  • biometrics

    Biometrics is the measurement and statistical analysis of people's unique physical and behavioral characteristics.

  • privileged access management (PAM)

    Privileged access management (PAM) is the combination of tools and technology used to secure, control and monitor access to an ...

SearchHealthIT
SearchDisasterRecovery
  • What is risk mitigation?

    Risk mitigation is a strategy to prepare for and lessen the effects of threats faced by a business.

  • change control

    Change control is a systematic approach to managing all changes made to a product or system.

  • disaster recovery (DR)

    Disaster recovery (DR) is an organization's ability to respond to and recover from an event that affects business operations.

SearchStorage
  • PCIe SSD (PCIe solid-state drive)

    A PCIe SSD (PCIe solid-state drive) is a high-speed expansion card that attaches a computer to its peripherals.

  • VRAM (video RAM)

    VRAM (video RAM) refers to any type of random access memory (RAM) specifically used to store image data for a computer display.

  • virtual memory

    Virtual memory is a memory management technique where secondary memory can be used as if it were a part of the main memory.

Close