Browse Definitions :
Definition

latent data (ambient data)

Contributor(s): Matthew Haughn

Latent data, also known as ambient data, is the information in computer storage that is not referenced in file allocation tables and is generally not viewable through the operating system (OS) or standard applications.

Latent data is found in the combined remaining information content on the computer from deleted files in unallocated space, swap files, print spooler files, memory dumps, the slack space of existing files and temporary cache.

Latent data is used in the recovery of files lost due to user errors, unforeseen program operations or malicious activity such as ransomware. This hidden information is also used in computer forensics to retrieve files that have been deleted. In either case, special software is required.

Understanding how latent data remains on a hard drive requires some knowledge about how information is stored on computers that have hard disk drives. Such computers store data magnetically through read/write heads in a sealed unit on a circular, spinning, metallic disk or stack of disks called platters. Each platter is composed of logically defined sections called sectors and divided further into clusters.

By default, most OS clusters are configured to hold no more than 512 bytes of data. If a text file that is 400 bytes is saved to disk, a 512-byte cluster will have 112 bytes of extra space left over. When the computer’s hard drive is brand new, the space in a cluster that is not used is blank, but that changes with use. When a file is deleted, the operating system doesn't erase the file but just makes the cluster the file occupied available for reallocation. What is actually deleted is a reference to the file in a record similar to a table of contents  for the hard drive: the file table. Should a new file that is only 200 bytes be allocated to the original sector, the cluster’s slack space will now contain 200 bytes, some of which could be leftover data from the first file in addition to the original 112 bytes of extra space.

That leftover data in the slack space can provide investigators with clues as to prior uses of the computer in question as well as leads for further inquiries. It may have small files available for data recovery as well as pieces of larger files that span multiple clusters. This is also true of the swap file an operating system uses for virtual memory that has is generally only accessible to the OS.

To recover latent data from a computer, the drive it is on should not be used. In fact, if it is the OS drive, you should avoid even booting up the computer, because for every new file or change to a file, latent data can be lost. In the simple act of booting a computer,with most operating systems hundreds of files are changed. The tools of government organizations are said to be able to read even traces of overwritten files.

This was last updated in December 2016

Continue Reading About latent data (ambient data)

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

-ADS BY GOOGLE

File Extensions and File Formats

SearchCompliance

  • risk assessment

    Risk assessment is the identification of hazards that could negatively impact an organization's ability to conduct business.

  • PCI DSS (Payment Card Industry Data Security Standard)

    The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to ...

  • risk management

    Risk management is the process of identifying, assessing and controlling threats to an organization's capital and earnings.

SearchSecurity

SearchHealthIT

  • telemedicine (telehealth)

    Telemedicine is the remote delivery of healthcare services, such as health assessments or consultations, over the ...

  • Project Nightingale

    Project Nightingale is a controversial partnership between Google and Ascension, the second largest health system in the United ...

  • medical practice management (MPM) software

    Medical practice management (MPM) software is a collection of computerized services used by healthcare professionals and ...

SearchDisasterRecovery

SearchStorage

  • hot plugging

    Hot plugging is the addition of a component to a running computer system without significant interruption to the operation of the...

  • M.2 SSD

    An M.2 SSD is a solid-state drive (SSD) that conforms to a computer industry specification and is used in internally mounted ...

  • kilobyte (KB or Kbyte)

    A kilobyte (KB or Kbyte) is a unit of measurement for computer memory or data storage used by mathematics and computer science ...

Close