Browse Definitions :
Definition

latent data (ambient data)

Contributor(s): Matthew Haughn

Latent data, also known as ambient data, is the information in computer storage that is not referenced in file allocation tables and is generally not viewable through the operating system (OS) or standard applications.

Latent data is found in the combined remaining information content on the computer from deleted files in unallocated space, swap files, print spooler files, memory dumps, the slack space of existing files and temporary cache.

Latent data is used in the recovery of files lost due to user errors, unforeseen program operations or malicious activity such as ransomware. This hidden information is also used in computer forensics to retrieve files that have been deleted. In either case, special software is required.

Understanding how latent data remains on a hard drive requires some knowledge about how information is stored on computers that have hard disk drives. Such computers store data magnetically through read/write heads in a sealed unit on a circular, spinning, metallic disk or stack of disks called platters. Each platter is composed of logically defined sections called sectors and divided further into clusters.

By default, most OS clusters are configured to hold no more than 512 bytes of data. If a text file that is 400 bytes is saved to disk, a 512-byte cluster will have 112 bytes of extra space left over. When the computer’s hard drive is brand new, the space in a cluster that is not used is blank, but that changes with use. When a file is deleted, the operating system doesn't erase the file but just makes the cluster the file occupied available for reallocation. What is actually deleted is a reference to the file in a record similar to a table of contents  for the hard drive: the file table. Should a new file that is only 200 bytes be allocated to the original sector, the cluster’s slack space will now contain 200 bytes, some of which could be leftover data from the first file in addition to the original 112 bytes of extra space.

That leftover data in the slack space can provide investigators with clues as to prior uses of the computer in question as well as leads for further inquiries. It may have small files available for data recovery as well as pieces of larger files that span multiple clusters. This is also true of the swap file an operating system uses for virtual memory that has is generally only accessible to the OS.

To recover latent data from a computer, the drive it is on should not be used. In fact, if it is the OS drive, you should avoid even booting up the computer, because for every new file or change to a file, latent data can be lost. In the simple act of booting a computer,with most operating systems hundreds of files are changed. The tools of government organizations are said to be able to read even traces of overwritten files.

This was last updated in December 2016

Continue Reading About latent data (ambient data)

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

-ADS BY GOOGLE

File Extensions and File Formats

Powered by:

SearchCompliance

  • risk management

    Risk management is the process of identifying, assessing and controlling threats to an organization's capital and earnings.

  • compliance as a service (CaaS)

    Compliance as a Service (CaaS) is a cloud service service level agreement (SLA) that specified how a managed service provider (...

  • data protection impact assessment (DPIA)

    A data protection impact assessment (DPIA) is a process designed to help organizations determine how data processing systems, ...

SearchSecurity

  • NIST Cybersecurity Framework

    The NIST Cybersecurity Framework (NIST CSF) is a policy framework surrounding IT infrastructure security.

  • Port Scan

    A port scan is a series of messages sent by someone attempting to break into a computer to learn which computer network services ...

  • DMZ (networking)

    In computer networks, a DMZ (demilitarized zone), also sometimes known as a perimeter network or a screened subnetwork, is a ...

SearchHealthIT

SearchDisasterRecovery

  • business continuity plan (BCP)

    A business continuity plan (BCP) is a document that consists of the critical information an organization needs to continue ...

  • disaster recovery team

    A disaster recovery team is a group of individuals focused on planning, implementing, maintaining, auditing and testing an ...

  • cloud insurance

    Cloud insurance is any type of financial or data protection obtained by a cloud service provider. 

SearchStorage

Close