Unallocated Space

The file system divides a partition into clusters and tracks which clusters are in use. Every cluster is either allocated (assigned to a current file or to file system structures) or unallocated (available for future allocation). Unallocated space is the sum of all currently-unassigned clusters on the partition.¹

The two-state model

From the file system’s perspective, the contents of a partition divide into:

• Allocated space: clusters currently assigned to active files (documents, photos, applications), file system structures (the MFT on NTFS, allocation tables on FAT, inodes on ext4), and reserved areas (journals, snapshots).
• Unallocated space: clusters that are not currently assigned to anything. This includes both never-used clusters and clusters that were previously assigned to files but were released by deletion.

The Bit-x-Bit forensic insights summary captures the recovery-relevant aspect: “Unallocated space on the computer is where deleted documents, file system information, and other electronic artifacts reside on the hard drive, which is often able to be recovered and analyzed through a forensic investigation.”²

How the file system tracks allocation

Different file systems track allocation differently:

• NTFS uses a cluster bitmap ($Bitmap) where each bit represents whether a cluster is in use. The bitmap is read on mount to determine which clusters are available for new files.
• FAT32 and exFAT use the File Allocation Table itself, where each entry corresponds to a cluster and contains either a “next cluster” pointer (allocated, part of a file’s chain) or a marker indicating the cluster is free.
• ext4 uses block group descriptors with bitmaps similar to NTFS, plus inode tables that record which inodes are in use.
• APFS uses a more complex copy-on-write structure where allocation is tracked via container-level structures rather than a simple bitmap.

In every case, the allocation tracker can be read to identify which clusters are unallocated, and recovery software typically uses this information as the starting point for finding deleted files.

Free space vs unallocated space

The two terms are often used interchangeably but have a subtle technical distinction:

• Unallocated space is the file system’s view of clusters not assigned to any file.
• Free space is typically the operating system’s user-facing report, calculated from unallocated space minus various overheads.

In most cases the two values are the same. Differences can arise from file system overhead (cluster bitmaps, journal areas, reserved space) that the OS counts differently than the underlying file system structures, snapshot mechanisms that hold space reserved even when the OS reports it free, or compression on file systems that support it. For data recovery purposes, unallocated space is the more precise concept because it directly maps to where recoverable data actually lives.

Unallocated space and slack space are the two territories on a drive where residual data from previously deleted files can persist. They’re related but structurally different, and recovery techniques and yields differ between them.³

Side-by-side comparison

Concern	Unallocated space	Slack space
What it is	Entire clusters not assigned to any file	Unused bytes within an allocated cluster
Cluster ownership	No current owner	Has a current owner (the allocated file)
Typical size	Megabytes to gigabytes total	Bytes to kilobytes per file
Recovery yield	Often complete or near-complete files	Typically fragments only
Recovery technique	Signature scanning, file system reconstruction	Cluster-tail scanning, fragment extraction
Consumer software priority	Primary recovery target	Secondary or fallback only
Forensic priority	High; primary data source	High; supplementary data source
Cleared by	New file allocations, TRIM on SSDs, free-space wipers	File overwrite within cluster, full-disk overwrite

Why both matter for forensics

Forensic analysis examines both unallocated space (for deleted files that haven’t been overwritten) and slack space (for fragments of overwritten files and metadata of deleted files). Tools like X-Ways Forensics, EnCase, and Autopsy include scanning of both as standard. The HC Cybersecurity practitioner documentation notes that “we can often recover the remaining fragments from the unallocated space, which may still contain crucial text, passwords, or data points” even when partial overwriting has occurred.

Why unallocated dominates consumer recovery

For consumer recovery (recovering a file the user wants back), unallocated space is the dominant source because most user-facing recovery scenarios involve recently deleted files whose entire content sits in unallocated clusters that haven’t been reused yet. Recovery from unallocated space typically yields full files; recovery from slack space yields fragments that rarely reconstitute into usable originals. Consumer recovery software prioritizes unallocated space scanning accordingly.

Several actions produce unallocated space, with very different recovery implications.⁴

File deletion (most common)

When a user deletes a file, the file system marks the clusters that held the file’s content as unallocated. The deletion itself is a fast bookkeeping operation; the file’s data isn’t actually erased. The clusters are now available for new allocations, but until something writes to them, they retain the deleted file’s content. This is the source of most successful recovery scenarios: recently deleted files persist intact in unallocated clusters for some period before reallocation.

Quick format

A quick format reinitializes the file system structures (MFT, allocation tables, root directory) but does not zero or overwrite the data area of the partition. Every cluster outside the file system structures is marked as unallocated, regardless of what it previously contained. The data area of a quick-formatted partition contains the entire previous file system’s content sitting in unallocated clusters, recoverable until the new file system starts writing over it. This is why “I quick-formatted by mistake, can I recover my files?” usually has a hopeful answer.

Full format

A full format does zero (or in some cases test) every sector on the partition during formatting. The result is that unallocated space contains zeros rather than previous file content. Full format takes much longer than quick format (hours for a multi-TB drive) but produces a clean unallocated area. Recovery from a fully-formatted partition is typically not feasible because the data has been overwritten as part of the format process.

Partition deletion or resize

Deleting a partition removes its file system structures from the partition table but doesn’t touch the partition’s data area. The space becomes unallocated at the disk level. Resizing a partition smaller produces unallocated space at the partition’s new boundary; the released area’s content remains until something writes to it. Partition-level operations can produce gigabytes of unallocated space containing whole previous file systems, recoverable with appropriate tools.

Never-allocated provisioning

When a brand new partition is formatted, the data area starts as unallocated space that has never held any data. Reading these clusters returns whatever was previously on the physical storage (zeros for a new drive, or remnants of any previous formatting on a reused drive). For recovery purposes, never-allocated space is generally not interesting because it doesn’t contain user data, but it’s part of the unallocated space accounting.

SSD garbage collection state

For SSDs, unallocated space has an additional dimension. From the file system’s perspective, certain clusters are unallocated. From the SSD controller’s perspective, the underlying NAND blocks may be in any of several states: written-and-mapped, written-but-unmapped (after TRIM), erased and ready for write, or in pending-erase state. The SSD’s internal state determines what chip-off recovery would actually find, but the file system’s allocation state is what matters for software-based recovery.

The contents of unallocated space depend on what the drive has been used for and what’s happened since deletion. The Pen Test Partners forensic documentation notes that “unallocated space retains remnants of deleted files, metadata, logs, caches, and other artefacts.”⁵

Common contents

Forensic analysis and recovery work typically find a combination of:

• Complete deleted files: recently deleted files whose clusters haven’t been reallocated. The most useful category for ordinary recovery; fully recoverable as long as the file system metadata or file signatures can be matched.
• Partial deleted files: files whose clusters have been partially reallocated. The unwritten portions persist; the rewritten portions are gone. The Eclipse Forensics example notes that file carving from unallocated space typically yields incomplete files because operating systems gradually reuse the space.
• Browser artifacts: history records, cache files, downloaded files, cookies. Browsers create and delete many small files as part of normal operation; their previous incarnations often live in unallocated space.
• Email and database fragments: deleted email databases, exported data files, log files that have been rotated out.
• Application data: caches that have been cleared, temporary files that have been removed, application logs.
• Operating system artifacts: Windows Update remnants, Recycle Bin metadata for items emptied, system restore data.
• Previously deleted partitions: entire file systems’ worth of data when partition operations have produced large unallocated regions.
• Anti-forensic tool remnants: evidence that someone attempted to delete or hide content, sometimes preserved in cluster regions the tool didn’t reach.

A 30% data loss statistic

The Eclipse Forensics summary cites a study that “a whopping 30% of computer users experience significant data loss at least once.” Most of these data loss events involve files that end up in unallocated space; the recovery question is whether attempts to retrieve them are made before reallocation closes the window.

Tool size discrepancies

Different forensic tools sometimes report unallocated space sizes that differ slightly. The ScienceDirect reference cites a specific case: “On the hard drive used in the investigative scenario for this chapter, the amount of unallocated space reported by EnCase is 16,606,420,992 bytes whereas other forensic tools like X-Ways report it as 16,607,297,536 bytes.” The 876,544-byte difference reflects how each tool handles reserved space, file system overhead, and edge cases like partial clusters. The differences don’t usually affect recovery outcomes but matter for forensic documentation where exact accounting is required.

What gets overwritten first

When the operating system needs to allocate new clusters, the order in which it consumes unallocated space affects which deleted files get overwritten first. File system allocation algorithms vary:

• NTFS tends to allocate new files into the largest contiguous unallocated region available, which can preserve smaller deleted files in fragmented unallocated regions.
• ext4 uses a combination of strategies including delayed allocation that may produce different patterns.
• SSDs with TRIM may have proactively cleared deleted clusters before allocation even matters; the controller’s wear-leveling decisions further complicate the picture.

Recovery from unallocated space is the central activity of consumer-tier recovery software and a major component of forensic acquisitions. Several techniques apply.

File system reconstruction

The first technique most recovery tools apply is reading the file system’s residual records of recently deleted files. NTFS retains deleted MFT records until the records are reused; FAT retains directory entries with the first character marked deleted; ext4 retains some inode information until reused. When these records are still intact, recovery software can locate the file’s clusters in unallocated space and read them directly, producing complete files with original filenames, paths, and timestamps. This technique works for recently deleted files where the file system’s bookkeeping hasn’t yet been overwritten.

Signature-based scanning (file carving)

File carving scans unallocated space for known file signatures: JPEG headers (FF D8 FF), PDF markers (%PDF), ZIP signatures (PK\x03\x04), and many others. When a signature is found, the carving tool reads forward from the signature location, attempting to reconstruct a file from the unallocated bytes. The output is typically:

• Complete files when the entire file’s clusters remain intact in unallocated space.
• Incomplete files when some clusters have been reallocated but the start (signature) and a portion of content remain.
• Files with generic names like “recovered_001.jpg” because the original filename isn’t recoverable through carving alone (it lived in the file system metadata, not in the file content).
• Multiple file types from a single carving pass, since the tool searches for many signatures simultaneously.

Tools for unallocated space recovery

The ScienceDirect reference identifies the standard tools: “File carving tools like Foremost, Scalpel, DataLifter, and PhotoRec scour unallocated space for characteristics of certain file types in an effort to salvage deleted files.” Beyond these:

• Consumer recovery software (Disk Drill, Recuva, EaseUS Data Recovery Wizard, Stellar Data Recovery) uses unallocated space scanning as the primary recovery mechanism.
• Professional forensic tools (EnCase, FTK, X-Ways, Autopsy, Belkasoft X) include unallocated space analysis as standard features with deeper analysis options.
• Open-source tools (PhotoRec, Foremost, Scalpel, TestDisk) provide command-line access to file carving from unallocated space.

Mounting unallocated space as a logical volume

The Pen Test Partners documentation describes a technique used in forensic analysis: extracting unallocated space from a forensic image and mounting it as a logical volume. This allows forensic tools to interact with the data as if it were a live file system, enabling more efficient searching and analysis than scanning raw binary data. Mounting provides a structured view into otherwise raw binary content, making it easier to locate recoverable files and understand how they were used.

SSD recovery and TRIM

For SSDs with TRIM enabled, unallocated space recovery is much harder. The HC Cybersecurity documentation captures the practical reality: “If TRIM has executed, the unallocated space is actively wiped by the drive’s controller. Immediate disconnection of the drive after data loss is critical to prevent TRIM from destroying the remnants.” Recovery odds drop dramatically once TRIM has had time to run; on a typical TRIM-enabled SSD, the recovery window from unallocated space may be measured in minutes rather than days.

Recovery completeness expectations

The ScienceDirect reference shows a typical real-world recovery scenario: “About 90 percent of the picture is back from the unallocated space, the software could not get all of it. This is very common when doing file carving because the operating system will eventually use the space on the hard drive for new files and overwrite all or part of any file that was previously deleted.” Partial recovery (90%, 70%, 50% of original content) is more common than complete recovery, especially for older deletions where some clusters have been reallocated. JPEG files with partial recovery may show partial images; documents may be missing pages; videos may play partially before becoming corrupted.