Partition Gap Defined

One physical hard disk drive can be partitioned to contain one or more logical drives, and the computer user can do this with programs such as FDisk or Partition Magic. On today's large hard disk drives it is common to have multiple partitions, which can be used to store data in different logical drives, e.g., drive C:, drive D:, etc. Different partitions on the same physical hard drive can also be configured to contain different operating systems, and the possible combinations of logical drives and operating systems are almost unlimited.

When multiple partitions are involved, it is possible for gaps to exist between the partitions. These gaps are referred to as partition gaps, and they can be used for covert data storage. Partition gaps can also contain legacy data in sectors that were previously associated with data files stored on prior partitions. This can occur when physical hard disk drives are repartitioned during the upgrade of a computer. For these reasons, partition gaps can be a source of computer security risks and data hiding.

Data potentially stored in this area can be identified through a physical search of the computer hard disk drive using NTI's computer forensics search utilities, which include Text Search Plus and Text Search NT. These computer forensics tools were designed with computer security risk reviews in mind, and both have been tested and certified by the U.S. Department of Defense. They are currently used in security reviews by numerous military agencies, intelligence agencies and Fortune 1000 corporations. These issues and the use of these tools are also covered in NTI's 5 Day Computer Forensics Training Course and Computer Security Risk Course.
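An added example, not part of the original page and not one of NTI's tools: it reads the four primary entries of an MBR partition table, lists the sector ranges that no partition covers, and reports which sectors in those ranges still hold data. It goes slightly beyond the between-partition case described above by also reporting unpartitioned space before the first and after the last partition. The function names and the disk image are constructed for illustration, and the code assumes 512-byte sectors and an MBR layout without extended partitions.

```python
import struct

SECTOR = 512  # assumed sector size

def parse_mbr(mbr: bytes):
    """Return sorted (start_lba, sector_count, type) for used primary entries."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]                                 # partition type byte
        start, count = struct.unpack_from("<II", entry, 8)  # LBA start, length
        if ptype != 0 and count > 0:
            parts.append((start, count, ptype))
    return sorted(parts)

def partition_gaps(parts, total_sectors, first_usable=1):
    """Return (first_lba, last_lba) ranges not covered by any partition."""
    gaps, cursor = [], first_usable      # sector 0 holds the MBR itself
    for start, count, _ in parts:
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, start + count)  # max() tolerates overlapping entries
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps

def nonzero_sectors(image: bytes, gap):
    """List LBAs inside a gap whose contents are not all zero bytes."""
    first, last = gap
    return [lba for lba in range(first, last + 1)
            if any(image[lba * SECTOR:(lba + 1) * SECTOR])]

def build_sample_image():
    """Constructed 40-sector image: two partitions with a gap between them."""
    image = bytearray(40 * SECTOR)
    def entry(ptype, start, count):
        return bytes([0, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", start, count)
    image[446:462] = entry(0x0B, 8, 10)    # partition 1: sectors 8-17
    image[462:478] = entry(0x07, 24, 12)   # partition 2: sectors 24-35
    image[510:512] = b"\x55\xaa"           # MBR boot signature
    image[20 * SECTOR:20 * SECTOR + 11] = b"legacy data"  # residue inside the gap
    return bytes(image)

if __name__ == "__main__":
    img = build_sample_image()
    for gap in partition_gaps(parse_mbr(img[:SECTOR]), len(img) // SECTOR):
        print(gap, "non-zero sectors:", nonzero_sectors(img, gap))
```

On a real review the same logic would be run against a read-only forensic image of the drive, with the total sector count taken from the image size.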