How do you differentiate primary data from deleted or slack space in digital forensics?

• A. Primary data is readily visible to users; deleted data and slack space reside in unallocated space and can be recovered via carving or recovery techniques.
• B. Deleted data is always unrecoverable.
• C. Slack space contains no useful information.
• D. Primary data is always encrypted.

Answer: (A)

Understanding how data is stored on a disk helps explain the distinction. Primary data refers to the files and data that the filesystem currently allocates and indexes for active use; this is the data the operating system and users access through normal paths. Slack space is the small amount of unused bytes inside an allocated storage unit (like a cluster) after a file’s actual content ends, and it can contain remnants from previous data. Deleted data, meanwhile, is data from files that has been marked as free space by the filesystem; the bytes often remain intact until new data overwrites them.

So, primary data is readily visible and accessible in allocated space and through standard file access. Deleted data and slack space lie in unallocated or partially used areas outside the active file structure and can still be recovered because the underlying bytes may persist until overwritten. Carving or other recovery techniques scan unallocated and slack space for known file signatures or patterns to reconstruct deleted or remnants of files.

That’s why this description is best: it captures both where the data resides and how it can be recovered, which is central to differentiating primary data from deleted or slack space.