In disk forensics, what is unallocated space and why is it important?

Unallocated space is the portion of a storage device that the filesystem has not assigned to any file. In disk forensics, this matters because deleted data can still reside in these sectors until they are overwritten, and a physical image captures every sector, not just those currently in use by files. When a file is deleted, the filesystem may mark its directory entry as unused and free up its data blocks, but the actual data often remains in unallocated space, allowing investigators to recover remnants through carving or by analyzing fragments, slack space, and other artifacts. However, technologies like TRIM on SSDs can automatically erase data in unallocated space, making recovery more challenging, so the imaging method and the drive type influence what can be recovered. Unallocated space is not the area used to store filesystem metadata, nor is it RAM for running processes, nor is it exclusively backups; those describe different concepts.