Wikia

Definition Edit

Residual data is data from deleted files (including earlier versions of existing files and temporary files).

Residual data can often be recovered from an end user device through forensic analysis. The following items describe common forms of residual data:

Unused File Allocation Units. File systems store files in chunks known as file allocation units. Unused file allocation units are the units within a partition that are not currently being used by the file system. When a file is deleted, it is typically not erased from the media; instead, the information in the directory’s data structure that points to the location of the file is marked as deleted. This means that the file is still stored on the media but is no longer enumerated by the operating system (OS). The OS considers this to be unused space and can overwrite any portion of or the entire deleted file at any time.
Slack Space. Even if a file requires less space than the file allocation unit size, an entire file allocation unit is still reserved for the file. For example, if the file allocation unit size is 32 kilobytes (KB) and a file is only 7 KB, the entire 32 KB is still allocated to the file, but only 7 KB is used, resulting in 25 KB of unused space. This unused space is referred to as file slack space, and it may hold residual data, such as portions of deleted files.
Free Space. Free space is the area on media that is not currently allocated to a partition. This often includes space on the media where files may have resided at one point but have since been deleted. The free space may still contain residual data.