The Data Analysis Mode allows an investigator to view the contents of an individual data unit. Data units is a generic term used to describe the areas on the disk that are used to store data. Each file system calls the data unit a different thing (i.e. Fragments or Clusters). This mode is most useful when recovering and analyzing deleted data.
To view the contents of a specific address, enter it into the text box on the left-hand side. By default, only one data unit will be displayed. To view more than one consecutive unit, enter the number in the text box below.
It is common to extract the unallocated space from a file system image and analyze it for deleted material. The 'dls' tool in The Sleuth Kit allows one to extract the data. If interesting data is found in the 'dls' file, the next step could be to find its location in the original image and examine the surrounding data. To do this, simply calculate which data unit the data was found in (by dividing the byte offset of the interesting data by the data unit size (which can be found in Image Details)). Enter that address into the original text box and select the Unallocated type. This will find the original location and display it for you.
If Autopsy knows about the 'dls' image, then it can be loaded at any time by selecting the Load Unallocated button. Then, any data unit in that file can be examined.
The Lazarus tool was part of TCT. It analyzes a chunk of data and identifies what file type it is and tries to group consecutive types together. Lazarus numbers its output though starting with 1. Therefore, instead of subtracting 1 every time you want to view a data unit identified by Lazarus, simply select the check box.
Press the Ok button to display the contents of the address on the right-hand side of the window.
The Allocation List link displays the allocation status of addresses in intervals of 500.
After the unit address has been entered, the contents are displayed in the right-hand side. Filters can be used to view the data in the desired format (strings, hexdump, ASCII).
A report can be generated so that the contents and meta-data about it will be saved on record. To save the contents locally, press the Export Contents button. The Add Note button will allow one to add a comment about the given data unit so that it can be easily recalled later.
The file type is also displayed. This is identified by running the output through the 'file' command in The Sleuth Kit.
Autopsy will try to find the meta-data structure that allocated the unit and display both its address and a file name. This process is very slow for FAT file systems, so this process is not done by default during analysis.
The Sleuth Kit and Autopsy do not use clusters when dealing with a FAT image. Only sectors are used. The reason is because FAT does not start addressing clusters until many sectors into the file system. If clusters were used to address data units, then there would be no way to address the sectors in the FAT and secondary FAT. Therefore, sectors are used for all addresses. NTFS changed the way clusters were addressed and do not have this problem. See the documentation in The Sleuth Kit for more details.