The importance of file slack for digital forensics and EDiscovery

What is File Slack? And how does it compare to Computer Forensics?

If you have a basic understanding of computers, you know that files take up space on your hard drive. You may also understand that some files are larger than others and can range from just a few bytes to many gigabytes. What you may not know is that files actually have two file sizes: a logical size and a physical size. The reason for the two formats lies in the way the file system stores files on your hard drive. Without going into too much detail about how file systems work, the answer to this mystery lies in understanding File Slack, which is divided into two parts: Drive Slack and RAM Slack. Knowledge of File Slack is not required for everyday computing, but it does play a very important role when it comes to Digital Forensics and eDiscovery.

You may have heard the terms Sector and Cluster when referring to hard drives. At a very basic level, the industry is the smallest area on a piece of media or hard disk that can be written on. These sectors are then grouped into clusters that make up the allocation units on the disk. On Windows systems, the sector has a fixed size of 512 bytes, while the cluster size is determined by the size of the disk itself. So smaller disks have small cluster sizes and vice versa. When a file is created, the file system allocates the first available clusters, depending on the logical size of the data being stored. Obviously, any file stored on a disk cannot possibly be the exact size of one or more clusters, so space remains in the last cluster. This is File Slack.

RAM Slack refers to the remaining space in the last sector of a file. Remember that clusters are the allocation units, but the file system still writes in 512-byte bits. Very rarely, a file will be an exact multiple of 512. So once the filesystem has finished writing to the last sector of a file, there will be space at the end of that sector. Before Windows 95 version B, RAM Slack was filled with random data from RAM, hence RAM Slack. This was a huge vulnerability because data in RAM could contain passwords and other sensitive data. Since then, Windows file systems write the hex key x00 to the remaining space in the last sector of a file.

Drive Slack refers to the remaining unwritten sectors in the last cluster of a file. The file system does not fill this space as with RAM Slack. The file system actually does nothing with this space. All the data that was present in those sectors before the file was written still remains even remnants of deleted files.

You can see how important File Slack is to Digital Forensics and E-Discovery. With the right set of tools and an experienced forensic investigator, like me, data stored in File Slack and Unallocated Space can be recovered.

Source by Michael T McLaughlin