Slack (file system)


Slack is the term for unused space inside the allocated storage of block-oriented mass storage devices. It is distinct from unallocated space. There are several types of slack.

File slack

[Figure: Composition of file slack in an 8-sector cluster]

The term file slack (literally "file offset" in the German literature; also called slack space) describes the slack found after the end of a given file.

Block-oriented mass storage devices such as hard disks generally store data in sectors of 512 bytes. To simplify administration, file systems group one or more sectors into clusters, the smallest data unit that can be assigned to a single file. A cluster size popular in many file systems is 4096 bytes, and most file systems support several cluster sizes.

If, in the extreme case, a file with a size of 1 byte is stored on a partition with a cluster size of 4096 bytes, then this file occupies an entire cluster on the hard disk, i.e. the file has a file slack of 4095 bytes. File systems such as NTFS avoid this effect by storing the contents of very small files directly in the already existing FILE record, i.e. in the metadata structure that manages the file in question.

The file slack is made up of two different types of slack: the RAM slack and the drive slack.

RAM slack

The term RAM slack should really be sector slack, as it describes the area from the end of a file to the end of the current sector. It is called RAM slack because Microsoft operating systems up to and including Windows 95A filled this area with arbitrary data from main memory. Much of the forensics literature claims this is still true of today's operating systems, but this is explicitly denied by both Brian Carrier, author of The Sleuth Kit, which is widely used in computer forensics, and Steve Bunting, a veteran investigator, instructor and author of several books on forensics.

Drive slack

The much more interesting part of the file slack is the drive slack. These are the sectors within the last cluster of a file that the file does not write to and that are therefore not overwritten. With suitable tools, plain-text fragments of files that previously existed on the partition can be read from these areas, so they receive special attention in a forensic examination.
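To make the split between RAM slack and drive slack concrete, here is an added worked example (not part of the article) in Python. It computes the slack layout for a file in an 8-sector cluster of 512-byte sectors, then simulates a modern operating system writing a small file into a cluster that previously held other data: the tail of the last written sector is zero-padded, while the remaining sectors keep their old content, which is exactly what a forensic examiner carves out of the drive slack. The "old report" bytes are constructed sample data.

```python
SECTOR = 512           # bytes per sector, as in the article
CLUSTER_SECTORS = 8    # the 8-sector cluster from the figure
CLUSTER = SECTOR * CLUSTER_SECTORS  # 4096 bytes


def slack_layout(file_size, sector_size=SECTOR, cluster_size=CLUSTER):
    """Break down the slack left by a file of file_size bytes."""
    if file_size < 0 or cluster_size % sector_size:
        raise ValueError("bad sizes")
    clusters = -(-file_size // cluster_size)          # ceiling division
    allocated = clusters * cluster_size
    file_slack = allocated - file_size                # end of file -> end of cluster
    ram_slack = (-file_size) % sector_size            # end of file -> end of its sector
    drive_slack = file_slack - ram_slack              # whole sectors never written
    return {
        "clusters": clusters,
        "file_slack": file_slack,
        "ram_slack": ram_slack,
        "drive_slack": drive_slack,
        "drive_slack_sectors": drive_slack // sector_size,
    }


def write_file_to_cluster(cluster, data, sector_size=SECTOR):
    """Simulate a modern OS storing `data` (at most one cluster) in a reused cluster.

    The sectors that hold the file are written in full: the RAM slack is
    zero-padded rather than filled with memory contents. Sectors after the
    last written one are untouched, so their old bytes survive as drive slack.
    """
    layout = slack_layout(len(data), sector_size, len(cluster))
    if layout["clusters"] > 1:
        raise ValueError("data does not fit into one cluster")
    new = bytearray(cluster)                          # start from the old contents
    new[:len(data)] = data
    new[len(data):len(data) + layout["ram_slack"]] = bytes(layout["ram_slack"])
    return new


def carve_drive_slack(cluster, file_size, sector_size=SECTOR):
    """Return the bytes of the cluster that lie in the file's drive slack."""
    layout = slack_layout(file_size, sector_size, len(cluster))
    return bytes(cluster[len(cluster) - layout["drive_slack"]:])


if __name__ == "__main__":
    old_cluster = (b"OLD SECRET REPORT " * 300)[:CLUSTER]   # constructed prior content
    new_cluster = write_file_to_cluster(old_cluster, b"hi")  # a 2-byte file on top
    print(slack_layout(2))                                   # 510 B RAM, 3584 B drive slack
    print(carve_drive_slack(new_cluster, 2)[:40])            # old report text is still there
```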

MFT slack

Because of a peculiarity of Microsoft's NTFS file system, in which at least 1024 bytes are reserved for each FILE record but a variable (usually smaller) number of them is used, the remaining bytes can hold the content of the associated file itself, provided it is small enough. If the file is later changed so that its content is stored in normal clusters (for example because it grows beyond the available space), the content previously stored directly in the FILE record can remain in the MFT slack of that record, which now again holds only metadata (and is therefore probably not completely filled), where it can be found and evaluated.

Partition slack

Partition slack is likewise unused space, but it arises not when files are saved but when partitions are created on hard drives. It describes the area from the end of a partition on a physical medium to the beginning of the next partition or the end of the medium. If other file systems previously existed on the medium, remnants of old files can, under favorable circumstances, be found in these areas, which can be of importance in forensic analysis.

References

  1. Brian Carrier: File System Forensic Analysis, Addison-Wesley (2005), p. 188.
  2. Brian Carrier: File System Forensic Analysis, Addison-Wesley (2005), pp. 187-188.
  3. Alexander Geschonnek: Computer Forensik, 3rd updated and expanded edition, dpunkt.verlag (2008), pp. 103-106.
  4. Brian Carrier: File System Forensic Analysis, Addison-Wesley (2005), p. 188 (top).
  5. Steve Bunting: EnCE: The Official EnCase Certified Examiner Study Guide, 2nd edition, Wiley Publishing Inc. (2008), p. 65.
