Saturday, March 17, 2012

Slack Space

Again, in this post I'll try to explain a thing that related to Computer Digital Forensic that is Slack Space. 

In a Storage Device when a file is saved, it is stored in the beginning of a cluster. Cluster itself is like a directory in the storage. It consist of some sectors. Imagine a House fully contained with 50 cupboards that have 4 drawers each..
Get it?  :D
Lets say that this house is the harddisk, the cupboards is the cluster, while the drawers on each cupboard is the sector. So, we can say that this harddisk have 50 cluster and 4 sector on each cluster.
cmiiw..  :)

And then, what would we do to make or files to be well-organized in this cupboard? Of course placing our things separately based on its category. For example, books in the first drawer, shirts in the second drawer and shorts in the third drawer. Lets say that these three drawers is already full. You want to store your most precious toy in the last drawer, to make the toy doesn't damaged you only store it alone inside the last drawer, away from the other toy. Of course there is a lot of space inside the drawer, but although it leave a lot of space you don't want to fill it with other things. That space is called Slack Space.

Same thing on the Storage device. On some filesystem, this slack space can't be used to store the next data because it used cluster unit as its smallest unit.

In the example above, we stored a 768 bytes file named User_File.txt. It only require sector 1 and half of the second sector in the cluster. Depends on the OS, the remaining 256 bytes in the sector 2 might be filled with dummies like 1's or 0's or even simply left intact. Both sector 3 and 4 that contains nothing would not be overwritten and that is Slack Space.

If a slack space previously contained data from a deleted file, then the file could be recovered with a recovery tools or forensic tools. Additional Details, OS allocated files on a storage device using clusters. Because a cluster is the smaller allocation unit an OS can address, if a file does not utilize the full cluster, a portion of space remains still and would not be overwritten, thus might contain data from a previously deleted file. For forensic analyst, it is important to understand that slack space is considered allocated space since it is part of an allocated cluster. As such, special tools must be used to extract and analyze it. An analysis of unallocated data will not contain any slack space data.

So thats it, I hope this article helps you understand Slack Space better..  :)

"the quieter you become, the more you are able to hear.."


Post a Comment