Thursday, August 1, 2013

Forensic Artifacts - Slack

File Slack
File slack is the data between the end of the data written to a file and the end of the last cluster allocated to that file. The file system allocates whole clusters, so unless the file size is an exact multiple of the cluster size there is unused space after the file's data, and the file system does not clear it. File slack is made up of two parts, RAM slack and residual slack.


RAM Slack
RAM slack runs from the end of the file's data to the end of the sector containing it (NOT the end of the cluster). The name comes from DOS-era systems, which padded the tail of that sector with whatever happened to be in the memory buffer, so fragments of memory could end up on disk. Modern Windows zero-fills the remainder of the last sector when it writes, so on current Windows systems RAM slack holds zeros rather than residual memory contents and yields no forensic artifacts.

Residual Slack
Residual slack starts at the next sector boundary and runs to the end of the last cluster allocated to the file. The file system writes only the sectors the new data needs, so these remaining sectors still hold whatever was there before, typically the contents of a deleted file that previously occupied the cluster. This makes file slack a helpful place to look when analysing a hard drive, because the old data that the new file did not overwrite is still intact. For examples, go to:

http://www.pcguide.com/ref/hdd/file/partSizes-c.html
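As an added example (not from the original post), the script below lays out the two parts of file slack for a given file size and carves them from a constructed cluster image. The geometry is an assumption: 512-byte sectors and 4096-byte clusters. The "old cluster" contents and the 1000-byte new file are constructed sample data, and the writer function simulates both a modern zero-filling OS and a DOS-style writer that pads the last sector from a memory buffer.

```python
# Added example: file slack layout and carving on a constructed cluster image.
# Assumed geometry: 512-byte sectors, 4096-byte clusters (8 sectors/cluster).
from typing import Optional, Tuple

SECTOR_SIZE = 512
CLUSTER_SIZE = 4096


def ceil_to(n: int, unit: int) -> int:
    """Round n up to the next multiple of unit."""
    return -(-n // unit) * unit


def slack_layout(file_size: int, sector_size: int = SECTOR_SIZE,
                 cluster_size: int = CLUSTER_SIZE) -> Tuple[int, int, int]:
    """Return (ram_slack_len, residual_slack_len, allocated_len) for a file.

    RAM slack:      end of data -> end of the last sector written.
    Residual slack: the sectors after that -> end of the last cluster.
    """
    allocated = ceil_to(file_size, cluster_size)
    last_sector_end = ceil_to(file_size, sector_size)
    return last_sector_end - file_size, allocated - last_sector_end, allocated


def write_over_clusters(old: bytes, new_data: bytes, sector_size: int = SECTOR_SIZE,
                        sector_pad: Optional[bytes] = None) -> bytes:
    """Simulate an OS writing new_data into previously used clusters.

    Modern Windows zero-fills the tail of the last sector (sector_pad=None).
    DOS-era writers padded it from the I/O buffer; pass sector_pad to simulate
    that. Sectors after the last one written are never touched, so they keep
    the old contents (residual slack).
    """
    padded_len = ceil_to(len(new_data), sector_size)
    pad_len = padded_len - len(new_data)
    if sector_pad is None:
        pad = b"\x00" * pad_len
    else:
        pad = (sector_pad * (pad_len // len(sector_pad) + 1))[:pad_len]
    return new_data + pad + old[padded_len:]


def carve_slack(allocated: bytes, file_size: int, sector_size: int = SECTOR_SIZE,
                cluster_size: int = CLUSTER_SIZE) -> Tuple[bytes, bytes]:
    """Split a file's allocated run into (ram_slack, residual_slack)."""
    ram_len, residual_len, alloc_len = slack_layout(file_size, sector_size, cluster_size)
    if len(allocated) != alloc_len:
        raise ValueError(f"expected {alloc_len} bytes of allocated data, got {len(allocated)}")
    res_start = file_size + ram_len
    return allocated[file_size:res_start], allocated[res_start:res_start + residual_len]


if __name__ == "__main__":
    # Constructed sample: a cluster left behind by a deleted file, then a
    # 1000-byte file written over it by a zero-filling OS.
    old_cluster = (b"OLD-SECRET-DATA!" * 256)[:CLUSTER_SIZE]
    new_file = b"N" * 1000
    image = write_over_clusters(old_cluster, new_file)
    ram, residual = carve_slack(image, len(new_file))
    print(slack_layout(len(new_file)))   # (24, 3072, 4096)
    print(ram)                            # 24 zero bytes: nothing to recover
    print(residual[:16])                  # b'OLD-SECRET-DATA!' survives in residual slack
```

In a real examination the "allocated" bytes come from the clusters listed in the file's run list, and the file size from its metadata (the $DATA attribute on NTFS); the arithmetic above is the same, and the carved residual region is what a slack-space search tool hands to a keyword or signature scan.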

MFT Record Slack
An MFT entry is allotted a fixed space, 1024 bytes by default. If the entry uses less than that, e.g. 1000 bytes, the remaining bytes are MFT slack. As with file slack, the contents of the MFT slack depend on what was in that space before. NTFS reuses the records of deleted files, and a new entry overwrites only the bytes it needs, so the MFT slack commonly holds the tail of the entry that previously occupied the record. This can be particularly interesting for computer forensic examiners when the previous entry held resident data (the content of a small file stored directly inside the MFT record) or remnants of its file name and timestamp attributes.
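As an added example (not from the original post), the script below carves MFT record slack from a constructed $MFT dump. It reads the real NTFS FILE record header fields "bytes in use" (offset 0x18) and "bytes allocated" (offset 0x1C), but the records themselves are synthetic: the attribute area is a filler pattern rather than real attributes, and the attribute start offset of 0x38 is an assumption for these sample records.

```python
# Added example: MFT record slack on constructed FILE records.
import struct
from typing import Iterator, Optional, Tuple

MFT_RECORD_SIZE = 1024     # default NTFS record size
FIRST_ATTR_OFFSET = 0x38   # assumed attribute start for the synthetic records below


def build_record(used: int, payload: bytes, record_size: int = MFT_RECORD_SIZE) -> bytes:
    """Build a synthetic FILE record that reports `used` bytes in use.

    Only the header fields a slack carver needs are set: the "FILE" signature,
    bytes in use (0x18) and bytes allocated (0x1C). The space between the
    header and the 0xFFFFFFFF end marker is filled with `payload`, standing in
    for attributes such as a resident $DATA.
    """
    if not FIRST_ATTR_OFFSET + 4 <= used <= record_size:
        raise ValueError("used size out of range")
    rec = bytearray(record_size)
    rec[0:4] = b"FILE"
    struct.pack_into("<H", rec, 0x14, FIRST_ATTR_OFFSET)   # offset to first attribute
    struct.pack_into("<H", rec, 0x16, 0x0001)               # flags: record in use
    struct.pack_into("<II", rec, 0x18, used, record_size)   # bytes in use, bytes allocated
    body_len = used - 4 - FIRST_ATTR_OFFSET
    rec[FIRST_ATTR_OFFSET:used - 4] = (payload * (body_len // len(payload) + 1))[:body_len]
    rec[used - 4:used] = b"\xff\xff\xff\xff"                # attribute list terminator
    return bytes(rec)


def reuse_record(old: bytes, new: bytes) -> bytes:
    """Simulate NTFS reusing a record: the new entry overwrites only its own
    in-use bytes, so everything after that stays from the previous occupant."""
    used = struct.unpack_from("<I", new, 0x18)[0]
    return new[:used] + old[used:]


def record_slack(rec: bytes) -> Optional[bytes]:
    """Return the slack bytes of one record, or None if it is not a usable FILE record."""
    if len(rec) < 0x30 or rec[0:4] != b"FILE":
        return None   # zeroed, BAAD, or truncated record
    used, allocated = struct.unpack_from("<II", rec, 0x18)
    if not 0x30 <= used <= allocated <= len(rec):
        return None   # header sizes inconsistent; do not trust them
    return rec[used:allocated]


def iter_mft_slack(mft: bytes, record_size: int = MFT_RECORD_SIZE) -> Iterator[Tuple[int, bytes]]:
    """Yield (record_number, slack) for every FILE record in a raw $MFT image."""
    for n in range(len(mft) // record_size):
        slack = record_slack(mft[n * record_size:(n + 1) * record_size])
        if slack is not None:
            yield n, slack


if __name__ == "__main__":
    # Constructed sample: a 600-byte entry for a deleted file whose record is
    # later reused by a 400-byte entry. The 624-byte slack keeps the old tail.
    old = build_record(600, b"OLD-RESIDENT-DATA ")
    new = build_record(400, b"new-entry ")
    reused = reuse_record(old, new)
    for n, slack in iter_mft_slack(reused + b"\x00" * MFT_RECORD_SIZE + old):
        print(n, len(slack), b"OLD-RESIDENT" in slack)   # 0 624 True / 2 424 False
```

On a real $MFT the update sequence fixups must be applied before carving: the last two bytes of each 512-byte sector of a record hold the update sequence number, so the raw bytes at offsets 0x1FE and 0x3FE in the slack region are fixup values, not content. The carver above skips that step because its records are synthetic.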

Drive Slack
Drive slack is another name for the residual slack described above: the data in the unused sectors of the last cluster allocated to a file, consisting of whatever previously existed in those sectors.

Volume Slack
Volume slack is the unused space between the end of the file system and the end of the partition in which it resides. It is also defined as the sectors at the end of the volume or partition that cannot be allocated to a cluster, which happens when the volume's sector count is not a whole multiple of the sectors per cluster. The file system never writes there, so it can retain data from an earlier partition layout or a previous file system.
