Friday, June 5, 2015

Working with media - Slack Space

Slack space is the space between the end of a file and the end of the cluster to which the file belongs (rjohnston, 2011). As an example, I’ve formatted a Windows disk with a 1024-byte cluster size, as can be seen below.



A file named “slack-space-test.txt” of size 338 bytes has been created. The operating system may write additional data to this cluster, so the actual size of the slack space may not necessarily be the difference between 1024 and 338. In the image below, the cluster consists of two sectors (512 * 2 = 1024). The first sector begins at offset x1546ec00 (not shown), while the third sector begins at offset x1546f000. The difference between those values tells us the cluster is 1024 (x400) bytes. The highlighted area below represents the slack space.
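The offset arithmetic above can be turned into a small helper that locates and reads the slack region from a raw image. This is an added example, not code from the original post; it goes slightly beyond the post by also handling files that span several clusters and by splitting the slack at the sector boundary. The function names and the in-memory sample image are constructed for illustration, and the file is assumed to be stored contiguously.

```python
import io

SECTOR = 512  # bytes per sector, as in the post's example


def slack_region(file_start, file_size, cluster_size, sector=SECTOR):
    """Return (offset, length) of the nominal slack in the file's last cluster.

    Assumes the file's clusters are contiguous from file_start, a byte
    offset into the image that lies on a cluster boundary.
    """
    if file_size <= 0 or cluster_size <= 0 or cluster_size % sector:
        raise ValueError("need a non-empty file and whole-sector clusters")
    used = file_size % cluster_size  # bytes used in the last cluster
    length = 0 if used == 0 else cluster_size - used
    return file_start + file_size, length


def read_slack(image, file_start, file_size, cluster_size, sector=SECTOR):
    """Read slack from a seekable raw image, split at the sector boundary.

    Returns (sector_tail, whole_sectors): the rest of the sector holding the
    file's last byte, then any sectors of the cluster the file never reached.
    """
    offset, length = slack_region(file_start, file_size, cluster_size, sector)
    image.seek(offset)
    data = image.read(length)
    if len(data) != length:
        raise ValueError("image ends before the end of the cluster")
    tail = min(length, (file_start - offset) % sector)
    return data[:tail], data[tail:]


def build_sample_image():
    """Constructed 4 KiB raw image: the cluster at offset 2048 holds a 338-byte file."""
    img = bytearray(4096)
    img[2048:3072] = b"R" * 1024       # residue of an earlier, larger file
    img[2048:2048 + 338] = b"A" * 338  # new file content
    img[2386:2560] = bytes(174)        # constructed: sector tail zero-filled
    return io.BytesIO(bytes(img))


if __name__ == "__main__":
    # Offsets from the post: cluster starts at 0x1546ec00, file is 338 bytes.
    off, n = slack_region(0x1546EC00, 338, 1024)
    print(hex(off), n, hex(off + n))
    tail, rest = read_slack(build_sample_image(), 2048, 338, 1024)
    print(len(tail), len(rest), rest[:8])
```

The length returned is the nominal slack (cluster size minus bytes used); as noted above, the operating system may have written other data into part of that region.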





Hope you find this information helpful, and please see the other posts in this series for additional information on working with media.

Reference:
http://blog.priveonlabs.com/sec_blog.php?title=forensic-basics-slack-space&more=1&c=1&tb=1&pb=1


In this series

Working with media - Unallocated Space
Working with media - Allocated Space
Working with media - Partitioning
Working with media - Sectors
Working with media - Clusters
Working with media - Slack Space
Forensic Imaging and their Formats - The Advanced Forensic Format (AFF)
Forensic Imaging and their Formats - Encase Image (E01)
Forensic Imaging and their Formats - DD (raw)
