Forensics: RAM Slack and File Slack

What is the difference between RAM slack and file slack?

Slack, in general, refers to the difference between the logical file size and the physical file size. However, slack can be broken down into two different areas: RAM slack and file slack.

RAM slack is the slack between the end of the logical file and the end of that sector. File slack is the remaining sectors to the end of the cluster. To put it another way, RAM slack is the slack at the byte and sector level, while file slack is the slack at the sector and cluster level.

Example

On an NTFS drive with 512-byte sectors and 8 sectors per cluster, the size of a cluster is 4096 bytes. If a file is 5100 bytes long, this means that there are 3092 bytes of slack. This is broken down into 20 bytes of RAM slack and 3072 bytes of file slack (or 6 sectors).

The reason is this:

The file is 5100 bytes, which is 9 sectors. But the NTFS file system works on clusters, not sectors, so the file will be assigned 2 clusters. The first cluster (8 sectors) will be completely filled by the file; the second cluster, however, will only contain 1004 bytes of the file (4096 + 1004 = 5100).

This means that the first sector (512 bytes) of the second cluster will be completely filled with the file, but the second sector of the second cluster will only contain 492 bytes. The space at the end of the second sector of the second cluster is known as RAM slack, and is a dump from the RAM. In this case it's just 20 bytes (492 + 20 = 512).

After that there are 6 more sectors to the end of the cluster (the file is assigned two clusters, 16 sectors in total). The 6 sectors remaining are known as file slack.

RAM slack is therefore a very small amount of data, a maximum of 511 bytes. File slack has the potential to be bigger, but is still small. The maximum size of file slack, assuming a cluster size of 8 sectors, is 7 sectors or 3,584 bytes.
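The breakdown above can be reproduced and the two slack regions carved out of a file's allocated clusters. This is an added example, not code from the original post; the function names and the in-memory sample allocation are constructed for illustration.

```python
from typing import NamedTuple

class Slack(NamedTuple):
    clusters: int     # clusters allocated to the file
    ram_slack: int    # bytes from end of file to end of its last sector
    file_slack: int   # bytes in the remaining whole sectors of the last cluster

def slack_layout(logical_size, sector=512, sectors_per_cluster=8):
    """Split a file's slack into RAM slack and file slack (both in bytes)."""
    if logical_size <= 0:
        raise ValueError("logical_size must be positive")
    cluster = sector * sectors_per_cluster
    clusters = -(-logical_size // cluster)      # ceiling division
    ram_slack = -logical_size % sector          # 0 if the file ends on a sector boundary
    file_slack = clusters * cluster - logical_size - ram_slack
    return Slack(clusters, ram_slack, file_slack)

def carve_slack(allocation, logical_size, sector=512, sectors_per_cluster=8):
    """Return (ram_slack_bytes, file_slack_bytes) from a file's allocated clusters."""
    lay = slack_layout(logical_size, sector, sectors_per_cluster)
    if len(allocation) != lay.clusters * sector * sectors_per_cluster:
        raise ValueError("allocation does not match the expected cluster count")
    ram_end = logical_size + lay.ram_slack
    return allocation[logical_size:ram_end], allocation[ram_end:]

def constructed_allocation():
    """Constructed sample: two clusters of old data overwritten by a 5100-byte file."""
    buf = bytearray(b"OLD-DATA" * 1024)         # 8192 bytes left by an earlier file
    buf[:5100] = b"A" * 5100                    # the new file's content
    buf[5100:5120] = bytes(20)                  # constructed stand-in for the sector padding
    return bytes(buf)

if __name__ == "__main__":
    print(slack_layout(5100))
    ram, rest = carve_slack(constructed_allocation(), 5100)
    print(len(ram), len(rest), rest[:16])
```

A one-byte file gives the maximums quoted in the post: 511 bytes of RAM slack and 7 sectors of file slack.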

Note:

RAM Slack does not exist on a modern version of Windows, and has not done for some time.
