What is File Slack

What is File Slack?

This article looks at file slack: where it is and how to find it. The original post includes a video guide to viewing slack data in EnCase 6.10. For more detailed information on File Slack see this article.

Requirements

To understand File Slack, one must first understand the basic concepts of Cluster and Sectors.

File Slack

File slack is, in short, what the name implies: the "slack", or spare space, at the end of a file.

Technically it is the difference between the physical file size and the logical file size. The physical size is always equal to or greater than the logical size. If the physical size is greater than the logical size, the spare space between the end of the logical file and the end of the physical file is known as "slack".

File slack is slightly different to RAM slack.

File Slack

What is File Slack?

This article looks at file slack in detail: where it is and how to find it.

Expected Knowledge

To understand File Slack, one must first understand the basic concepts of clusters and sectors. This article is based on the assumption that the reader understands these concepts. It is also written with the assumption that the hardware under consideration is a standard Windows hard drive, with a sector size of 512 bytes and a cluster size of 8 sectors.

Clusters and Sectors

Because the operating system allocates storage in clusters, whereas the hard drive itself addresses sectors, files are stored on the hard drive in units of clusters and not sectors.

Examples:

A 5000 byte file takes up 9 sectors; however, the operating system will allocate the file 2 clusters (16 sectors), as it does not fit into 1 cluster. 2 clusters is 8 KB.

A 2500 byte file will fit into 5 sectors; however, the operating system will allocate the file 1 full cluster (8 sectors), which is 4 KB.

A file which is 10,000 bytes will be allocated 12 KB, i.e. 3 clusters.

Different Sizes

From this it can be seen that a file has two different sizes: the logical file size, the actual size of the file's data, and the physical file size, the space given to the file on the hard drive.

The physical file size is always greater than or equal to the logical file size (ignoring resident data for the moment).

File Slack

File slack is the difference between the physical file size and logical file size.

E.g. for a 5000 byte file, which is given 2 clusters (8192 bytes), the file slack will be 8192 – 5000, which is 3192 bytes. The file slack is always less than 1 cluster (4096 bytes), since otherwise one fewer cluster would have been allocated.

As file slack is literally the space on the hard drive between the logical and physical file size, whatever was stored in that space before the file was written becomes file slack. A new file is written into unallocated space (even if that space was freed by deleting a file immediately before the write request), so file slack is essentially old fragments of whatever previously occupied that unallocated space (RAM slack is not being discussed at this point).

This means that file slack can contain anything at all, from fragments of web pages, emails, and even complete small pictures, to junk text. It is more often than not the latter; however, complete EML files and thumbnail pictures have been recovered from slack that can prove an entire case.
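The allocation arithmetic above and the carving of old data out of slack, as an added example (not code from the original article): it assumes the article's 512-byte sectors and 8-sector clusters, a contiguous run of clusters starting at a hypothetical `first_cluster`, and a small constructed disk image in which a deleted e-mail once occupied the clusters a new 5000-byte file is written into.

```python
import math

# Assumptions from the article: 512-byte sectors, 8 sectors per cluster.
SECTOR = 512
SECTORS_PER_CLUSTER = 8
CLUSTER = SECTOR * SECTORS_PER_CLUSTER  # 4096 bytes


def allocation(logical_size: int) -> dict:
    """Sectors the data spans, clusters the OS allocates, and the resulting slack."""
    sectors = math.ceil(logical_size / SECTOR)
    clusters = math.ceil(logical_size / CLUSTER)
    physical = clusters * CLUSTER
    # Slack is physical minus logical and is always less than one cluster.
    return {"sectors": sectors, "clusters": clusters,
            "physical": physical, "slack": physical - logical_size}


def carve_slack(image: bytes, first_cluster: int, logical_size: int) -> bytes:
    """Bytes between logical end-of-file and the end of the last allocated cluster.

    Assumes the file's clusters are contiguous from first_cluster (hypothetical layout).
    """
    start = first_cluster * CLUSTER
    eof = start + logical_size
    end = start + allocation(logical_size)["physical"]
    return image[eof:end]


def build_demo_image() -> bytes:
    """Constructed 8-cluster image: clusters 3-4 once held a now-deleted e-mail,
    and a new 5000-byte file was then written over the start of that space."""
    old_email = (b"From: alice@example.test\r\nSubject: old message\r\n\r\n"
                 b"This text was left behind when the file was deleted.\r\n")
    img = bytearray(8 * CLUSTER)
    old_start = 3 * CLUSTER
    img[old_start:old_start + 2 * CLUSTER] = (old_email * 200)[:2 * CLUSTER]
    new_file = b"N" * 5000  # the new file's own content
    img[old_start:old_start + len(new_file)] = new_file
    return bytes(img)


if __name__ == "__main__":
    img = build_demo_image()
    print(allocation(5000))  # {'sectors': 10, 'clusters': 2, 'physical': 8192, 'slack': 3192}
    slack = carve_slack(img, 3, 5000)
    print(len(slack), slack[:50])  # 3192 bytes of the old e-mail survive as file slack
```

On a real image the first cluster and logical size come from the file system's metadata (the MFT on NTFS); the carving step is the same once those are known.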

The original post includes a video showing file slack in EnCase 6.10. EnCase is better at viewing this type of data than FTK.

ACPO Guidelines

Below are the principles that computer forensic experts in both the police and private sector follow; they come from the ACPO Guidelines.

These principles cover the imaging of the hard drives.

Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.

Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Principle 3: An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

ACPO Guidelines

Part 35 of the Civil Procedure Rules defines how an expert witness (e.g. a computer forensics expert) should give evidence in court and produce reports, and what evidence should be given in civil cases.
