What is File Slack?
This article looks at file slack, where it is, how to find it, and includes a video guide of how to view this data in EnCase 6.10
This article is based on the assumption that the reader understands these concepts. It is also written with the assumption that the hardware under consideration is a standard windows hard drive, with sector size of 512 and a cluster size of 8 sectors.
Clusters and Sectors
As the operating system can only address clusters, rather than sectors which hard drives can, it means that files are stored on a hard drive in units of clusters and not sectors.
A 5000 byte file, takes up 9 sectors, however the operating system will allocate the file 2 clusters (16 sectors, 2*8 sectors), as it does not fit into 1 sector. 2 Sectors is 8 KB ( 2*4KB)
A 2500 byte file will fit into 5 sectors, however the operating system will allocate the file 1 full cluster (8 sectors), which is 4 KB
A file which is 10,000 bytes will be allocated 12 KB – 3 sectors.
From this it can be seen that a file has two different sizes, the logical file size the actual size of the file and the physical file size, the size given to the file on the hard drive.
The physical file size is always greater than or equal to the logical file size (ignoring resident data for the moment).
File slack is the difference between the physical file size and logical file size.
E.g for a 5000 byte file, which is given 2 clusters (8192 bytes), the file slack will be 8192 – 5000, which is 3192 bytes. The file slack should always be less than 1 cluster (4096 bytes).
As file slack is literally the space on the hard drive between the logical and physical file size, it means that anything that was in that space before become file slack. As a new file is created by overwriting unallocated space (even if it means deleting a file immediately before the request to write) this means that file slack is essentially old fragments of unallocated file space (RAM slack is not being discussed at this point).
This means that file slack can contain anything at all, from fragments of web pages, emails, and even complete small pictures, to junk text. It is more often than not the latter, however complete EML files, and thumbnail pictures have been recovered than can prove an entire case.
Below is a video showing file slack, using EnCase 6.10. Encase is currently better at viewing this type of data than FTK.