Forensics: MFT Slack

The MFT can have slack, though it is slightly different from file slack: the slack sits inside the MFT entry itself, rather than at the end of the file's data.

Slack is briefly described as the "spare bit" at the end of a file: it is the difference between the logical and physical file size.

An MFT entry is allotted a fixed space of 1024 bytes as standard. If the MFT entry uses less than 1024 bytes, e.g. 1000 bytes, the remaining bytes are MFT slack. The contents of this MFT slack depend, as with file slack, on what was there before it.

Commonly the MFT slack contains the contents of the MFT entry that occupied the slot before the current one was created. This can be particularly interesting for computer forensic examiners if the earlier entry held resident data.

Example

A password list text file 200 bytes long would be resident within the MFT. If the text file was deleted and a new MFT entry created in its place with non-resident data, e.g. a PST file, then the resident data from the text file would remain as MFT slack. This means that a detailed examination would reveal the old password list, even though it had been deleted and was long gone.
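The scenario above can be checked programmatically. The following is an added example, not code from the original post: it parses the standard NTFS FILE record header (used size at offset 0x18, allocated size at 0x1C, update sequence array offset and count at 0x04/0x06, flags at 0x16, record number at 0x2C), applies the fixups that NTFS writes over the last two bytes of each 512-byte sector, and returns everything between the used and allocated size as the entry's slack. The 1024-byte record it inspects is constructed inline: a small new entry written over a slot whose earlier resident text still sits beyond the new used size, deliberately straddling the sector boundary so the effect of the fixups is visible. Function names, the record number 42 and the leftover text are assumptions for the example.

```python
import struct

SECTOR = 512          # NTFS fixups protect each 512-byte sector of a record
RECORD_SIZE = 1024    # standard MFT entry allocation, as the post describes


def apply_fixups(record: bytes) -> bytes:
    """Undo the update sequence ("fixup") protection on a FILE record.

    NTFS overwrites the last two bytes of every sector with the update
    sequence number and keeps the originals in the update sequence array
    (offset at 0x04, entry count at 0x06). Slack crossing a sector boundary
    is corrupted until those bytes are restored."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 0x04)
    usn = record[usa_off:usa_off + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR
        if buf[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch at end of sector {i - 1}")
        buf[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def parse_mft_entry(record: bytes) -> dict:
    """Return header fields plus the slack bytes between used and allocated size."""
    if len(record) != RECORD_SIZE or record[:4] != b"FILE":
        raise ValueError("not a 1024-byte FILE record")
    record = apply_fixups(record)
    flags = struct.unpack_from("<H", record, 0x16)[0]
    used, allocated = struct.unpack_from("<II", record, 0x18)
    recno = struct.unpack_from("<I", record, 0x2C)[0]
    return {
        "record_number": recno,
        "in_use": bool(flags & 0x01),
        "used_size": used,
        "allocated_size": allocated,
        "slack": record[used:allocated],   # this is the MFT slack
    }


def printable_strings(data: bytes, min_len: int = 6) -> list:
    """Crude strings(1)-style scan so leftover resident text stands out."""
    found, run = [], bytearray()
    for b in data + b"\x00":               # sentinel flushes the final run
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found


def build_sample_record(old_text: bytes) -> bytes:
    """Constructed record: a small new entry written over an earlier one
    whose resident data still sits beyond the new entry's used size.
    The old text is placed across the sector boundary on purpose."""
    rec = bytearray(RECORD_SIZE)
    rec[0x1F0:0x1F0 + len(old_text)] = old_text       # remains of the old entry
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x04, 0x30, 3)       # USA at 0x30: USN + 2 fixups
    struct.pack_into("<H", rec, 0x14, 0x38)           # first attribute offset
    struct.pack_into("<H", rec, 0x16, 0x01)           # flags: in use
    struct.pack_into("<II", rec, 0x18, 0x40, RECORD_SIZE)  # used / allocated
    struct.pack_into("<I", rec, 0x2C, 42)             # record number (constructed)
    struct.pack_into("<I", rec, 0x38, 0xFFFFFFFF)     # end-of-attributes marker
    usn = b"\x07\x00"
    rec[0x30:0x32] = usn
    for i in (1, 2):                                  # apply fixups as NTFS would
        end = i * SECTOR
        rec[0x30 + 2 * i:0x30 + 2 * i + 2] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)


if __name__ == "__main__":
    old = b"CONSTRUCTED leftover resident data from the deleted entry"
    raw = build_sample_record(old)
    entry = parse_mft_entry(raw)
    print(f"record {entry['record_number']}: used {entry['used_size']} of "
          f"{entry['allocated_size']} bytes, slack {len(entry['slack'])} bytes")
    print("strings in slack:", printable_strings(entry["slack"]))
    # Without fixups the string is split by the USN bytes at offset 0x1FE.
    print("visible in raw bytes without fixups:", old in raw)
```

Run against a real $MFT the same way: read it in 1024-byte records, feed each to parse_mft_entry and scan the slack. Note that a 40-byte used size leaves 960 bytes of slack, so the old text is in the slack even though the new entry is in use; and that the leftover string is only intact after the fixups are undone, which is one reason a naive hex view of the raw record can hide what the slack holds.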

Note

It is hard to identify MFT slack as slack, as tools like FTK and EnCase do not show it as slack, and it sits within the MFT itself, which can look complex enough already. For this reason, identifying slack within an MFT entry can be difficult. Therefore caution must be taken when attributing data found within the MFT to a particular file or user.


3 Responses to “Forensics: MFT Slack”

  1. Forensics: Resident Data « Data - Where is it? Says:

    […] Resident data can be particularly interesting to computer forensics examiners if the file is deleted and the resident entry then becomes MFT slack […]

  2. Forensics: What is the $MFT? « Data – Where is it? Says:

    […] of the file There are other permutations, where the MFT entry is not 100% over written, leaving MFT file slack. More information on the MFT is available […]

