Slack is, briefly, the “spare bit” at the end of a file: it is the difference between the logical and physical file size.
An MFT entry is allotted a fixed space of 1024 bytes, as standard. If the MFT entry is less than 1024 bytes, e.g. 1000 bytes, the remaining bytes are MFT slack. The contents of this MFT slack will depend, as with file slack, on what was there before it.
Commonly, the MFT slack contains the contents of the previous MFT entry, the one that occupied that space before the current entry was created. This can be particularly interesting for computer forensic examiners if there was resident data.
A password list text file 200 bytes long would be resident within the MFT. If the text file was deleted and a new MFT entry created in its place with non-resident data, e.g. a PST file, then the resident data from the text file would remain as slack within the MFT entry. This means that a detailed examination would reveal the old password list, even though the file had long since been deleted.
It's hard to identify MFT slack as slack, because tools like FTK and EnCase do not show it as slack and because it sits within the MFT itself, which can look complex enough already. For this reason, identifying slack from the MFT entry can be difficult. Therefore caution must be taken when assigning data within the MFT to a particular file or user.
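
One way to separate the slack from the live part of an entry is to read the used and allocated sizes from the record header. The following is an added example, not code from the original page or from any forensic tool; it assumes the standard NTFS FILE record header (update sequence array offset and count at 0x04, used size at 0x18, allocated size at 0x1C) and 512-byte sectors, and the sample record and its remnant text are constructed.

```python
import struct

SECTOR = 512  # assumption: fixups applied per 512-byte sector
REMNANT = b"CONSTRUCTED remnant: user=alice pass=example123\r\n"

def mft_slack(record: bytes) -> bytes:
    """Return the bytes between the used and allocated size of one FILE record."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_off, usa_count = struct.unpack_from("<HH", record, 0x04)
    used, allocated = struct.unpack_from("<II", record, 0x18)
    if not used <= allocated <= len(record):
        raise ValueError("inconsistent sizes in record header")
    buf = bytearray(record[:allocated])
    # On disk the last 2 bytes of each sector are overwritten with the update
    # sequence number; the real bytes sit in the update sequence array. Those
    # positions often fall inside the slack, so restore them first.
    usn = record[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * SECTOR
        if end > allocated:
            break
        if bytes(buf[end - 2:end]) != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        buf[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf[used:allocated])

def build_sample() -> bytes:
    """Constructed record: 416 bytes used of 1024, old text left in the slack."""
    rec = bytearray(1024)
    struct.pack_into("<4sHH", rec, 0, b"FILE", 0x30, 3)  # USA at 0x30, 3 words
    struct.pack_into("<II", rec, 0x18, 416, 1024)        # used / allocated size
    rec[496:496 + len(REMNANT)] = REMNANT                 # straddles offset 510
    usn = b"\x05\x00"
    rec[0x30:0x32] = usn
    for i in (1, 2):                                      # apply fixups as on disk
        end = i * SECTOR
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)

if __name__ == "__main__":
    slack = mft_slack(build_sample())
    print(len(slack), "bytes of slack")
    print(slack[80:80 + len(REMNANT)])
```

Because the sector-end bytes are swapped out on disk, a plain keyword search over the raw record misses a remnant that crosses offset 510; the text is only contiguous once the fixups are reversed.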