Forensics: RAM Slack and File Slack

What is the difference between RAM slack and file slack?

Slack, in general, refers to the difference between the logical file size and physical file size.  However slack can be broken down into two different areas, RAM slack and File Slack. 

RAM slack is the slack between the end of the logical file and the rest of that sector. File Slack is the remaining sectors to the end of the cluster. To put it another way RAM slack is the slack at the byte and sector level. File slack is the sectors to the cluster level.


On an NTFS drive with with 512 byte sectors, and 8 sectors per cluster the size of a cluster is 4096 bytes. If a file is 5100 bytes long, this means that there 3092 bytes of slack, this is broken down into 20 bytes of RAM slack and 3072 bytes of file slack (or 6 sectors).

The reason is this:

The file is 5100 bytes which is 9 sectors. But the NTFS file system works on clusters not sectors, therefore the file will be assigned 2 clusters. The first cluster (8 sectors) will be completed filled by the first file, however the second cluster will only contain 1004 bytes of the file (4096+1004 = 5100). 

This means that the first sector (512 bytes) of the second cluster will be completely filled  with the file, but the second sector of the second cluster will only contain 492 bytes. The space at the end of the second sector on the second cluster is known as RAM slack, and is a dump from the RAM, in this case its just 20  bytes (492+20 = 512).

After that there are 6 more sectors to the end of the cluster (the file is assigned two clusters, 16 sectors in total). The 6 sectors remaining are known as file slack.

RAM slack, is therefore very small amounts of data, a maximum of 511 bytes. File slack as the potential to be bigger, but is still small. The maximum size of file slack, assuming a cluster size of 8 sectors, is  7 sectors or 3,584.


RAM Slack does not exist on a modern version of Windows, and has not done for some time.


