Forensics: What is RAM Slack?

RAM Slack is data between the end of a logical file and the a sector. (NOT the cluster). A sector, on a standard hard drive takes up 512 bytes, if the last logical sector in the file takes up 400 bytes, the 112 bytes remaining will be RAM slack. Traditionally this space would be filled by a partial dump from the RAM, e.g. 112 bytes of RAM memory would be used to fill this space.

File slack is from the last logical sector of the file to the last physical sector in the cluster.

RAM is no longer relevant to most modern Windows PCs as RAM no contains zeros rather than data from the RAM, i.e there are no forensic artifacts that can be found in RAM slack any more, for Windows systems.

Related Article:

What is Slack

Whats the difference between RAM Slack and File Slack

Advertisements

One Response to “Forensics: What is RAM Slack?”

  1. What is File Slack « Data - Where is it? Says:

    […] slack is slightly different to RAM Slack Possibly related posts: (automatically generated)Forensics: RAM Slack and File SlackMany Books to […]


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: