Forensics: What is RAM Slack?

RAM Slack is data between the end of a logical file and the a sector. (NOT the cluster). A sector, on a standard hard drive takes up 512 bytes, if the last logical sector in the file takes up 400 bytes, the 112 bytes remaining will be RAM slack. Traditionally this space would be filled by a partial dump from the RAM, e.g. 112 bytes of RAM memory would be used to fill this space.

File slack is from the last logical sector of the file to the last physical sector in the cluster.

RAM is no longer relevant to most modern Windows PCs as RAM no contains zeros rather than data from the RAM, i.e there are no forensic artifacts that can be found in RAM slack any more, for Windows systems.

