Sunday, August 8, 2010

Slack space in NTFS

Slack space on a file system is the part of an allocated cluster that holds no current file data. When NTFS allocates space to a file it does so in whole clusters, and a cluster is a fixed number of sectors (typically 8 or 16 sectors, i.e. 4K or 8K; the examples below use 8K clusters). Thus if a file is, say, 5K long, it occupies one 8K cluster, 3K of which is allocated to the file but contains none of its data. No normal file access will ever show the contents of this 3K of slack space.

Forensically, slack is useful because it may contain data from previously deleted files whose clusters have since been reallocated. The data will not be complete, but it can contain anywhere from 1 to 8191 bytes of useful material (for an 8K cluster). In practice NTFS zero-fills the remainder of the final sector it writes, so what actually survives is the whole sectors between the end of the new file's data and the end of the cluster. CnW has an option to collect these fragments and store them in a single file, with a header recording the length of the slack fragment taken from each incomplete cluster. It should be noted that slack space will only be found in the final cluster of a file. Thus for a 31K file there will be three complete clusters, and the final cluster will have 1K of slack.

For NTFS, slack space does not stop there. To optimise disk usage, small files are stored resident: the file data is held inside the 1024-byte MFT record itself, after the record header and the other attributes. The maximum size of such a file depends on what else is in the record, but is in the region of 500-600 bytes. The remainder of the record beyond the end of its attributes is not used by the current entry, so when analysing a disk for data in slack areas it is essential to examine each MFT record for data after the end of its used portion, possibly left from a previous use of that record. Again, CnW Recovery has a feature to collect the slack from every MFT record into a specific file, again separating each entry with a header. For more details see www.cnwrecovery.com/html/ntfs_forensic.html
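As an added worked example covering both kinds of slack described above (this is illustrative code written for this post, not CnW Recovery's tool or its fragment-file format): the Python below computes how much slack a file of a given size leaves in its final cluster, carves the recoverable part out of a constructed cluster buffer, pulls the unused tail out of a constructed 1024-byte FILE record using the "used size" field at offset 0x18 of the record header, and packs the fragments into one output blob with a simple length-prefixed header of its own design. The sample cluster contents, the sample record and the header layout are all assumptions made for the example; the 0x18 field and the zero-fill of the last written sector are NTFS behaviour.

```python
"""Added example (not CnW Recovery's code or file format): locating and
carving NTFS slack, both the tail of a file's final cluster and the unused
tail of a 1024-byte MFT record.  Works on byte buffers constructed below;
the fragment-file header is this example's own layout."""
import struct

SECTOR = 512
MFT_RECORD_SIZE = 1024
FRAG_HEADER = struct.Struct("<16sQI")   # source tag, origin offset, length


def slack_layout(file_size, cluster_size=8192, sector=SECTOR):
    """Return (clusters_allocated, total_slack, carvable_slack) in bytes.

    total_slack is every allocated byte past end-of-file.  carvable_slack
    drops the remainder of the last sector actually written, because NTFS
    zero-fills a partially written sector up to the sector boundary; only
    the whole sectors after it still hold earlier contents.
    """
    if file_size <= 0:
        return 0, 0, 0
    clusters = -(-file_size // cluster_size)          # ceiling division
    sectors_written = -(-file_size // sector)
    total_slack = clusters * cluster_size - file_size
    carvable = clusters * cluster_size - sectors_written * sector
    return clusters, total_slack, carvable


def carve_file_slack(cluster_data, file_size, cluster_size=8192, sector=SECTOR):
    """Return the carvable slack from the raw clusters allocated to a file.

    cluster_data is the content of every cluster in the file's allocation,
    so slack can only exist at the end of the last cluster.
    """
    clusters, _, carvable = slack_layout(file_size, cluster_size, sector)
    if len(cluster_data) != clusters * cluster_size:
        raise ValueError("cluster_data does not match allocation for file_size")
    return cluster_data[len(cluster_data) - carvable:] if carvable else b""


def carve_mft_record_slack(record):
    """Return the unused tail of a FILE record.

    Offset 0x18 of the record header is the 'used size' of the entry (header,
    attributes and the 0xFFFFFFFF end marker).  Bytes from there to the end
    of the record are not rewritten for the current file, so they can still
    hold resident $DATA of whatever previously occupied this record.
    """
    if len(record) != MFT_RECORD_SIZE or record[:4] != b"FILE":
        raise ValueError("not a 1024-byte FILE record")
    used = struct.unpack_from("<I", record, 0x18)[0]
    if used < 0x30 or used > MFT_RECORD_SIZE:
        raise ValueError("implausible used size %#x" % used)
    return record[used:]


def pack_fragments(fragments):
    """Concatenate (source, origin_offset, data) tuples into one blob, each
    prefixed with a header so variable-length fragments can be read back."""
    out = bytearray()
    for source, offset, data in fragments:
        tag = source.encode()[:16].ljust(16, b"\0")
        out += FRAG_HEADER.pack(tag, offset, len(data)) + data
    return bytes(out)


def iter_fragments(blob):
    """Inverse of pack_fragments: yield (source, origin_offset, data)."""
    pos = 0
    while pos < len(blob):
        tag, offset, length = FRAG_HEADER.unpack_from(blob, pos)
        pos += FRAG_HEADER.size
        yield tag.rstrip(b"\0").decode(), offset, blob[pos:pos + length]
        pos += length


def build_samples():
    """Constructed data: one 8K cluster that held an older file and was then
    reused for a 5000-byte file, and an MFT record reused for a small file
    after previously holding a larger resident file."""
    cluster_size = 8192
    cluster = bytearray((b"OLD-LETTER.TXT: the merger terms are... " * 300)[:cluster_size])
    cluster[:5000] = b"N" * 5000               # new file's data
    cluster[5000:5120] = b"\0" * 120           # NTFS zero-fill to sector boundary
    record = bytearray(MFT_RECORD_SIZE)
    record[:4] = b"FILE"
    used = 0x1A0                               # header + attributes + end marker
    struct.pack_into("<I", record, 0x18, used)
    struct.pack_into("<I", record, 0x1C, MFT_RECORD_SIZE)
    struct.pack_into("<I", record, used - 8, 0xFFFFFFFF)   # attribute end marker
    stale = (b"previous resident file: password=hunter2\n" * 20)[:MFT_RECORD_SIZE - used]
    record[used:] = stale
    return bytes(cluster), bytes(record)


if __name__ == "__main__":
    cluster, record = build_samples()
    frag = carve_file_slack(cluster, 5000)
    mft_frag = carve_mft_record_slack(record)
    blob = pack_fragments([("file-slack", 5120, frag), ("mft-slack", 0x1A0, mft_frag)])
    for source, offset, data in iter_fragments(blob):
        print(source, offset, len(data), data[:40])
```

On a real image the cluster buffer would come from the file's $DATA run list and the record from $MFT; the example does not parse either, it only shows where the slack sits once you have the bytes. Note that the 5000-byte sample leaves 3192 bytes of total slack but only 3072 carvable bytes, because the 120 bytes up to the next sector boundary were zeroed when the file was written.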
