by Chetan Gupta, NII Consulting
A small experiment... Create a new text file. Edit it using Notepad and type “Hello” in it. Save and exit the editor. Right-click the file and check its properties. Did you notice the two attributes “Size” and “Size on disk”? It looks something like this on my Windows XP system:
Size: 5 bytes (5 bytes)
Size on disk: 4.00 KB (4,096 bytes)
Have you ever wondered about this difference? If the file contents are only 5 bytes, why are the remaining bytes assigned to the file? Do they serve any purpose? Well, at least not to the average computer user!
This is one thing that many people are confused about and forensic investigators like me are happy about!
The answer lies in understanding a simple piece of jargon called “slack”. Associate the terms file, RAM and drive with it and it becomes even more confusing!
All these terms look so similar, yet understanding and appreciating the difference between them can be a daunting task at times! I'll try to simplify the terms as much as possible.
File Slack
File sizes vary! OK, everybody knows that. But what may not be so widely known is that to store files, the filesystem uses fixed-size containers or blocks called clusters. Clusters are nothing but groups of sectors, and they are the unit in which Microsoft operating systems allocate disk storage space. So, any new file is assigned a number of clusters such that
file size <= no of clusters * size of a single cluster
Quite obviously, file sizes rarely match the size of one or more clusters exactly. So a small space is left between the end of the file contents and the end of the last cluster allocated to it. This space is called File Slack. File slack is created at the time a file is saved to disk. File slack can be broken down into RAM slack and drive slack. Let us define these two terms in detail.
RAM Slack
Let's add a little twist to the whole thing! Microsoft Windows based systems normally write in 512-byte blocks called sectors. That means whenever the OS wishes to write to the file system, it writes in chunks of 512 bytes, with a minimum of at least 512 bytes. So, if there is not enough data to fill the last sector in the last cluster, the OS innocently writes random data from memory (RAM) to the unfilled area of that last sector. What if that area of memory contained something sensitive, such as the password for an encrypted disk or partition which had been mounted sometime in the past! The investigator in me is not complaining!
This area which is filled by the random data from the RAM is called RAM Slack.
Drive Slack
RAM slack pertains only to the last sector of a file. What about the remaining sectors which are part of the last cluster assigned to the file but are not filled with any file data? The OS doesn't take the same pains with them as it did with the last sector that received file data. Instead, it writes nothing at all to the remaining sectors of the cluster. The result? Whatever was stored in that area of the disk remains there, and could contain remnants of previously deleted files, the pattern which should be there if the disk is fresh and being used for the first time, or even data which existed before the last format!
Welcome to the world of Drive Slack!
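To make the three terms concrete, here is a small calculator and carver written for this post (it is an added example, not code from the original article). It assumes the layout described above: 512-byte sectors, fixed-size clusters, the tail of the last written sector padded from memory, and the remaining sectors of the last cluster left untouched. The cluster image and the residue strings in it are constructed for illustration.

```python
from dataclasses import dataclass

SECTOR = 512  # Windows writes in 512-byte sectors, as described above

@dataclass(frozen=True)
class SlackLayout:
    clusters: int      # clusters allocated to the file
    on_disk: int       # "Size on disk": clusters * cluster size
    file_slack: int    # end of file data .. end of the last cluster
    ram_slack: int     # unfilled tail of the last written sector (padded from memory)
    drive_slack: int   # sectors of the last cluster never written (old disk contents)

def slack_layout(file_size: int, cluster_size: int, sector: int = SECTOR) -> SlackLayout:
    """Break the allocation of a file_size-byte file into the three slack figures."""
    if file_size < 0 or cluster_size <= 0 or cluster_size % sector:
        raise ValueError("cluster size must be a positive multiple of the sector size")
    clusters = -(-file_size // cluster_size)      # ceiling division; 0 for an empty file
    on_disk = clusters * cluster_size
    file_slack = on_disk - file_size
    ram_slack = (-file_size) % sector             # 0 when the last sector is exactly full
    return SlackLayout(clusters, on_disk, file_slack, ram_slack, file_slack - ram_slack)

def carve_last_cluster(cluster: bytes, file_size: int, cluster_size: int,
                       sector: int = SECTOR) -> tuple[bytes, bytes, bytes]:
    """Split a raw dump of the file's last cluster into (data, RAM slack, drive slack)."""
    if file_size <= 0 or len(cluster) != cluster_size:
        raise ValueError("need a non-empty file and a dump of exactly one cluster")
    lay = slack_layout(file_size, cluster_size, sector)
    data_len = file_size - (lay.clusters - 1) * cluster_size   # real data in this cluster
    ram_end = data_len + lay.ram_slack
    return cluster[:data_len], cluster[data_len:ram_end], cluster[ram_end:]

# Constructed sample: the 5-byte "Hello" file from the experiment on a 4 KB-cluster volume.
CLUSTER_SIZE = 4096
HELLO_LAYOUT = slack_layout(5, CLUSTER_SIZE)

# Constructed cluster image: "Hello", then memory residue the OS padded the sector with,
# then sectors still holding a fragment of a previously deleted file.
SAMPLE_CLUSTER = (
    b"Hello"
    + b"vault-passphrase=correct horse battery staple".ljust(HELLO_LAYOUT.ram_slack, b"\x00")
    + b"...fragment of a deleted spreadsheet...".ljust(HELLO_LAYOUT.drive_slack, b"\xff")
)

if __name__ == "__main__":
    print(HELLO_LAYOUT)
    regions = carve_last_cluster(SAMPLE_CLUSTER, 5, CLUSTER_SIZE)
    for name, region in zip(("data", "ram slack", "drive slack"), regions):
        print(f"{name:12s} {len(region):5d} bytes  {region[:40]!r}")
```

For the 5-byte file this reports 4,091 bytes of file slack, of which 507 bytes are RAM slack and 3,584 bytes (seven whole sectors) are drive slack. On NTFS volumes the tail of the last sector is normally zero-padded rather than filled from memory, so the RAM-slack region may carve as zeros while the drive-slack sectors still hold whatever was there before.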
From a computer forensic viewpoint, file slack is very important as both a source of computer evidence and investigative leads. File slack can also be analyzed to identify prior uses of the subject computer and could contain fragments of email messages, word processing documents and any other sensitive data which may help nail the culprit!
Cyber criminals beware!
I hope I did manage to simplify the mystery to some extent!
Happy forensics!