File Slack Vs RAM Slack Vs Drive Slack

by Chetan Gupta, NII Consulting

A small experiment…Create a new text file. Edit it using Notepad and type “Hello” in it. save and exit the editor. Right click the file and check its properties. Did you notice the two attributes “Size” and “Size on disk”. It looks something like this on my Windows XP system

Size: 5 bytes (5 bytes)

Size on disk: 4.00 KB (4,096 bytes)

Have you ever wondered why this difference? If the size of file contents is only 5 bytes, why are the remaining bytes assigned to the file? Do they serve any purpose? Well, atleast not to any average user of computer systems!

This is one thing that many people are confused about and forensic investigators like me are happy about!

The answer lies in the understanding of a simple jargon called “slack”. Associate the terms file, RAM and Drive with it, it becomes even more confusing!

All these terms look so similar yet understanding and appreciating the difference between them could be daunting task at times! Ill try to simplify the terms as much as possible.

File Slack

File sizes vary! Ok everybody knows that. But what may not be very widely known fact is that to store files, the filesystem uses fixed sized containers or blocks called Clusters. Clusters are nothing but groups of sectors which are used to allocate the disk storage space in Microsoft Operating Systems . So, any new file is assigned a number of clusters such that

file size <= no of clusters * size of a single cluster Quite obviously, file sizes rarely match the size of one or multiple clusters perfectly. So what happens is that a small space is left between the end of the file contents and the end of the last cluster allocated to it. This space is called File Slack. File Slack is created at the time a file is saved to disk. File slack can be broken down into RAM Slack and Drive Slack. Let us define these two terms in detail.
RAM Slack

Lets add a little twist to the whole thing! Microsoft Windows based systems normally write in 512 byte blocks called Sectors. That means whenever the OS wishes to write to the file system, it would write in chunks of 512 bytes with a minimum of atleast 512 bytes. So, if there is not enough data to fill the last sector in the last cluster, the OS innocently writes random data from memory (RAM) to the unfilled area in the last sector. What if that area of memory contained something sensitive such as password for an encrypted disk or partition which had been mounted sometime in the past! The investigator in me is not complaining!

This area which is filled by the random data from the RAM is called RAM Slack.

Drive Slack

RAM slack pertains only to the last sector of a file. What about the remaining sectors which are a part of the last cluster assigned to the file but not filled with any file data. The OS doesnt take further pains like it did with the last sector to be written with file data. Instead it doesnt write anything to the remaining sectors of the cluster. The result? Whatever was stored on that area of the disk remains there and could contain remnants of previously deleted files or the pattern which should be there if the disk is fresh and being used for the first time or even the data which existed before the last format!
Welcome to the world of Drive Slack!

From a computer forensic viewpoint, file slack is very important as both a source of computer evidence and investigative leads. File slack can also be analyzed to identify prior uses of the subject computer and could contain fragments of email messages, word processing documents and any other sensitive data which may help nail the culprit!
Cyber criminals beware!

I hope I did manage to simplify the mystery to some extent!

Happy forensics!

Author


12 comments

Fantastic Article!!!! Superb! Modifying the chunk size is very easy in case of linux. Please tell how to play with chunk sizes in Windows operating system.

Very Nice!.. A Very Basic Topic, yet ESSENTIAL in forensics, put forth in a nice simple way..

Rob

It is important to note that RAM Slack on a Windows system does NOT write data from memory in current OSes and hasn’t since the release of Windows NT. Instead Windows simply pads out the end of the sector with 0s.

Also, the definition given for “Drive Slack” is actually the term most often associated with the term “File Slack”. Drive Slack is not an expression normally used. File Slack is located in the unused sectors at the end of the cluster.

Well gud one…. But i think in windows the size of file is also depends on the Cluster size,which is nothing but number of sectors per cluster.For example in Windows Xp default cluster size is 4K which means that 8 sectors per cluster…that’s why when we r creating any file then minimum size of disk is 4K…

Excellent explanation. This is always something that I’ve had a hard time understanding. Now it makes perfect sense.

Explained in a simple and humorous way independent of all the intimidating technical jargon!!!

[…] File Slack Vs RAM Slack Vs Drive Slack Publicado em Quiz. Tags: cluster, file slack, qr code, slack space. Deixar um comentário » […]

very helpful

Excellent explaination

very nice article

I never leave comments except for when I come across an exceptionally intelligent piece that is well-written, accurate, and easy for us without intense prior knowledge to understand. Thank you for your contribution to help those like me increase our understanding of the underlying concepts surrounding computer forensics.

Leave a Reply

Your email address will not be published. Required fields are marked *