Is the unused space between the end of the actual file and the end of the the?

RAM slack is the data between the end of a logical file and the end of the sector that holds its last byte (NOT the cluster). A sector on a standard hard drive is 512 bytes; if the last logical sector of a file holds 400 bytes of data, the remaining 112 bytes are RAM slack. Traditionally this space was filled with a partial dump from RAM, i.e. 112 bytes of whatever happened to be in memory were written out to pad the sector.

File slack runs from the end of the last sector holding file data to the last physical sector of the cluster.

RAM slack is no longer relevant on most modern Windows PCs, because the partial sector is now padded with zeros rather than with data from RAM, i.e. there are no longer any forensic artifacts to be found in RAM slack on Windows systems.

Related Article:

What is Slack

What's the difference between RAM Slack and File Slack


Forensics: RAM Slack and File Slack

April 25, 2009 — 585

What is the difference between RAM slack and file slack?

Slack, in general, refers to the difference between the logical file size and the physical file size. However, slack can be broken down into two different areas: RAM slack and file slack.

RAM slack is the slack between the end of the logical file and the end of the sector it ends in. File slack is the remaining whole sectors up to the end of the cluster. To put it another way, RAM slack is measured at the byte level within a single sector; file slack is measured in whole sectors up to the cluster boundary.

Example

On an NTFS drive with 512 byte sectors and 8 sectors per cluster, the size of a cluster is 4096 bytes. If a file is 5100 bytes long it is allocated two clusters (8192 bytes), so there are 3092 bytes of slack. This is broken down into 20 bytes of RAM slack and 3072 bytes (6 sectors) of file slack.

The reason is this:

The file is 5100 bytes, which spans 10 sectors (9 full sectors plus 492 bytes of a tenth). But the NTFS file system allocates in clusters, not sectors, so the file is assigned 2 clusters. The first cluster (8 sectors) is completely filled by the file; the second cluster contains only the remaining 1004 bytes (4096 + 1004 = 5100).

This means that the first sector (512 bytes) of the second cluster is completely filled with the file, but the second sector of the second cluster contains only 492 bytes. The space at the end of that second sector is the RAM slack, which on older systems was a dump from RAM; in this case it is just 20 bytes (492 + 20 = 512).

After that there are 6 more sectors to the end of the cluster (the file is assigned two clusters, 16 sectors in total, of which 10 hold data). Those 6 remaining sectors are the file slack.

RAM slack is therefore a very small amount of data, at most 511 bytes (when only a single byte of file data lands in the final sector). File slack has the potential to be bigger, but is still small: assuming a cluster size of 8 sectors, it is at most 7 sectors, or 3,584 bytes. Between them the two kinds of slack never add up to a full cluster (at most 4,095 bytes with 4 KB clusters).

Note:

RAM slack does not exist on modern versions of Windows, and has not done for some time: the final partial sector is padded with zeros rather than with the contents of memory, so the bytes are still there but carry no recoverable data.


Forensics: Physical and Logical Size

February 10, 2009 — 585

What is the difference between the physical and logical size shown in Encase/FTK?

All files have a physical and a logical size. Often the physical size is larger than the logical size; sometimes the two are equal. But the logical size should never be greater than the physical size; if it is, there is corruption on the file system or something unusual is occurring.

The physical size of a file is dictated by the minimum number of whole clusters the file needs. E.g. a 6 KB file takes up 1.5 clusters (one cluster = 4 KB in this case), so it needs 2 clusters for its physical size, and two clusters are 8 KB, therefore the physical size is 8 KB. It's a bit like transporting people. What's the minimum number of London taxis you need to move 6 people at 4 per cab? 1.5, but you can't actually order half a cab, you need 2 cabs, therefore the physical space required to carry 6 people is 8 seats.

The logical size is how big the file actually is, in this case 6 KB. The difference between the two sizes is known as "file slack".

For more detailed information on this,  the following articles may be useful:

Video demonstrating file slack.

Clusters

Sectors

What is File Slack



What is File Slack?

August 31, 2008 — 585

What is File Slack?

This article looks at file slack: where it is, how to find it, and a video guide of how to view this data in EnCase 6.10.

Requirements

To understand file slack, one must first understand the basic concepts of clusters and sectors.

This article is based on the assumption that the reader understands these concepts. It is also written with the assumption that the hardware under consideration is a standard Windows hard drive, with a sector size of 512 bytes and a cluster size of 8 sectors (4 KB).

Clusters and Sectors

Because the file system allocates space in clusters, whereas the hard drive itself is addressed in sectors, files are stored on a hard drive in units of clusters and not sectors.

Examples:

A 5000 byte file takes up 10 sectors (9 full sectors and part of a tenth), however the file system will allocate it 2 clusters (16 sectors, 2*8 sectors), as it does not fit into 1 cluster. 2 clusters is 8 KB (2*4 KB).

A 2500 byte file will fit into 5 sectors, however the file system will allocate it 1 full cluster (8 sectors), which is 4 KB.

A file which is 10,000 bytes will be allocated 12 KB, i.e. 3 clusters (24 sectors), even though its data only spans 20 sectors.
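The allocation arithmetic in these three examples, together with the RAM slack / file slack split worked through in the "RAM Slack and File Slack" article above, as an added Python example (written for this page, not code from the original posts). It assumes the same 512 byte sectors and 8 sectors per cluster and, like the articles, ignores NTFS-resident files. The `slack_offsets` helper and its cluster-run argument are this example's own construction for locating the slack inside a volume image; forensic suites do that lookup for you.

```python
# Added worked example: split a file's slack into RAM slack and file slack and
# locate it in the volume.  Defaults are the articles' 512 B sectors and 8
# sectors per cluster; NTFS-resident files are out of scope.
from __future__ import annotations

from dataclasses import dataclass


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


@dataclass(frozen=True)
class SlackBreakdown:
    logical_size: int        # bytes the file really contains
    physical_size: int       # bytes allocated on disk (whole clusters)
    clusters: int            # clusters allocated
    sectors_used: int        # sectors holding at least one byte of file data
    ram_slack: int           # unused bytes at the end of the last data sector
    file_slack_sectors: int  # whole sectors left over at the end of the last cluster
    file_slack: int          # those sectors in bytes

    @property
    def total_slack(self) -> int:
        return self.physical_size - self.logical_size


def slack_breakdown(logical_size: int, sector_size: int = 512,
                    sectors_per_cluster: int = 8) -> SlackBreakdown:
    if logical_size < 0 or sector_size <= 0 or sectors_per_cluster <= 0:
        raise ValueError("size must be non-negative and units positive")
    cluster_size = sector_size * sectors_per_cluster
    clusters = ceil_div(logical_size, cluster_size)
    sectors_used = ceil_div(logical_size, sector_size)
    tail = logical_size % sector_size                   # data bytes in the final sector
    ram_slack = 0 if tail == 0 else sector_size - tail  # none if the file ends on a sector boundary
    file_slack_sectors = clusters * sectors_per_cluster - sectors_used
    return SlackBreakdown(logical_size, clusters * cluster_size, clusters, sectors_used,
                          ram_slack, file_slack_sectors, file_slack_sectors * sector_size)


def slack_offsets(cluster_run: list[int], logical_size: int, sector_size: int = 512,
                  sectors_per_cluster: int = 8, data_start: int = 0):
    """Absolute byte ranges ((ram_start, ram_end), (file_start, file_end)) of the slack.

    cluster_run is the file's clusters in logical order (a fragmented file is fine);
    all of the slack lives in the last cluster of the run.  data_start is the byte
    offset of cluster 0, which is 0 on NTFS where cluster numbers are volume-relative.
    Hypothetical helper for this example only.
    """
    bd = slack_breakdown(logical_size, sector_size, sectors_per_cluster)
    if len(cluster_run) != bd.clusters:
        raise ValueError(f"{logical_size} bytes need {bd.clusters} cluster(s), run has {len(cluster_run)}")
    if bd.clusters == 0:
        return (0, 0), (0, 0)
    cluster_size = sector_size * sectors_per_cluster
    last_start = data_start + cluster_run[-1] * cluster_size
    ram_start = last_start + logical_size - (bd.clusters - 1) * cluster_size
    ram_end = ram_start + bd.ram_slack
    return (ram_start, ram_end), (ram_end, last_start + cluster_size)


if __name__ == "__main__":
    for size in (5100, 5000, 2500, 10_000, 6 * 1024, 4096, 1):
        b = slack_breakdown(size)
        print(f"{size:>6} B: {b.clusters} cluster(s), physical {b.physical_size:>5} B, "
              f"RAM slack {b.ram_slack:>3} B, file slack {b.file_slack_sectors} sector(s) "
              f"= {b.file_slack:>4} B, total {b.total_slack:>4} B")
    print("5100 B file in clusters 10-11:", slack_offsets([10, 11], 5100))
```

Running it reproduces the figures on this page: 5100 bytes gives 20 bytes of RAM slack plus 6 sectors (3072 bytes) of file slack, 5000 bytes gives 3192 bytes of slack in total, 2500 bytes gets one cluster, 10,000 bytes gets three, and a 6 KB file ends exactly on a sector boundary, so it has no RAM slack at all. A one-byte file shows the maxima from the RAM slack article: 511 bytes of RAM slack and 7 sectors of file slack.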

Different Sizes

From this it can be seen that a file has two different sizes: the logical file size, the actual size of the file, and the physical file size, the space given to the file on the hard drive.

The physical file size is always greater than or equal to the logical file size (ignoring resident data for the moment).

File Slack

File slack is the difference between the physical file size and logical file size.

E.g. for a 5000 byte file, which is given 2 clusters (8192 bytes), the file slack will be 8192 – 5000, which is 3192 bytes. The file slack should always be less than 1 cluster (4096 bytes).

As file slack is literally the space on the hard drive between the logical and physical end of the file, whatever was in that space before the file was written is still there. A new file is written into unallocated space (even if that space was only freed by a delete immediately before the write), and only the sectors that actually receive file data are overwritten, so file slack is essentially old fragments of whatever previously occupied those clusters (RAM slack is not being discussed at this point).

This means that file slack can contain anything at all, from fragments of web pages and emails, and even complete small pictures, to junk text. It is more often than not the latter; however, complete EML files and thumbnail pictures have been recovered from slack that can prove an entire case.
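To show the mechanism described above, here is an added simulation in Python (constructed for this page; it is not the author's code and not a real file system). A toy volume kept in a bytearray has a "deleted" email fragment left behind in two clusters; a 5100 byte file is then written over them the way the operating system does, sector by sector. Reading the last cluster back shows the partial final sector zero-padded (the modern Windows behaviour the first article mentions) and the 6 untouched sectors still holding the old email. The email text, the `pad` argument that emulates the old DOS-era RAM dump, and the `SIMULATED_RAM` buffer are all this example's assumptions.

```python
# Added simulation of how file slack comes to hold stale data.  The "volume" is
# only a bytearray with whole-cluster allocation and sector-granular writes; the
# e-mail text and the pad buffer are constructed for this example.
from __future__ import annotations

SECTOR = 512
SECTORS_PER_CLUSTER = 8
CLUSTER = SECTOR * SECTORS_PER_CLUSTER


class Volume:
    def __init__(self, clusters: int):
        self.data = bytearray(clusters * CLUSTER)

    def fill_cluster(self, cluster: int, payload: bytes) -> None:
        """Tile 'payload' across a cluster: stands in for a file that once lived
        here and was deleted.  Deleting frees the cluster; the bytes stay put."""
        start = cluster * CLUSTER
        repeats = CLUSTER // len(payload) + 1
        self.data[start:start + CLUSTER] = (payload * repeats)[:CLUSTER]

    def write_file(self, first_cluster: int, content: bytes, pad: bytes = b"") -> int:
        """Write a file into consecutive clusters the way the OS does.

        Only the sectors that receive file data are written.  A partial final
        sector is padded out to the sector boundary: modern Windows pads with
        zeros (pad=b""), while DOS-era systems flushed whatever sat in the I/O
        buffer, which is what "RAM slack" originally held (emulated by passing a
        pad buffer).  The remaining sectors of the last cluster are never touched.
        Returns the file's logical size."""
        size = len(content)
        clusters_needed = -(-size // CLUSTER)
        if (first_cluster + clusters_needed) * CLUSTER > len(self.data):
            raise ValueError("file does not fit in the volume")
        tail = size % SECTOR
        pad_len = (SECTOR - tail) if tail else 0
        padding = (pad + bytes(pad_len))[:pad_len]   # pad bytes first, zeros after
        start = first_cluster * CLUSTER
        self.data[start:start + size + pad_len] = content + padding
        return size

    def read_slack(self, first_cluster: int, logical_size: int) -> tuple[bytes, bytes]:
        """Return (ram_slack, file_slack) for a file stored in consecutive clusters:
        the tail of the final data sector, then every whole sector after it up to
        the end of the last allocated cluster."""
        clusters = -(-logical_size // CLUSTER)
        end_of_data = first_cluster * CLUSTER + logical_size
        end_of_sector = -(-end_of_data // SECTOR) * SECTOR
        end_of_cluster = (first_cluster + clusters) * CLUSTER
        return (bytes(self.data[end_of_data:end_of_sector]),
                bytes(self.data[end_of_sector:end_of_cluster]))


# Constructed sample: an e-mail that used to occupy clusters 10 and 11.
OLD_MAIL = (b"From: alice@example.test\r\nSubject: invoice\r\n\r\n"
            b"Please find the invoice attached.\r\n")
NEW_FILE = b"A" * 5100                   # the 5100 byte file from the RAM slack article
SIMULATED_RAM = b"SIMULATED RAM CONTENTS " # stand-in for a DOS-era I/O buffer


def demo(legacy: bool = False) -> dict:
    vol = Volume(16)
    vol.fill_cluster(10, OLD_MAIL)
    vol.fill_cluster(11, OLD_MAIL)
    size = vol.write_file(10, NEW_FILE, pad=SIMULATED_RAM if legacy else b"")
    ram, file_slack = vol.read_slack(10, size)
    return {
        "ram_slack": ram,
        "file_slack": file_slack,
        "old_mail_in_file_slack": OLD_MAIL[:24] in file_slack,  # b"From: alice@example.test"
        "old_mail_in_ram_slack": OLD_MAIL[:5] in ram,
    }


if __name__ == "__main__":
    r = demo()
    print(f"RAM slack: {len(r['ram_slack'])} bytes, all zero: {r['ram_slack'] == bytes(len(r['ram_slack']))}")
    print(f"file slack: {len(r['file_slack'])} bytes, old mail present: {r['old_mail_in_file_slack']}")
    print("legacy RAM slack:", demo(legacy=True)["ram_slack"])
```

With the default zero padding the 20 bytes of RAM slack are all zero and carry nothing, while the 3072 bytes of file slack still contain dozens of copies of the old email header; with the simulated legacy padding the same 20 bytes carry the first 20 bytes of the "RAM" buffer instead. A file that ends exactly on a cluster boundary returns empty slack of both kinds.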

Below is a video showing file slack, using EnCase 6.10. EnCase is currently better at viewing this type of data than FTK.


What is File Slack

August 31, 2008 — 585

What is File Slack?

This article looks at file slack: where it is and how to find it. Below is a video guide of how to view slack data in EnCase 6.10. For more detailed information on file slack see this article.

Requirements

To understand file slack, one must first understand the basic concepts of clusters and sectors.

File Slack

File slack, in short, is what the name implies: it is the "slack", the spare bit at the end of a file.

Technically it is the difference between the physical file size and the logical file size. The physical size is always the same as or greater than the logical size. If the physical size is greater than the logical size, the spare space between the logical and physical end of the file is known as "slack".

File slack is slightly different from RAM slack.


Is the unused space between the logical end of a file and the physical end of a file?

The unused space between the logical end of a file and the physical end of the file is the definition of slack space (file slack).

What is the name of the unused space that is created between the end of a file and the end of the last data cluster assigned to the file?

That space is file slack (slack space), and it should not be confused with unallocated space. Unallocated space, also referred to as "free space," is the area on a hard drive where new files can be stored. Conversely, allocated space is the area on a hard drive where files already reside; slack sits inside allocated space, at the end of a file's last cluster.

Is composed of the unused space in a cluster between the end of an active file's content and the end of the cluster?

File slack. It is the space between the end of the logical file and the end of the cluster containing the data. This slack space will usually contain data from files that used this space before.

Is unallocated space the same as slack space?

Unallocated space is free space on a hard drive that can be used to store data. It is a discrete number of clusters. Slack space is the unused space between the end of the actual file and the end of the cluster.