With increasing data storage sizes comes waste. In the Digital Forensics (AKA Computer Forensics) industry, this waste is called slack. Early in the home computer, IBM PC & Macintosh world, the trend moved from floppy disks to hard drives. In 1980, my first PC had a 20 MB hard drive, and some companies had hard drives up to 1 GB in size. Today, I have an 8 TB hard drive, which is 400,000 times the size of my first hard drive. The larger the drive, the larger the sector size becomes, in order to keep the indexing methods compatible with legacy hard drive formatting. My original hard drive had 512 byte sectors. Now, 4 KB to 64 KB sectors are common. For beginners, a sector is the smallest data block size used for disk storage. A cluster contains multiple sectors, a partition contains many clusters, and a hard drive contains one or more partition(s).
File System Slack
There are typically a few sectors left at the end of a hard drive that don't add up to a whole cluster. In the 70s, with the lower-density circular disks and platters, the engineers crammed as much data storage as they could onto the shape of the storage media. While the total storage capacity used up every bit of the round media, it didn't add up to a total that was evenly divisible by the logical structures used by the hard drive or floppy drive's controller. This should only amount to a few sectors in size. Some people call this Disk Slack.
After a hard drive is divided up into partition(s), there may be some clusters left unused. This slack space can be very large if the user is anticipating the creation of another partition in the future, or if they are intentionally creating a hidden space to hide data in. In this context, a disk volume is the representation of the entire hard drive that the computer system sees.
A partition is created with a specified size in sectors, which may not divide evenly into whole clusters. The few sectors left over are slack space. This should only amount to a few sectors in size.
File Slack
File slack is the storage space after the data in a file that fills the remaining capacity of the file's last cluster. These bytes consist of the RAM Slack followed by the Drive Slack. This extra space is included in the file's "physical" size, but not in its "logical" size. For example, if a 2KB file is stored on a disk with 4KB sectors and 16KB clusters, then the RAM Slack is 2KB (to complete the first sector's 4KB) and the Drive Slack is 12KB (to complete the cluster's 16KB). Some people call this Disk Slack.
RAM Slack
When a file's size leaves an incomplete sector, that last occupied sector needs to be completed before it can be written, because disk controllers write data to the disk one or more whole sectors or clusters at a time. In the 80s, the Microsoft/Personal Computer Disk Operating System (MS/PC DOS) grabbed the bytes needed to complete the sector from whatever happened to be in RAM (MS Windows 95a and earlier). That is how this slack became known as RAM Slack. In today's operating systems (MS Windows 95b and later), this potential data leakage has been resolved by filling the remaining bytes with zeros. So there is no value in collecting RAM slack unless you are working with extremely old hard drives.
Drive Slack (AKA Cluster Slack, Residual Slack)
When a file's size leaves some unoccupied sectors in its final cluster, those remaining sectors typically aren't overwritten. If those sectors still hold data from a file that was previously lost or deleted, that data is now protected from reuse, because the sectors belong to the cluster allocated to the newly written file. This slack gives investigators the potential to recover data from the past, alongside file carving of the unused disk space on the drive. Solid State Drives (SSD) may not retain any Drive Slack, depending on their garbage collection setting. Some people call this Disk Slack.
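The RAM slack / drive slack split described above, carried through as an added example that is not part of the original post: it works out both slack sizes from the file size and the disk geometry (using the post's 2KB file, 4KB sector and 16KB cluster figures), then carves the slack region out of a constructed final cluster and reports where the drive slack holds anything other than zeros. The geometry, the file contents and the "old fragment" left in the drive slack are all constructed here, as are the function names.

```python
"""
Added example (not from the original post): work out a file's RAM slack and
drive slack from its size and the disk geometry, then inspect the slack
region of the file's final cluster for residual data. The sector size,
cluster size, file size and cluster contents below are all constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SlackLayout:
    logical_size: int    # bytes of actual file data
    physical_size: int   # bytes allocated on disk (whole clusters)
    ram_slack: int       # bytes from the end of the data to the end of its last sector
    drive_slack: int     # bytes in the unused sectors of the final cluster


def slack_layout(file_size: int, sector_size: int, cluster_size: int) -> SlackLayout:
    """Split a file's physical allocation into data, RAM slack and drive slack."""
    if sector_size <= 0 or cluster_size <= 0 or cluster_size % sector_size:
        raise ValueError("cluster size must be a positive multiple of the sector size")
    if file_size < 0:
        raise ValueError("file size cannot be negative")
    if file_size == 0:
        # A zero-length file is allocated no cluster, so it has no slack at all.
        return SlackLayout(0, 0, 0, 0)
    clusters = -(-file_size // cluster_size)          # ceiling division
    physical = clusters * cluster_size
    ram_slack = (-file_size) % sector_size            # bytes to complete the last used sector
    drive_slack = physical - file_size - ram_slack    # whole unused sectors in the last cluster
    return SlackLayout(file_size, physical, ram_slack, drive_slack)


def nonzero_runs(buf: bytes):
    """Return [(offset, length), ...] for every run of non-zero bytes in buf."""
    runs, start = [], None
    for i, b in enumerate(buf):
        if b and start is None:
            start = i
        elif not b and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(buf) - start))
    return runs


def inspect_final_cluster(final_cluster: bytes, file_size: int, sector_size: int, cluster_size: int):
    """Carve the RAM slack and drive slack out of the file's last cluster and
    report where the drive slack holds anything other than zeros. On a modern
    OS the RAM slack is zero-filled, so non-zero drive slack is the part worth
    carving for remnants of earlier files."""
    layout = slack_layout(file_size, sector_size, cluster_size)
    if layout.physical_size == 0:
        return {"ram_slack": b"", "drive_slack": b"", "residue": []}
    if len(final_cluster) != cluster_size:
        raise ValueError("final_cluster must be exactly one cluster long")
    data_end = file_size - (layout.physical_size - cluster_size)   # data bytes used in this cluster
    ram = final_cluster[data_end:data_end + layout.ram_slack]
    drive = final_cluster[data_end + layout.ram_slack:]
    return {"ram_slack": ram, "drive_slack": drive, "residue": nonzero_runs(drive)}


# Constructed geometry and contents matching the post's 2 KB / 4 KB / 16 KB example.
SECTOR, CLUSTER, FILE_SIZE = 4096, 16384, 2048
OLD_FRAGMENT = b"remnant of a previously deleted file"   # constructed leftover data
DEMO_CLUSTER = (
    b"A" * FILE_SIZE                                          # the live file's data
    + b"\x00" * 2048                                          # RAM slack, zero-filled by the OS
    + OLD_FRAGMENT + b"\x00" * (12288 - len(OLD_FRAGMENT))    # drive slack: untouched old sectors
)


def demo():
    """Run the layout calculation and the slack inspection on the constructed cluster."""
    layout = slack_layout(FILE_SIZE, SECTOR, CLUSTER)
    report = inspect_final_cluster(DEMO_CLUSTER, FILE_SIZE, SECTOR, CLUSTER)
    return layout, report


if __name__ == "__main__":
    layout, report = demo()
    print(layout)
    for off, length in report["residue"]:
        print(f"non-zero drive slack at +{off}: {report['drive_slack'][off:off + length]!r}")
```

The ceiling division and the `(-file_size) % sector_size` trick handle the edge cases the post's numbers don't show: a file that ends exactly on a sector boundary has zero RAM slack, one that fills its last cluster has no drive slack, and one byte over a cluster boundary spills a whole new cluster of slack. On an SSD the drive slack region may come back all zeros regardless, for the garbage-collection reason given above.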
Object Slack
Each file format uses its own structure for storing blocks of data, which we universally refer to as Objects. Some file formats reserve more bytes than are needed for objects. For example, chunk-based file types often require objects to be a size that is a multiple of 4 bytes. If an object ends up being 10 bytes, then it is padded with trailing zeros to 12 bytes, which makes it end on a 4-byte multiple. Depending on the naming convention used in a file type, this slack may be named something else, like "Stream Slack". This "FI Object Explorer" partial screenshot exhibits one of the file viewers that will be included in our upcoming Dark Data Detective product.
Field Slack
Each object type uses its own structure for storing smaller blocks of data, which we universally refer to as Fields. Some file formats reserve more bytes than are needed for fields. For example, a text string may be 16 bytes long plus an additional trailing zero. The file format may reserve 32 bytes for that string. In that case, 15 bytes are wasted as field slack.
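Both of the in-file slack types above, as an added example that is not from the original post or from the Forensic Innovations tools: a small parser for a constructed chunk-based format (4-byte tag, 4-byte little-endian length, payload padded to a 4-byte multiple) that measures each object's padding and flags padding that isn't all zeros, plus a helper that splits a fixed-size NUL-terminated string field into the string and its field slack. The chunk layout, the tags, the sample bytes and every function name are invented for the example.

```python
"""
Added example (not from the original post): walk a constructed chunk-based
file whose objects are padded to 4-byte multiples, measure each object's
padding (object slack) and flag padding that is not all zeros, then do the
same for a fixed-size NUL-terminated string field (field slack). The chunk
layout, tags and sample bytes are all invented for this example.
"""
import struct
from typing import Optional

ALIGN = 4   # constructed rule: every object is padded to a multiple of 4 bytes


def padded_length(n: int, align: int = ALIGN) -> int:
    """Round n up to the next multiple of align (10 -> 12, 12 -> 12)."""
    return -(-n // align) * align


def build_chunk(tag: bytes, payload: bytes, padding: Optional[bytes] = None) -> bytes:
    """Construct one chunk: 4-byte tag, little-endian 4-byte length, payload, padding.
    Padding defaults to zeros; pass explicit bytes to simulate data left in slack."""
    pad_len = padded_length(len(payload)) - len(payload)
    if padding is None:
        padding = b"\x00" * pad_len
    if len(tag) != 4 or len(padding) != pad_len:
        raise ValueError("tag must be 4 bytes and padding must exactly fill the alignment gap")
    return tag + struct.pack("<I", len(payload)) + payload + padding


def walk_chunks(buf: bytes):
    """Parse consecutive chunks and report each object's slack.
    Returns a list of dicts: tag, offset, payload, slack, slack_nonzero."""
    objects, off = [], 0
    while off < len(buf):
        if off + 8 > len(buf):
            raise ValueError(f"truncated chunk header at offset {off}")
        tag = buf[off:off + 4]
        (length,) = struct.unpack_from("<I", buf, off + 4)
        start, end = off + 8, off + 8 + length
        if end > len(buf):
            raise ValueError(f"chunk {tag!r} at offset {off} claims {length} bytes past end of file")
        next_off = start + padded_length(length)
        slack = buf[end:min(next_off, len(buf))]   # the pad bytes are the object slack
        objects.append({
            "tag": tag.decode("ascii", "replace"),
            "offset": off,
            "payload": buf[start:end],
            "slack": slack,
            "slack_nonzero": any(slack),          # zeros are expected; anything else is residue
        })
        off = next_off
    return objects


def field_slack(field: bytes, reserved: int):
    """Split a fixed-size NUL-terminated string field into (string, slack bytes).
    An unterminated field uses its whole reservation and has no slack."""
    if len(field) != reserved:
        raise ValueError(f"field must be exactly {reserved} bytes")
    nul = field.find(b"\x00")
    if nul < 0:
        return field, b""
    return field[:nul], field[nul + 1:]


# Constructed sample file: one clean 10-byte object and one 5-byte object whose
# padding still carries bytes from whatever previously occupied that space.
SAMPLE_FILE = (
    build_chunk(b"TEXT", b"0123456789")                    # 10 bytes -> padded to 12, zero slack
    + build_chunk(b"NOTE", b"hello", padding=b"xyz")       # 5 bytes -> padded to 8, 3 bytes of slack
)

# Constructed 32-byte name field holding a 16-character string plus its terminator,
# with stale bytes left behind in the 15 bytes of field slack.
SAMPLE_FIELD = b"ForensicSlack123" + b"\x00" + b"OLDVALUE" + b"\x00" * 7


def demo():
    """Parse the sample file and the sample field; returns (objects, (string, slack))."""
    return walk_chunks(SAMPLE_FILE), field_slack(SAMPLE_FIELD, 32)


if __name__ == "__main__":
    objects, (name, slack) = demo()
    for obj in objects:
        flag = " (non-zero!)" if obj["slack_nonzero"] else ""
        print(f"{obj['tag']} @ {obj['offset']}: {len(obj['payload'])} bytes payload, "
              f"{len(obj['slack'])} bytes slack{flag}")
    print(f"field string {name!r}, {len(slack)} bytes of field slack: {slack!r}")
```

The parser trusts the length field only after checking it against the buffer, which is the check a real object viewer needs so that a malformed or hostile length cannot send it reading past the end of the file. The 16-byte string plus terminator in a 32-byte reservation gives exactly the 15 bytes of field slack the paragraph above describes.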
With different disk formats come additional, more specific types of slack space. Slack space isn't the only place that data can be hidden. This post is intended to cover the basics, and is not intended to be a complete reference on the topic. Please click on the image links to find further reading on each topic.
At Forensic Innovations, we don’t yet handle slack space outside of each file. Instead, we focus on what we are best at, and research the many types of objects that occur within each file type. It’s like focusing on the cells in a body, rather than the body as a whole. We’re researchers, not doctors.