I just read about slack space, which is the unused space at the end of a sector. This space is unused in some sectors when either the file itself is smaller than the sector or the sector contains the end of a file, which is likely not to fill the sector completely.

It seems to be a good practice to inspect the slack space of a filesystem too. It might contain data left from overwritten files or even data hidden there on purpose.

I understand the theoretical value of this but I am very sceptical if this practice will come up with any really useful results. Am I missing something or is the probability of success really just a matter of luck?

davidb
`It seems to be a good practice to inspect the slack space of a filesystem too` - Can you clarify this? When is it good practice to do such? Do you have a reference? – Neil Smithline Dec 28 '15 at 01:46
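To make the mechanism in the question concrete, here is an added Python model of file slack; it is not code from the question or either answer. It builds an in-memory disk of fixed-size clusters, writes a file, "deletes" it the way most filesystems do (the allocation is forgotten, the clusters are not wiped), then writes a smaller file into the same clusters. The new file's last cluster keeps a fragment of the old file in its slack, and a simple keyword search over slack finds it. The cluster size, file names and contents are all constructed for the demonstration.

```python
"""Toy model of file slack on a cluster-based filesystem (added example)."""

CLUSTER_SIZE = 512  # assumed allocation unit; real filesystems commonly use 4 KiB


class ToyDisk:
    """A disk image (bytearray) plus a minimal allocation table."""

    def __init__(self, n_clusters: int):
        self.image = bytearray(CLUSTER_SIZE * n_clusters)
        self.files: dict[str, tuple[list[int], int]] = {}  # name -> (clusters, size)
        self.free = list(range(n_clusters))

    def write(self, name: str, data: bytes) -> None:
        needed = -(-len(data) // CLUSTER_SIZE)  # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        clusters = [self.free.pop(0) for _ in range(needed)]
        for i, c in enumerate(clusters):
            chunk = data[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            start = c * CLUSTER_SIZE
            # Only len(chunk) bytes are written; the tail of the last cluster is untouched.
            self.image[start:start + len(chunk)] = chunk
        self.files[name] = (clusters, len(data))

    def delete(self, name: str) -> None:
        clusters, _ = self.files.pop(name)
        # Typical behaviour: clusters go back to the free list, their contents stay.
        self.free = sorted(self.free + clusters)

    def file_slack(self, name: str) -> bytes:
        """Bytes between the logical end of the file and the end of its last cluster."""
        clusters, size = self.files[name]
        used_in_last = size % CLUSTER_SIZE
        if used_in_last == 0:
            return b""  # file ends exactly on a cluster boundary: no slack
        last = clusters[-1]
        start = last * CLUSTER_SIZE + used_in_last
        return bytes(self.image[start:(last + 1) * CLUSTER_SIZE])


def search_slack(disk: ToyDisk, needle: bytes) -> dict[str, int]:
    """Return {file_name: offset_in_slack} for every file whose slack contains needle."""
    hits = {}
    for name in disk.files:
        pos = disk.file_slack(name).find(needle)
        if pos != -1:
            hits[name] = pos
    return hits


def demo() -> tuple[bytes, dict[str, int]]:
    disk = ToyDisk(n_clusters=8)
    # Constructed "old" file: exactly 1024 bytes (two clusters), marker in the 2nd cluster.
    old = b"A" * 800 + b"SECRET-TOKEN-12345" + b"B" * 206
    disk.write("old.bin", old)
    disk.delete("old.bin")
    # Constructed "new" file: 700 bytes, reuses clusters 0 and 1, fills only 188 bytes of cluster 1.
    disk.write("new.txt", b"N" * 700)
    slack = disk.file_slack("new.txt")  # 324 bytes of old.bin survive here
    return slack, search_slack(disk, b"SECRET-TOKEN")


if __name__ == "__main__":
    slack, hits = demo()
    print(len(slack), "slack bytes; hits:", hits)
```

The point the model makes is the one the answers below argue about: what survives in slack is whatever the previous occupant of that cluster left there, so the yield depends on cluster size, how much the filesystem has churned since, and whether the data you want happened to sit in the tail of a reused cluster. On a real image the same extraction is done by the forensic toolkit rather than by hand (The Sleuth Kit's `blkls -s`, for instance, dumps only slack space, which you can then run a keyword search over).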

2 Answers

2

This doesn't have a definitive answer.

It depends on what the workstation is used for, what information is stored in the slack space, how much data overwrites valuable information before you get to it, and even what you consider valuable information.

During forensic analysis, you always read and analyse the entire filesystem, because sometimes you will have useful data, but you really only stand a chance of finding recent data on an HDD.

On an SSD, as @NeilSmithline commented, things are a little different, as writes aren't to the same location - overwriting doesn't happen in the same way: wear-balancing moves write areas across the addressable space on the SSD, so forensic analysis can turn up a lot more consistent data. Given time though, you'll still lose data of interest, so time is always considered of the essence.

Rory Alsop
0

Analysis and doing searches of slack space is definitely part of forensic best practice, but it is a messy analysis. During forensic analysis there are a lot of factors affecting what will be located in slack space: OS type, workstation usage, and time. Admittedly forensics requires a lot of luck and creativity, but taking a look at slack is important as it may be the last place of remaining evidence on the disk. If you are looking for a deleted virtual machine file 3 months after it has been deleted you may be out of luck; the computer has probably reused that space, but finding a fragment of a VM snapshot or system info files may provide the information you need. Because the data is not in a file structure anymore and evidence could easily be wiped, it's frustrating, but it should not be ignored if you're doing forensic image analysis.

Escher