I just read about slack space which is the unused space at the end of a sector. This space is unused in some sectors when either the file itself is smaller then the sector or the sector contains the end of a file, which is likely to not fill the sector completely.
It seems to be a good practice to inspect the slack space of a filesystem too. It might contain data left from overwritten files or even data hidden there on purpose.
I understand the theoretical value of this but I am very sceptical if this practice will come up with any really useful results. Am I missing something or is the probability of success really just a matter of luck?