2

I'm using Autopsy and need to recover a hidden password inside a slack space in another file.

Autopsy shows that each sector of my disk is 512 bytes. The file starts at sector 4365 and the file is 677 bytes large. Calculating 4365 sectors * 512 bytes/sector + 677 bytes = 2,235,557, which should be where my slack space is.

My file that I need to look through doesn't have that big an offset, and the $Unalloc file shows nothing when I go to offset 2,235,557.

I'm not sure where I'm supposed to look: the actual existing file, or the $Unalloc file that has the deleted contents, which does have the offset I'm looking for but has nothing but 0s at that offset.

schroeder
hicu0

1 Answer

2

I'm not sure, but do you know that file slack is the difference between the physical file size and the logical file size?

Assuming you are investigating a standard Windows PC with a standard hard drive, and given the sector size you gave, the cluster size should be 8 sectors, which is 4 KB.

Your file is 677 bytes, which means it's given 4096 bytes of space (which is 1 cluster, or the smallest unit that can be handled by your file system). This means that the difference between the end of your logical file (677 bytes) and the end of the physical size given (4096 bytes) is your slack.

Check this link out, it may help: Analysis of hidden data in the NTFS file system

Soufiane Tahiri
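The offset arithmetic from the question and the logical-versus-physical size distinction from the answer, worked through as an added example (this is not code from the original question or answer, and it is not part of Autopsy or The Sleuth Kit). It assumes the numbers given on the page (512-byte sectors, file starting at sector 4365, 677 bytes long) and the answer's assumption of 8 sectors per cluster; the disk image it reads is constructed in memory, with a made-up string planted a few bytes into the slack so that there is something to find.

```python
"""Locate and carve one file's slack space from a disk image.

Added worked example; assumptions: 512-byte sectors (from the question),
8 sectors per cluster (the answer's NTFS default), and a file stored in
one contiguous run of clusters starting at the given sector.
"""
import io

SECTOR_SIZE = 512          # from the question
SECTORS_PER_CLUSTER = 8    # assumed NTFS default -> 4096-byte clusters


def slack_region(start_sector, logical_size, sector_size=SECTOR_SIZE,
                 sectors_per_cluster=SECTORS_PER_CLUSTER):
    """Return (slack_start_offset, slack_length) in bytes.

    Physical size = logical size rounded up to whole clusters; the slack is
    the gap between the logical end of the file and that physical end.
    """
    cluster_size = sector_size * sectors_per_cluster
    physical_size = -(-logical_size // cluster_size) * cluster_size  # ceiling
    file_start = start_sector * sector_size
    slack_start = file_start + logical_size
    return slack_start, physical_size - logical_size


def carve_slack(image, start_sector, logical_size, partition_offset=0, **kw):
    """Read the slack bytes of one file from a file-like disk image.

    partition_offset (bytes) is added when the sector number is relative to
    the start of a partition but the image is of the whole disk.
    """
    start, length = slack_region(start_sector, logical_size, **kw)
    image.seek(partition_offset + start)
    return image.read(length)


def printable_runs(data, min_len=4):
    """Pull out ASCII runs (like `strings`) so hidden text stands out among zeros."""
    runs, cur = [], bytearray()
    for b in data:
        if 32 <= b < 127:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return runs


def build_sample_image(start_sector=4365, logical_size=677,
                       hidden=b"flag{constructed-example}"):
    """Constructed image: zeros up to the file, 677 bytes of 'A' for the file
    body, then a planted string 16 bytes into the slack; rest of cluster zero."""
    cluster = SECTOR_SIZE * SECTORS_PER_CLUSTER
    slack_start, _ = slack_region(start_sector, logical_size)
    img = bytearray(start_sector * SECTOR_SIZE + cluster)
    file_start = start_sector * SECTOR_SIZE
    img[file_start:file_start + logical_size] = b"A" * logical_size
    img[slack_start + 16:slack_start + 16 + len(hidden)] = hidden
    return io.BytesIO(bytes(img))


if __name__ == "__main__":
    start, length = slack_region(4365, 677)
    print(f"slack starts at byte offset {start} and spans {length} bytes")
    print(printable_runs(carve_slack(build_sample_image(), 4365, 677)))
```

Two things to check before trusting the numbers on a real image: the cluster size (The Sleuth Kit's `fsstat` reports it for an NTFS volume rather than assuming 8 sectors), and whether the sector number is relative to the partition or to the whole disk, since seeking at a partition-relative offset in a whole-disk image lands in the wrong place and typically shows only zeros.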