Sunday, 18 March 2012

Slack Space

Slack space is the unused space between the end of the actual file and the end of the defined data unit (cluster). A cluster is the smallest unit of storage that the operating system can deal with.

For example, assume that the OS uses a 4k cluster and a 512-byte sector, meaning it writes data in 4k increments made up of eight 512-byte sectors, regardless of the actual size of the file being written. This means that if a 2000-byte file were written to this cluster, the remaining 2096 bytes would be slack. Within this slack space there are two areas to consider: the first lies between the end of the actual file and the end of the sector in which the file ends, and the second is the remaining sectors in the cluster that contain no data, as depicted below.



In the example above, we see that the file will write 3 complete sectors and partially fill the fourth sector, leaving the remaining sectors in the cluster unchanged. The first area of slack, sometimes referred to as RAM slack, is padded with data as determined by the OS. What happens to the remaining area is also OS dependent: it can either be left untouched or wiped.

In cases where the OS does not wipe the unused sectors, they will hold remnants of the file that previously occupied them. The impact of this depends on what the contents of the previous file were. As an example, assume that it was a large file containing a list of customers and their personal information. An analysis of the slack space in this case could uncover a portion of this list and expose sensitive information.

Another risk presented by slack space is that it can be used to hide data from the OS and/or host application, and a number of tools exist to allow such activities.
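The 2000-byte example above, worked through in code as an added example that is not part of the original post: it locates both slack areas for any file size and shows what an examiner would recover from the untouched sectors. The function names are hypothetical, the customer data is constructed, and the model assumes an OS that zero-pads the partial sector and leaves the remaining sectors untouched.

```python
from dataclasses import dataclass

SECTOR, CLUSTER = 512, 4096  # sizes used in the post's example

@dataclass
class SlackLayout:
    full_sectors: int    # sectors of the last cluster completely filled by the file
    ram_slack: range     # offsets from end of file to the end of its last sector
    sector_slack: range  # offsets of the remaining whole sectors in the cluster

def slack_layout(file_size, sector=SECTOR, cluster=CLUSTER):
    """Locate both slack areas in the last cluster of a file_size-byte file."""
    if file_size <= 0 or sector <= 0 or cluster % sector:
        raise ValueError("need file_size > 0 and cluster a multiple of sector")
    used = file_size % cluster or cluster        # file bytes in the last cluster
    sector_end = -(-used // sector) * sector     # round up to a sector boundary
    return SlackLayout(used // sector, range(used, sector_end),
                       range(sector_end, cluster))

def write_file(cluster_buf, data, sector=SECTOR):
    """Assumed OS behaviour: zero-pad the partial sector, leave the rest untouched."""
    if len(data) > len(cluster_buf):
        raise ValueError("this model writes a file that fits in one cluster")
    lay = slack_layout(len(data), sector, len(cluster_buf))
    out = bytearray(cluster_buf)
    out[:len(data)] = data
    out[lay.ram_slack.start:lay.ram_slack.stop] = bytes(len(lay.ram_slack))
    return bytes(out)

def residual(cluster_buf, file_size, sector=SECTOR):
    """Return what the untouched sectors still hold from the previous file."""
    lay = slack_layout(file_size, sector, len(cluster_buf))
    return cluster_buf[lay.sector_slack.start:lay.sector_slack.stop]

# Constructed sample: a cluster that previously held a customer list.
PREVIOUS = (b"customer=Example Person;phone=555-0100\n" * 110)[:CLUSTER]

if __name__ == "__main__":
    lay = slack_layout(2000)
    print(lay.full_sectors, len(lay.ram_slack), len(lay.sector_slack))
    after = write_file(PREVIOUS, b"A" * 2000)
    print(residual(after, 2000)[:80])
```

For the 2000-byte file, the 2096 bytes of slack split into 48 bytes of RAM slack and 2048 bytes (four whole sectors) that still carry the previous file's records.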
