Unallocated and Slack

With most disk operating systems there are areas of the disk that are not normally read by the file system but that can still contain useful information, in particular as part of a forensic investigation.

The two main areas often investigated are Unallocated Space and Slack Space.

Unallocated space is fairly obvious, in that it is spare space on the disk that could be used for files.  The interest in this space is that it may also have been used by files that have since been deleted, or may hold data left over from a previous incarnation of the disk.

Slack space is slightly more complex. An operating system always works in fixed chunks of data, often called clusters.  A cluster may be a single sector, but is often a series of sectors, and typical clusters are 4K, or up to 64K, in length.  When a file is written, space can only be allocated in whole clusters, so there is normally spare space at the end of a file in the final cluster.  As an example, if the cluster size is 32K, and a 41K file is written, then 64K of space will be allocated to the file.  41K will be data, and 23K will be slack space.  The contents of the slack space are not defined, but may often include previous data that was on the disk before the file was written.

NTFS disks have an additional twist to slack space. Short files can be stored within the 1K directory entry, and so it is possible to have space at the end of a directory entry that may contain previous short files, or partially overwritten files. CnW can recover this data for later forensic-style examination if required.

When doing disk recoveries, CnW can optionally save the slack space as individual files.  In a similar way, unallocated space can also be saved, and attempts are made to identify the type of data found in the unallocated space.  Thus an old picture may be saved with a .jpg extension if the start of the data conforms to a JPG file.

 

CnW Recovery  Lewes East Sussex  UK
