Slack space is unused storage space that can contain valuable information when analysed. Every hard disk drive consists of circular storage disks called platters. These platters have logical segments called sectors, each of a particular size, which store the data. If the file size is less than the size of the allocated sector, the remaining unused space becomes the “slack space”.

When the data stored in that sector is deleted, the sector is only marked as available for new data to occupy. If the new data copied to the same sector space is smaller than the previous data, the difference between the old data and the new data becomes leftover slack space, which still holds the old data until new data of the same size requests a reallocation. For instance, consider a new 1TB hard drive with a “file allocation size” of 512MB. Assuming a file of 1024MB is to be stored, the HDD uses two blocks of 512MB each. If this file is deleted and a new file is added, the same space is reused/reallocated. However, if the new file is smaller than the former (say 500MB), then there is an unused space of 12MB in that block, which is now the slack space!
The major advantage of slack space in digital forensics is that it helps in extracting fragments of sensitive or vital information, which can become predominant evidence in an investigation. However, slack space is not directly accessible to end users, so forensic investigators use sophisticated tools and techniques to extract such pieces of evidence.
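
The reuse scenario above, as an added example that is not part of the original post: a toy in-memory volume (not a real filesystem) with the allocation unit scaled down from 512MB to 512 bytes, so the 1024/500 case leaves 12 bytes of the old file in slack. The `ToyVolume` class, the file names and the file contents are constructed for illustration.

```python
UNIT = 512  # allocation unit in bytes (assumption: the post's 512MB, scaled down)

class ToyVolume:
    """Toy in-memory volume; hypothetical model, not a real filesystem."""
    def __init__(self, units):
        self.data = bytearray(units * UNIT)
        self.free = list(range(units))
        self.files = {}  # name -> (allocated unit indexes, logical size)

    def write(self, name, content):
        needed = max(1, -(-len(content) // UNIT))  # ceiling division
        if needed > len(self.free):
            raise OSError("volume full")
        units = [self.free.pop(0) for _ in range(needed)]
        for i, u in enumerate(units):
            chunk = content[i * UNIT:(i + 1) * UNIT]
            # Only the new bytes are written; the tail of the unit is untouched.
            self.data[u * UNIT:u * UNIT + len(chunk)] = chunk
        self.files[name] = (units, len(content))

    def delete(self, name):
        # Deletion only marks the units reusable; their bytes stay on "disk".
        units, _ = self.files.pop(name)
        self.free = sorted(self.free + units)

    def _slack_range(self, name):
        units, size = self.files[name]
        used_in_last = size - (len(units) - 1) * UNIT
        return units[-1] * UNIT + used_in_last, (units[-1] + 1) * UNIT

    def slack(self, name):
        start, end = self._slack_range(name)
        return bytes(self.data[start:end])

    def wipe_slack(self, name):
        start, end = self._slack_range(name)
        self.data[start:end] = bytes(end - start)  # overwrite with zeros

def demo():
    vol = ToyVolume(units=4)
    old = (b"CONSTRUCTED-SECRET-RECORD;" * 40)[:1024]  # constructed old file
    vol.write("old.dat", old)
    vol.delete("old.dat")
    vol.write("new.dat", b"N" * 500)       # smaller file reuses unit 0
    residue = vol.slack("new.dat")         # 12 bytes left over from old.dat
    vol.wipe_slack("new.dat")
    return old, residue, vol.slack("new.dat")

if __name__ == "__main__":
    old, residue, after = demo()
    print(len(residue), residue, after)
```

The second unit that the old file occupied is simply freed in this model; only the tail of the reused unit counts as the new file's slack.
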
Several tools are available to delete temp files and clear slack space from a storage drive, so that it becomes almost impossible to retrieve data from slack space. Another approach is overwriting the slack space: multiple files are used to perform a series of create, delete and replace actions until a threshold is reached where the previously deleted sensitive file cannot be reassembled or recovered. Furthermore, the best practice for deleting any sensitive file or folder is to perform file shredding so that the data cannot be reassembled.
Thanks for the read! 🙂