File Slack and Application

(@ad3161)
Posts: 2
New Member
Topic starter
 

A general question about file slack.

How does an application "know" not to include the file slack into content when a file is opened?

I know that some files have footers but not all.

Also, when a file is copied how does the OS "know" only to copy the file contents & not the slack space?

 
Posted : 17/01/2015 10:31 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

Because a file has a size - and all bytes up to the size of the file are part of it - any other bytes after the end of the file, but included in the sectors allocated to the file, are slack.

 
Posted : 18/01/2015 3:25 am
(@athulin)
Posts: 1156
Noble Member
 

How does an application "know" not to include the file slack into content when a file is opened?

It doesn't. The operating system does all that for the application. Typically, the application opens the file, and then reads repeatedly from it until the read operation fails when the end of the file has been reached (and the operating system detects when that happens). If the application ignores that and continues to read, it's up to the operating system to ensure that that doesn't leak information. Early operating systems were bad at this.

If you know what a file is – an ordered sequence of data with specific content (and thus, with a definite length) – you'll see that that definition doesn't have anything like 'file slack'.

File slack happens … so to speak 'below' the system level that files exist on. It's part of how files are implemented on sector-structured storage units: the last sector allocated to the file will often be different from the others in that not all bytes in it will be part of the actual file contents.

There are situations in which the application needs to be aware of special end-of-file conditions, but they're usually old and outdated. In DOS times, the byte 0x1A (control-Z) was used by some applications to indicate that there was no more significant content in the file from that point on. (Typically text files.) A situation similar to file slack, but not the same. If the application operating on such a file didn't follow that convention, strange things happened at the end of those files.

Also, when a file is copied how does the OS "know" only to copy the file contents & not the slack space?

You seem to be thinking that file length is the number of sectors (or clusters) allocated to the file, i.e. you are looking at how files are implemented.

But files are more abstract than that – they should be independent of how they are stored. A file is better viewed as a specific sequence of bytes. (That implies that a file also has a specific length.)

So how do you know what length a particular file has? That depends on the file system used, but is as far as I can recall always stored in some kind of file control block. Thus, the operating system does know exactly how long the file is (or more exactly, the file system part of the operating system). Every write to the file is checked – if it changes the length of the file, then that's recorded in the file control block.
(On Windows / NTFS, those are called MFT records. Other file systems have other names for them.)

This kind of question is often best answered by learning programming. Second best is to learn the details of some file system. If you haven't read Brian Carrier's book File System Forensic Analysis, do so. You'll find most of all questions you could think of regarding files and file systems answered somewhere in that book. (Not all – most.)

 
Posted : 18/01/2015 12:23 pm
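
The point made in the replies above, shown as an added example that is not part of any poster's reply: the length stored in the file control block bounds every read, while the raw clusters still hold whatever was there before. The toy volume, the `FileRecord` layout, the 4096-byte cluster size and all names are assumptions made for illustration, and the data is constructed.

```python
# Added illustration: a toy cluster-based volume (constructed data, not a real file system).
from dataclasses import dataclass

CLUSTER = 4096  # assumed cluster size in bytes


@dataclass
class FileRecord:
    """Hypothetical stand-in for a file control block (e.g. an NTFS MFT record)."""
    name: str
    clusters: list  # cluster numbers allocated to the file, in order
    size: int       # logical length in bytes, updated on every write


def write_file(volume: bytearray, rec: FileRecord, data: bytes) -> None:
    """Store data in the allocated clusters and record the new logical length."""
    if len(data) > len(rec.clusters) * CLUSTER:
        raise ValueError("data does not fit in the allocated clusters")
    for i, c in enumerate(rec.clusters):
        chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
        # Only len(chunk) bytes are overwritten; the rest of the cluster keeps old bytes.
        volume[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
    rec.size = len(data)


def _raw(volume, rec: FileRecord) -> bytes:
    """All bytes in the allocated clusters, as seen on the raw device."""
    return b"".join(volume[c * CLUSTER:(c + 1) * CLUSTER] for c in rec.clusters)


def read_file(volume, rec: FileRecord, offset: int = 0, count: int = -1) -> bytes:
    """What the OS hands an application: never anything past rec.size."""
    end = rec.size if count < 0 else min(rec.size, offset + count)
    return _raw(volume, rec)[offset:end]


def file_slack(volume, rec: FileRecord) -> bytes:
    """What an examiner reads from the raw device: allocated bytes after end of file."""
    return _raw(volume, rec)[rec.size:]


def demo():
    volume = bytearray(8 * CLUSTER)
    rec = FileRecord("report.txt", clusters=[5, 2], size=0)
    # First version: 4196 bytes, ending partway into the second cluster.
    write_file(volume, rec, b"A" * CLUSTER + b"B" * 40 + b"OLD-SECRET" + b"B" * 50)
    # Shorter second version: 4113 bytes. The tail of the first version is not erased.
    write_file(volume, rec, b"C" * CLUSTER + b"short replacement")
    return read_file(volume, rec), file_slack(volume, rec), volume, rec
```

A copy operation behaves like `read_file`: it receives only `rec.size` bytes, so the residue returned by `file_slack` never reaches the copy.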