Volume slack vs file system slack; confusing definition

Volume slack vs file system slack; confusing definition

Posted: Thu Jul 12, 2012 1:09 am

Hi all,

Can you clearly understand the difference between "volume slack" and "file system slack"?

I have come across the following definitions on the internet, which say:
"...Volume slack is the unused space between the end of file system and end of the partition where the file
system resides. File system slack, is the unused space in the end of a file system that is not allocated to any cluster..."

I understand file system slack clearly. It makes sense easily as it is mathematical; however, volume slack's definition is not clear. The definition says "unused space between the end of file system and end of the partition where the file system resides." That does not tell why it exists. Where does it come from? What is it that causes volume slack to emerge?

Can you make a clearer differentiation?

Regards,  

yunus
Senior Member
 
 
  

Re: Volume slack vs file system slack; confusing definition

Posted: Thu Jul 12, 2012 3:46 am

- yunus
"...Volume slack is the unused space between the end of file system and end of the partition where the file system resides.


That seems clear enough. If the granularity of the partition and the file system are different, there will be space in the partition that the file system cannot utilize. That's what I personally would call 'partition slack' -- space in a partition that isn't used by whatever structure the partition contains.

The term 'volume slack' hints at Carrier being the possible source of this definition -- and indeed, on p. 178 in 'File System Forensic Analysis', I find a definition that covers it.

However, I also find (in Vacca: System Forensics, Investigation and Response, p. 86), a different definition, in which 'volume slack is the space that remains on a hard drive if the partitions do not use all the available space'. (But perhaps Vacca defines 'volume' in some new way?)


File system slack, is the unused space in the end of a file system that is not allocated to any cluster..."


That seems to presuppose a file system that has an explicit or implicit specification of extent that has a granularity larger than a single sector. (It also seems to make an assumption about where filesystems may place clusters, which doesn't seem to have anything to recommend it.)

The source I think you are referring to also says: "... This happens due to the partition size may not be the multiple of the cluster size (Carrier, 2005). For example, there are 10001 sectors in the partition, the first 10000 sectors are allocated to 2500 clusters with the cluster size of 4 sectors and the last sector left becomes file system slack."

I suspect a general attack of confusion, possibly brought on by the differences in terminology -- note that this writer does not use 'volume', but 'partition', and also seems to think that clusters are related to partitions instead of file systems, i.e. he appears to have mislaid an entire level in the hierarchy of on-disk structures.


As for the meaning, I suggest you ask the author himself: he might simply have expressed himself unfortunately. Ask him to give an example of a file system / partition combination which may exhibit this particular form of slack, for example.

(Added: More likely, the definition was not intended to be a general definition, but refer only to NTFS.)

athulin
Senior Member
 
 
  

Re: Volume slack vs file system slack; confusing definition

Posted: Thu Jul 12, 2012 4:31 am

yunus, the definition you found, I presume here:
www.forensicfocus.com/...66/page=2/
is IMHO somewhat misleading lexically, (personally I would call the "Volume slack" "partition slack").

To me Volume and filesystem are the SAME thing (with the exception for "recent" NTFS of the excess copy of the bootsector on last sector).

This latter however helps to clear the idea.

On a normal disk, with only one partition, NTFS formatted, geometry 255/63, you will have this situation:
  • MBR+hidden sectors (let us assume a 2K/XP, these will be 63 sectors)
  • Partition, extending from (say) sector 63 to sector 625121280
  • The partition extends for 625121280-63=625121217 sectors.
But if you look in BPB of the bootsector, you will see how the NTFS volume is 625121216 in size.
This is because there is a (by design) "partition slack" of exactly one sector between the end of the Volume (or filesystem) and this "unindexed anywhere" sector is filled with a backup copy of the first sector of the Volume (or filesystem).

Those that are used to MS tools are somewhat "deceived" by the fact that on disks the FORMAT command is NOT "independent" from the "disk management".
The procedure is:
  1. use FDISK or Disk Management or diskpart to create the partition
  2. a drive letter is assigned to the partition thus created (actually to the unformatted Volume that the partition represents)
  3. the Format command is then run on the drive letter and it "fills" the whole space of the partition (actually unformatted volume) with a filesystem (in the case of NTFS the filesystem is one sector smaller than the space available)
The various "advanced" partition tools that are able to resize partitions also keep the partition size linked to the Volume and to the filesystem, resizing these latter ones accordingly.

But actually nothing prevents you from creating a smaller filesystem (or a bigger partition), as an example by creating a partition and volume filesystem "normally" and then manually changing the data in the partition table in the MBR to add some sectors to the partition size (i.e. shifting its end by a few sectors).

In this operation the Volume and filesystem data is not touched in the least and you have a number of "slack" sectors after the end of the Volume/filesystem and before the start of the following partition (or the end of the disk).

If you prefer, the entry in the MBR partition table is only saying that from address X to address Y there is "something" (i.e. that that space is "reserved" to "something" and that to know what is the something you should read the data in the first sector of the addressed space).
Once you read that data (filesystem size) you use these latter data only, and you are not going to check if it is exactly the same as the "reserved space" you read before in the MBR.

Think of it as a building, let's say a six storeys one with 2 flats at each level.
When you build it you buy a nice brass plate for the doorbell pushbuttons nicely aligned in 6 rows by 2 columns.
Then a rich man buys the two top flats and makes a single apartment/penthouse out of them.
You have three possibilities:

  1. you leave everything "as is" and have the two top buttons with two tags to the same name (and connect them to the same single doorbell)
  2. you leave everything "as is" and have the two top buttons one with a name tag connected to the single doorbell and one with a blank tag and the button not connected
  3. you buy a new brass plate with 5 rows with two buttons and the top row with a single button
If you choose #3 you have effectively created an "apartment slack" (or a "flat slack"), or, if you prefer, you have "unindexed" an area of the building.

HTH

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Volume slack vs file system slack; confusing definition

Posted: Thu Jul 12, 2012 8:33 pm

@jaclaz
You are right, I think, regarding the cited definitions. But it generally is an unwanted situation and except for those who are faced with the particular problem there should not be many undersized file systems. Someone should rather have an eye on the space between partitions, which is commonly used by advanced malware for its own (encrypted) file systems.

C.R.S.
Senior Member
 
 
  

Re: Volume slack vs file system slack; confusing definition

Posted: Fri Jul 13, 2012 2:47 am

- C.R.S.

Someone should rather have an eye on the space between partitions, which is commonly used by advanced malware for its own (encrypted) file systems.

Yep, that is a "third type" of slack, gaps between a partition or volume and the one following it.
I would call it "disk slack".
A particular case of it is (was) typical on devices partitioned with the "old" standard of "aligned cylinder": you always had some space, smaller than 1x255x63x512=8,225,280 bytes (on a 255/63 geometry device) at the END of the disk, i.e. the disk space is not fully indexed in the partition tables of the MBR and of the various EPBR's.

Also very easy to reproduce experimentally.
Create one partition (or volume inside Extended).
Create a (very small) second partition (or volume inside Extended).
Create a third partition (or volume inside Extended).
Delete the second partition.
You have effectively created a little "no man's land" on the disk that you can read/write all right with direct access disk tools, such as a disk editor, dd and similar, etc.

In the previous building example that would correspond to a "hidden level" that the builder has made (of course with no windows on the outside) between (say) 3rd and 4th floor, that you can access through an undocumented stop of the elevator.

To sum up:
  1. "filesystem slack" <- unindexed space within the filesystem
  2. "volume or partition slack" <- unindexed space outside the filesystem but inside the partition/volume
  3. "disk slack" <- unindexed space outside the partition/volume but (obviously) inside the disk

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
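The partition-table and BPB figures in jaclaz's NTFS post, and the three-level summary just above, as an added worked example in Python (not code from the thread or from any tool named in it): it parses a constructed MBR and constructed NTFS boot sectors and classifies the unindexed space the way the summary does. The sector numbers for partition 1 are jaclaz's; the disk size, the second partition and the gap in front of it are assumptions, labelled in the code, standing in for the delete-the-middle-partition experiment. The file-system slack figure follows the definition yunus quoted (sectors left over once the volume is divided into whole clusters), which athulin questions above, and the offsets of the MBR entries and of the NTFS BPB fields are the documented on-disk layout.

```python
import struct

SECTOR = 512  # bytes per sector assumed throughout (classic 512-byte geometry)


def build_mbr(entries):
    """Construct a minimal MBR whose partition table holds the given
    (start_lba, size_in_sectors) pairs. Constructed test data, not a real disk."""
    mbr = bytearray(SECTOR)
    for i, (start, size) in enumerate(entries):
        off = 446 + 16 * i  # four 16-byte entries starting at offset 446
        mbr[off] = 0x80 if i == 0 else 0x00  # boot flag
        mbr[off + 4] = 0x07  # partition type 0x07 = NTFS
        struct.pack_into("<II", mbr, off + 8, start, size)  # LBA start, sector count
    mbr[510:512] = b"\x55\xaa"  # boot signature
    return bytes(mbr)


def build_ntfs_boot_sector(total_sectors, sectors_per_cluster=8):
    """Construct an NTFS boot sector carrying only the BPB fields read below."""
    bs = bytearray(SECTOR)
    bs[3:11] = b"NTFS    "  # OEM id
    struct.pack_into("<H", bs, 0x0B, SECTOR)  # bytes per sector
    bs[0x0D] = sectors_per_cluster
    # TotalSectors: the volume size, which excludes the backup boot sector
    struct.pack_into("<Q", bs, 0x28, total_sectors)
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)


def parse_mbr(mbr):
    """Return the non-empty primary partition entries, sorted by start sector."""
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        ptype = mbr[off + 4]
        start, size = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0 and size != 0:
            parts.append({"type": ptype, "start": start, "size": size})
    return sorted(parts, key=lambda p: p["start"])


def parse_ntfs_boot_sector(bs):
    """Read cluster size and volume size from the NTFS BPB."""
    if bs[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    (total,) = struct.unpack_from("<Q", bs, 0x28)
    return {"sectors_per_cluster": bs[0x0D], "total_sectors": total}


def slack_report(mbr, boot_sectors, disk_sectors):
    """Classify unindexed space as the thread does: per partition the volume
    slack (partition size minus file system size) and the file-system slack
    (sectors the cluster grid cannot address), plus the disk slack (gaps
    between partitions and after the last one), as (start, length) pairs."""
    parts = parse_mbr(mbr)
    per_partition = []
    for p, bs in zip(parts, boot_sectors):
        fs = parse_ntfs_boot_sector(bs)
        per_partition.append({
            "start": p["start"],
            "volume_slack": p["size"] - fs["total_sectors"],
            "filesystem_slack": fs["total_sectors"] % fs["sectors_per_cluster"],
        })
    gaps = []
    cursor = parts[0]["start"] + parts[0]["size"]  # first sector after partition 1
    for p in parts[1:]:
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - cursor))
        cursor = p["start"] + p["size"]
    if disk_sectors > cursor:
        gaps.append((cursor, disk_sectors - cursor))
    return {"partitions": per_partition, "disk_slack": gaps}


DISK_SECTORS = 625142448  # assumed total disk size; not from the thread


def demo():
    # Partition 1 uses jaclaz's figures: start sector 63, 625121217 sectors,
    # NTFS TotalSectors one less (the backup boot sector). Partition 2 is a
    # constructed small partition placed after a gap of deleted space.
    mbr = build_mbr([(63, 625121217), (625129344, 8192)])
    boots = [build_ntfs_boot_sector(625121216), build_ntfs_boot_sector(8191)]
    return slack_report(mbr, boots, DISK_SECTORS)


if __name__ == "__main__":
    import pprint
    pprint.pprint(demo())
```

On a real image you would feed parse_mbr the first 512 bytes of the disk and parse_ntfs_boot_sector the first sector of each partition; the gaps the report lists are the "no man's land" regions C.R.S. suggests keeping an eye on, and a volume slack larger than the one sector NTFS reserves is itself worth a look.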
 
 
  

Re: Volume slack vs file system slack; confusing definition

Posted: Fri Jul 13, 2012 9:38 am

And

0. file slack between file size and allocated cluster size.

- jaclaz

  1. "filesystem slack" <- unindexed space within the filesystem
  2. "volume or partition slack" <- unindexed space outside the filesystem but inside the partition/volume
  3. "disk slack" <- unindexed space outside the partition/volume but (obviously) inside the disk
 

C.R.S.
Senior Member
 
 
  

Re: Volume slack vs file system slack; confusing definition

Posted: Fri Jul 13, 2012 10:30 am

- C.R.S.
And

0. file slack between file size and allocated cluster size.

- jaclaz

  1. "filesystem slack" <- unindexed space within the filesystem
  2. "volume or partition slack" <- unindexed space outside the filesystem but inside the partition/volume
  3. "disk slack" <- unindexed space outside the partition/volume but (obviously) inside the disk

If we're increasing the number of slack definitions, you need to add RAM slack, which is the space between the end of the file and the end of the sector. Some lazy systems write RAM content in there, hence RAM slack.
_________________
Tony Patrick, B. Inf Tech, CFCE
www.patrickcomputerfor...s.com/blog
www.twitter.com/Patrick4n6 

Patrick4n6
Senior Member
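For the two in-file kinds of slack named in the last two posts (file slack between the end of the file and the end of its allocated clusters; RAM slack between the end of the file and the end of the sector holding its last byte), an added Python example that is not from the thread: it computes the two byte ranges for a given logical file size and carves them out of the raw bytes of the file's allocated clusters. The cluster size, sector size and the buffer contents are constructed assumptions.

```python
SECTOR_SIZE = 512  # assumed sector size


def ceil_to(n, unit):
    """Round n up to the next multiple of unit."""
    return -(-n // unit) * unit


def slack_regions(file_size, cluster_size, sector_size=SECTOR_SIZE):
    """Byte ranges [start, end) relative to the start of the file's allocated
    clusters: the file data, the RAM slack (end of data to end of the sector
    holding the last byte) and the file slack (end of that sector to the end
    of the last allocated cluster)."""
    if cluster_size % sector_size:
        raise ValueError("cluster size must be a multiple of the sector size")
    allocated = ceil_to(file_size, cluster_size)  # whole clusters the file occupies
    sector_end = ceil_to(file_size, sector_size)  # end of the sector holding the last byte
    return {
        "data": (0, file_size),
        "ram_slack": (file_size, sector_end),
        "file_slack": (sector_end, allocated),
    }


def carve_slack(allocated_bytes, file_size, cluster_size, sector_size=SECTOR_SIZE):
    """Split the raw bytes of a file's allocated clusters into the three regions."""
    regions = slack_regions(file_size, cluster_size, sector_size)
    if len(allocated_bytes) != regions["file_slack"][1]:
        raise ValueError("buffer length does not match the allocation")
    return {name: allocated_bytes[a:b] for name, (a, b) in regions.items()}


def demo():
    # Constructed 4 KiB cluster holding a 1000-byte file. A DOS-era system could
    # leave memory contents in the RAM slack (modern NTFS zero-fills it); what the
    # previous occupant of the cluster left behind sits in the file slack.
    cluster_size, file_size = 4096, 1000
    regions = slack_regions(file_size, cluster_size)
    buf = bytearray(cluster_size)
    buf[:file_size] = b"A" * file_size
    ram_a, ram_b = regions["ram_slack"]
    buf[ram_a:ram_b] = b"<stale memory>".ljust(ram_b - ram_a, b"\x00")
    fs_a, fs_b = regions["file_slack"]
    buf[fs_a:fs_b] = b"<previous file remains>".ljust(fs_b - fs_a, b"\x00")
    return carve_slack(bytes(buf), file_size, cluster_size)


if __name__ == "__main__":
    for name, chunk in demo().items():
        print(f"{name}: {len(chunk)} bytes, starts {chunk[:24]!r}")
```

The same split applies per cluster run when a file is fragmented, and the RAM slack region collapses to nothing when the file ends exactly on a sector boundary, which slack_regions handles by returning an empty range.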
 
 