Volume slack vs file system slack; confusing definition


Re: Volume slack vs file system slack; confusing definition
Posted: Sat Jul 14, 2012 10:33 pm

- athulin
It's not at all clear what purpose the definition of 'sector file slack' serves -- unused space is unused space, no matter where it appears. And 'sector file slack' is an 'interesting' definition only for file system implementations where that particular space may contain interesting data.


It's not "sector file slack", it's RAM slack, and the importance is knowing how the data past EOF got there. For most file slack, it's remnants from the last file in that cluster. For RAM slack, it's potentially data from RAM and has no relevance to the last file that resided on the disk. We are not just in the business of WHAT, but also of WHY and HOW (plus WHERE, WHEN and WHO). A large part of this industry is also about knowing the exceptions to the rules as they sometimes make or break.
_________________
Tony Patrick, B. Inf Tech, CFCE
www.patrickcomputerfor...s.com/blog
www.twitter.com/Patrick4n6 

Patrick4n6

Re: Volume slack vs file system slack; confusing definition
Posted: Sun Jul 15, 2012 4:59 am

- Patrick4n6
A large part of this industry is also about knowing the exceptions to the rules as they sometimes make or break.


Unfortunately, that is true. The reason for that is, as far as I can find, poor rules, bad definitions, and retaining outdated concepts for too long -- that's when knowing exceptions becomes a 'large part'. With more considered definitions, it can be made smaller. Which I believe would be desirable, as otherwise knowing all these exceptions will become an area of specialization.

So it becomes important to get definitions and terminology as straight and unambiguous as possible, and ensure that any rules are created with a view of their intended purpose.

To my mind, RAM slack does not belong in this list. It's not defined by an on-disk file system structure, but by the source of the content of such a structure. If the contents comes from RAM, it's 'RAM slack', if it doesn't, the term is best not used, as it is liable to be misunderstood.

In that context, and given that RAM slack still is a concept that needs to be understood, I would accept 'sector file slack' as the on-disk structure on which the idea of 'RAM slack' can be built, provided that considerable emphasis was placed on the fact that it is not something that is particularly common today, and that you would have to go back to ... Win9x? early NT? ... to find it, at least in the Windows world.

The presence of 'sector file slack' areas with a content that is not zeroed bytes would therefore be an anomaly, which just might be worth investigating. But that's the next step: when the 'slack' structures are defined, their contents and the source of it can be discussed.  

athulin

Re: Volume slack vs file system slack; confusing definition
Posted: Sun Jul 15, 2012 10:36 am

- athulin

Sparse files in Windows are created only by DeviceIoControl() calls. But this thing is done by SetValidData(), which would be called (roughly) as:

Call me tough as much as you want, but I completely fail to understand.
In which practical instance such "semi-sparse" file is created?
Through which command? (or procedure)
Or someone needs a "special program" to invoke the SetValidData() function?

@Patrick4n6
About "sector file slack", that is the name of an unindexed area, defined tentatively as:
"sector file slack" <- unindexed space between file size and next sector border (Maxsize=SectorSize-1, i.e. on a 512 byte/sector device at the most 511 bytes)

whether this area contains (on "lazy" systems, whatever they are) part of the contents of the RAM is another thing.
RAM slack may be the name of the contents of the area, not of the area itself.

You normally say a beer bottle, but it is a glass bottle containing beer; as soon as you drink the contents and re-fill it with water, it will become a bottle of water, but the bottle itself has not changed name and it is still a glass bottle.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 


Re: Volume slack vs file system slack; confusing definition
Posted: Sun Jul 15, 2012 2:32 pm

- jaclaz
In which practical instance such "semi-sparse" file is created?


They're created when a program calls SetValidData() for an opened file. Exchange creates them for some files, and I'm fairly certain the old event log files (.evt) also could be of this type.  

athulin

Re: Volume slack vs file system slack; confusing definition
Posted: Sun Jul 15, 2012 5:47 pm

- athulin

Exchange creates them for some files, and I'm fairly certain the old event log files (.evt) also could be of this type.


I have found this:
Feature is seemingly called "File Initialization"
blog.cmdlabs.com/2010/...-analysts/
fsutil can use setvaliddata all right.

Would this be "file initialization slack" or "file allocation slack" (to be coherent with "file sector slack" and "file cluster slack")?

Uninitialized space is similar in concept to file slack except that it is contained within the logical file size. Unlike file slack which is no longer associated with a file, data in uninitialized space is in a kind of limbo, trapped at the end of an allocated file but not actually part of that file.


jaclaz

Re: Volume slack vs file system slack; confusing definition
Posted: Mon Jul 16, 2012 8:04 am

- jaclaz
I have found this:
Feature is seemingly called "File Initialization"
blog.cmdlabs.com/2010/...-analysts/


That may be what that writer calls it, but I find it misleading as the whole thing is about *avoiding* having to do any sector/cluster initialization until it is absolutely necessary.


Would this be "file initialization slack" or "file allocation slack" (to be coherent with "file sector slack" and "file cluster slack" ) ?


I would prefer to keep to Microsoft's terminology, and use something about 'valid data' -- 'file valid data slack' seems better, though it's a bit of a mouthful. Anyway, using those words makes it possible to search in the MSDN or Microsoft TechNet documentation, and actually get relevant hits fairly high up in the search hit list. It's still a bit confusing so I would wish for a better term. Though with an appropriate definition of 'file slack' that confusion may be minimized. It should be strongly connected to NTFS as well: at least until it has been observed in other file systems.

The thing to recognize however, is that it's not something new: it's still 'file slack'. The only difference is that it isn't the file length (end of file offset) that decides where it starts, but the 'file valid data length' offset.

Uninitialized space is similar in concept to file slack except that it is contained within the logical file size. Unlike file slack which is no longer associated with a file, data in uninitialized space is in a kind of limbo, trapped at the end of an allocated file but not actually part of that file.


That seems confusing.

File slack, while not part of a file, is still associated with a file, as all file slack is part of the file extent: the actual clusters used for the file data. (That 'no longer associated with a file' doesn't match anything very well that I can think of.)

This 'file valid data slack' is not different in any way: it's not part of the file, and it's still part of the extent of the file.

(I'm trying to avoid the terms 'physical file size' and 'logical file size', as those are fairly specific to Windows. The abstract concept of a file has only one: the file size.

And perhaps I need to say that I personally define slack as the difference between the extent of the file and the contents of the file. If it's part of the file extent, but not part of the file, it's slack, no matter where it appears.)  

athulin

Re: Volume slack vs file system slack; confusing definition
Posted: Mon Jul 16, 2012 4:25 pm

Yep, but we are trying to agree on a set of "definitions", what about:
  1. "file slack" <- unindexed space between file size and allocated space, three types:
    1. "sector file slack" <- unindexed space between file size and next sector border (Maxsize=SectorSize-1, i.e. on a 512 byte/sector device at the most 511 bytes)
    2. "cluster file slack" <- unindexed space between file size and next cluster border
      (Maxsize=ClusterSize-1, i.e. on a typical 4096 byte/cluster filesystem at the most 4095 bytes)
      "cluster file slack" is comprehensive of "sector file slack" .
    3. "valid data file slack" <- unindexed space between actual file size and declared file size (only on NTFS filesystems where the SetFileValidData() function or "fsutil file setvaliddata" has been used to allocate to the file a size exceeding the size of its contents)
  2. "filesystem slack" <- unindexed space within the filesystem
  3. "volume or partition slack" <- unindexed space outside the filesystem but inside the partition/volume
  4. "disk slack" <- unindexed space outside the partition volume but (obviously) inside the disk


jaclaz


Last edited by jaclaz on Wed Jul 18, 2012 1:00 pm; edited 1 time in total

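As an added example (not code from the thread or from any tool discussed in it), here is a small Python model of the three "file slack" types in the list above, with athulin's earlier point built in that the valid data variety starts at the valid data length rather than at end of file. It assumes a non-resident file (an NTFS file resident in the MFT record has no cluster extent at all) and uses the 512 byte/sector and 4096 byte/cluster figures from the list as defaults.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass(frozen=True)
class FileLayout:
    """Sizes of one non-resident file; all values in bytes."""
    file_size: int           # declared (logical) size, the end-of-file offset
    valid_data_length: int   # bytes actually written; equals file_size unless
                             # SetFileValidData / "fsutil file setvaliddata" was used
    sector_size: int = 512   # defaults taken from the post's examples (assumed)
    cluster_size: int = 4096

def _round_up(n: int, unit: int) -> int:
    """Smallest multiple of unit that is >= n."""
    return -(-n // unit) * unit

def slack_regions(layout: FileLayout) -> Dict[str, Tuple[int, int]]:
    """Half-open byte ranges [start, end), relative to the start of the file's
    first cluster, for each slack type in the proposed definitions.
    Empty ranges (start == end) mean that slack type is absent."""
    if not 0 <= layout.valid_data_length <= layout.file_size:
        raise ValueError("valid data length must lie within the file size")
    if layout.cluster_size % layout.sector_size:
        raise ValueError("cluster size must be a whole number of sectors")
    size, vdl = layout.file_size, layout.valid_data_length
    sector_end = _round_up(size, layout.sector_size)    # next sector border
    allocated = _round_up(size, layout.cluster_size)    # end of the file extent
    return {
        # starts at the valid data length, not at end of file (athulin's point)
        "valid data file slack": (vdl, size),
        # at most sector_size - 1 bytes
        "sector file slack": (size, sector_end),
        # at most cluster_size - 1 bytes; includes the sector file slack
        "cluster file slack": (size, allocated),
    }

def classify_offset(layout: FileLayout, offset: int) -> str:
    """Name the region an offset (relative to the first cluster) falls in, e.g.
    to label where a keyword hit or a carved fragment was found."""
    regions = slack_regions(layout)
    if offset < layout.valid_data_length:
        return "file contents"
    for name in ("valid data file slack", "sector file slack", "cluster file slack"):
        start, end = regions[name]
        if start <= offset < end:
            return name
    return "outside file extent"
```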

Page 3 of 7