Volume slack vs file system slack; confusing definition


Re: Volume slack vs file system slack; confusing definition

Post Posted: Wed Jul 18, 2012 6:21 am

I think there is a mixup of the winapi SetFileValidData and the fsutil switch SetValidData.
_________________
Joakim Schicht

github.com/jschicht 

joakims
Senior Member
 
 
  

Re: Volume slack vs file system slack; confusing definition

Post Posted: Wed Jul 18, 2012 8:25 am

- athulin

My own attempt at a definition:

valid data file slack -- file slack created by NTFS when a file is extended by a number of zero bytes through the use of the system call SetValidData(). While a suitable number of clusters are allocated and added to the file to support the extra bytes, the previous cluster contents are not wiped. Instead NTFS uses special code to ensure that any attempt to read from the additional bytes results in a suitable number of programmatically zeroed bytes, instead of actual cluster content. Not until the program writes to one (or more) of these clusters will they be initialized and from there on be treated as 'normal' clusters.

With all due respect, that is not a definition, it is a short article illustrating the feature.

- athulin

But I expect that's just as difficult to understand. Trying to get it into a single sentence is probably doomed to failure.

Yes, it is, but at the moment we are still into the "list" and "definitions", we can add to each "short", "synthetic" (and possibly clear enough) "definition" a "corollary" of *any* length to explain and expand on the definition.
- athulin

By the way, what is 'unindexed space'?

To me "unindexed space" is some space that is "not indexed", in the sense that it is something that you cannot access through the normal commands.
A "sparse" file does not (in my view) fall in this category as it is "indexed" all right (like with DIR) and accessible all right (if you prefer, it never can contain "residual data").
The fsutil setvaliddata one, on the contrary, "indexes" more space than you can see (for example, for a plain .txt file) with a TYPE command.
The other "slack types" all can contain at least a bunch of bytes that are not viewable except with direct disk access.

On the other hand, IF it was easy we would already have a valid set of definitions and we wouldn't be trying to create one and discussing it...

@joakims:
I think there is a mixup of the winapi SetFileValidData and the fsutil switch SetValidData.

Very possibly; athulin introduced the SetFileValidData() function, I found the linked-to article that uses fsutil setvaliddata, and I assumed that fsutil used the SetFileValidData() function (this would be "logical", but you never know with the good MS guys).
If you prefer, athulin introduced a concept and I found a practical way to try replicating it, an existing command line that created that effect. Since I have no way of "calling" the SetFileValidData() function, I cannot try comparing the two; care to disambiguate the issue?

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 


Last edited by jaclaz on Wed Jul 18, 2012 12:59 pm; edited 2 times in total

jaclaz
Senior Member
 
 
  

Re: Volume slack vs file system slack; confusing definition

Post Posted: Wed Jul 18, 2012 9:40 am

- joakims
I think there is a mixup of the winapi SetFileValidData and the fsutil switch SetValidData.


Quite right -- sorry about that. The API call is SetFileValidData(). Nothing else changes.  

athulin
Senior Member
 
 
  

Re: Volume slack vs file system slack; confusing definition

Post Posted: Wed Jul 18, 2012 1:03 pm

- athulin
- joakims
I think there is a mixup of the winapi SetFileValidData and the fsutil switch SetValidData.


Quite right -- sorry about that. The API call is SetFileValidData(). Nothing else changes.

I see now :).
I corrected my previous posts, please everyone check theirs.
The Windows API function is
SetFileValidData()

the fsutil parameter is
setvaliddata


example:
fsutil file setvaliddata <filename> <size>

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
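As an added illustration (not code from this thread or from any of the posters), here is a Python parser for the three sizes NTFS actually records for a non-resident $DATA attribute in its MFT record: the allocated size, the real size (the EOF a program sees) and the initialized size, the last being the "valid data length" that SetFileValidData() and fsutil file setvaliddata raise. Reads between the initialized size and EOF return zeros without touching the clusters; raising the initialized size makes whatever those clusters physically hold readable through the file, which is why the API requires SeManageVolumePrivilege (held by administrators by default). The sample records are constructed with build_attr() for the demonstration, not taken from a real image, and a 4096-byte cluster is assumed.

```python
import struct

# Non-resident NTFS attribute header, little-endian, offsets from the start
# of the attribute record (layout as published in the NTFS documentation).
_HDR = struct.Struct("<IIBBHHH")
#   0x00 type, 0x04 record length, 0x08 non-resident flag, 0x09 name length,
#   0x0A name offset, 0x0C flags, 0x0E attribute id
_NONRES = struct.Struct("<QQHH4xQQQ")
#   0x10 start VCN, 0x18 last VCN, 0x20 data-run offset, 0x22 compression unit,
#   0x24 pad, 0x28 allocated size, 0x30 real (EOF) size, 0x38 initialized size
ATTR_DATA = 0x80
FLAG_COMPRESSED, FLAG_SPARSE = 0x0001, 0x8000


def parse_nonresident_sizes(attr: bytes) -> dict:
    """Return the three sizes NTFS records for a non-resident attribute."""
    atype, length, nonres, _nlen, _noff, flags, _aid = _HDR.unpack_from(attr, 0)
    if nonres != 1:
        raise ValueError("resident attribute: content is stored inside the MFT record")
    if length > len(attr) or length < _HDR.size + _NONRES.size:
        raise ValueError("attribute record truncated")
    _svcn, _lvcn, _runs, _cu, alloc, real, init = _NONRES.unpack_from(attr, 0x10)
    if init > real:
        raise ValueError(f"initialized size {init} exceeds real size {real}")
    return {
        "type": atype,
        "flags": flags,
        "allocated_size": alloc,
        "real_size": real,
        "initialized_size": init,
    }


def classify_regions(sizes: dict) -> dict:
    """Split the attribute's extent into the regions this thread is trying to name."""
    alloc, real, init = sizes["allocated_size"], sizes["real_size"], sizes["initialized_size"]
    # For compressed or sparse attributes the allocated size can be below the
    # real size, so byte-level slack arithmetic is not meaningful there.
    if sizes["flags"] & (FLAG_COMPRESSED | FLAG_SPARSE):
        file_slack = None
    else:
        file_slack = alloc - real
    return {
        # bytes NTFS will actually serve from the clusters on disk
        "initialized": init,
        # inside EOF but above the valid data length: reads return zeros
        # without touching the clusters, so residual data may lie underneath
        "uninitialized": real - init,
        # beyond EOF inside the last allocated cluster(s): classic file slack
        "file_slack": file_slack,
    }


def build_attr(alloc: int, real: int, init: int, cluster: int = 4096, flags: int = 0) -> bytes:
    """Construct a minimal non-resident $DATA record (a test fixture, not bytes from a real image)."""
    last_vcn = max(alloc // cluster - 1, 0)
    runs_off = _HDR.size + _NONRES.size           # data runs follow the header directly
    body = _NONRES.pack(0, last_vcn, runs_off, 0, alloc, real, init)
    data_runs = b"\x00" * 8                       # dummy run list, not decoded here
    length = _HDR.size + len(body) + len(data_runs)
    hdr = _HDR.pack(ATTR_DATA, length, 1, 0, 0, flags, 0)   # unnamed attribute
    return hdr + body + data_runs


if __name__ == "__main__":
    C = 4096
    # Three snapshots of one file's $DATA attribute: after writing 10000 bytes,
    # after extending EOF to 1 MiB with SetEndOfFile(), and after raising the
    # valid data length to EOF with SetFileValidData() / fsutil file setvaliddata.
    for label, rec in [
        ("10000 bytes written", build_attr(3 * C, 10000, 10000)),
        ("EOF raised to 1 MiB", build_attr(256 * C, 1 << 20, 10000)),
        ("VDL raised to 1 MiB", build_attr(256 * C, 1 << 20, 1 << 20)),
    ]:
        print(f"{label:22s} {classify_regions(parse_nonresident_sizes(rec))}")
```

The second snapshot is the one a forensic tool can recognise from the MFT alone: real size above initialized size means a region that reads as zeros but may still carry old cluster content. After the third step the record looks like an ordinary fully written file, so nothing in the MFT says whether those clusters were ever written; the only way to tell "valid data slack" from genuine content is to read the clusters themselves.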
 
 
  

Re: Volume slack vs file system slack; confusing definition

Post Posted: Wed Jul 18, 2012 6:10 pm

Slack space is the space in the air conditioned lab room where the lazy staff sits surfing the net, instead of doing the imaging...  

jhup
Senior Member
 
 
  

Re: Volume slack vs file system slack; confusing definition

Post Posted: Wed Jul 18, 2012 6:24 pm

- athulin
- jhup
File slack is created by many other file systems, not just NTFS.


At present, the only known source of this particular type of slack is NTFS. Strictly speaking, it has only been verified for Windows; status on non-Microsoft implementations of NTFS is still unknown.

Hmmm... What do you call that extra space between the end of the file, and the end of the cluster (or named disk segmentation) in ext2, HFS Plus, ZFS, FAT, or even BDOS of CP/M?
- athulin
- jhup
What is "SetValidData()"?


A Microsoft Windows system call -- though 'system call' should not necessarily be interpreted to mean 'kernel call' or 'BIOS call'. It's implemented by 'kernel32.dll' -- that's why I call it a system call. You find the details in the usual MS places -- try googling for 'MSDN SetValidData' for one possibility.

I know that EnCase 6 supports this kind of file system structure, though it's not classed as file slack. I'm less sure what EnCase 7 does, though it probably does the same, and I have no idea how other forensic suites or toolkits deal with it.

- jhup
My point - i think you overcomplicated it.


It may not be a type of file slack that is the most important thing to get right in a list of definitions of slack in general, true. But it does belong on a list of types of file slack.

The SetValidData was a rhetorical question - and after my post the confusion is further demonstrated.

I think it is important to clarify if we are discussing uniquely Microsoft world or the whole world of slack space. Maybe that is why I think sparse files muddle the definition.

jhup
Senior Member
 
 
  

Re: Volume slack vs file system slack; confusing definition

Post Posted: Wed Jul 18, 2012 6:36 pm

- jhup
Hmmm... What do you call that extra space between the end of the file, and the end of the cluster (or named disk segmentation) in ext2, HFS Plus, ZFS, FAT, or even BDOS of CP/M?


In general, file slack. I call any space 'file slack' that occurs within the extent of a file, and that is not part of the content of a file.  

athulin
Senior Member
 
 

Page 5 of 7