I understand what file slack is, and its potential use in digital forensics.
I also know that Windows OSs fill the file slack with zeros, so anything nonzero may be suspicious in Windows.
What I don't understand is why some other OS (Linux?) would dump random memory into file slack. It is said that file slack is created at the time a file is saved to disk, and potentially important data may be saved in the file slack, including URLs, passwords, web history, … , but why would any OS do that? Is there any practical value in doing it?
Are you aware that RAM slack is slightly different to file slack? RAM slack fills up the gap between the end of a file and the end of its sector, whereas the file slack is the remaining space to fill the cluster and is therefore whatever was left there from the previous file(s) that resided there (no overwriting in Windows).
The reason why RAM slack is called that is because, in Windows at least, the stuff that was used to fill the gap in the sector actually came from RAM. Since RAM can contain all sorts of juicy information, passwords and things, Microsoft changed it (after Win98?) so that it fills it with zeros instead, as most modern OSs do, but the name stuck.
Just google "ram slack" for other definitions, but note that many will still say that RAM slack contains data from RAM when most often these days it's zeros.
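To make the two definitions above concrete, here is an added worked example (my own code, not from any poster in this thread). It assumes 512-byte sectors and 4096-byte clusters (real values come from the volume's boot sector), simulates saving a file into a cluster that previously held other data, and then carves out the RAM slack and the file slack separately. The RAM slack is filled either with zeros (the modern behaviour) or with a constructed stand-in for stale write-buffer contents (the old behaviour the thread describes); the file slack is never written at all, so the previous occupant's bytes survive there. All sample content, offsets and strings are constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

SECTOR_SIZE = 512
CLUSTER_SIZE = 4096   # assumed: 8 sectors per cluster; read the real value from the boot sector

Region = Tuple[int, int]  # [start, end) byte offsets from the start of the file's first cluster


def slack_regions(file_size: int, sector_size: int = SECTOR_SIZE,
                  cluster_size: int = CLUSTER_SIZE) -> Dict[str, Region]:
    """Locate RAM slack (end of data to end of its sector) and file/drive slack
    (end of that sector to end of the last cluster) for a file of file_size bytes."""
    if file_size <= 0:
        raise ValueError("a zero-length file owns no cluster and therefore has no slack")
    sector_end = -(-file_size // sector_size) * sector_size      # round up to sector boundary
    cluster_end = -(-file_size // cluster_size) * cluster_size   # round up to cluster boundary
    return {"ram_slack": (file_size, sector_end), "file_slack": (sector_end, cluster_end)}


def printable_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Crude strings(1): runs of printable ASCII at least min_len bytes long."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def build_allocation(content: bytes, ram_fill: bytes, previous_cluster: bytes,
                     sector_size: int = SECTOR_SIZE, cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Simulate saving `content` over a cluster that previously held `previous_cluster`.
    RAM-slack bytes come from `ram_fill` (zeros on modern Windows, buffer leftovers on the
    old systems discussed above); file-slack bytes are simply not written, so the previous
    occupant's data survives there untouched."""
    r = slack_regions(len(content), sector_size, cluster_size)
    ram_start, ram_end = r["ram_slack"]
    fs_start, fs_end = r["file_slack"]
    if len(previous_cluster) < fs_end:
        raise ValueError("previous_cluster must cover every cluster the new file occupies")
    ram_len = ram_end - ram_start
    if ram_len and not ram_fill:
        raise ValueError("ram_fill must be non-empty when there is RAM slack to fill")
    ram_bytes = (ram_fill * ram_len)[:ram_len]
    return content + ram_bytes + previous_cluster[fs_start:fs_end]


def analyze_allocation(allocation: bytes, file_size: int,
                       sector_size: int = SECTOR_SIZE, cluster_size: int = CLUSTER_SIZE) -> dict:
    """Carve both slack regions and report what an examiner checks: is the RAM slack all
    zeros (anything else is unexpected on a modern Windows volume), and which readable
    strings from earlier files still sit in the file slack."""
    r = slack_regions(file_size, sector_size, cluster_size)
    if len(allocation) != r["file_slack"][1]:
        raise ValueError("allocation length does not match the cluster span for file_size")
    ram = allocation[slice(*r["ram_slack"])]
    drive = allocation[slice(*r["file_slack"])]
    return {
        "ram_slack_len": len(ram),
        "ram_slack_zeroed": not any(ram),        # also True when the region is empty
        "ram_slack_strings": printable_strings(ram),
        "file_slack_len": len(drive),
        "file_slack_strings": printable_strings(drive),
    }


# --- constructed sample data (not taken from any real disk image) ---
def _place(buf: bytearray, offset: int, data: bytes) -> None:
    buf[offset:offset + len(data)] = data

PREVIOUS_CLUSTER = bytearray(CLUSTER_SIZE)           # what lived in the cluster before the save
_place(PREVIOUS_CLUSTER, 100, b"OLD LOG HEADER from the file that used to live here")  # gets overwritten
_place(PREVIOUS_CLUSTER, 1500, b"GET /accounts/login HTTP/1.1")   # lands in file slack
_place(PREVIOUS_CLUSTER, 2600, b"user=alice&pw=hunter2")          # lands in file slack

NEW_CONTENT = b"Quarterly report draft.\n" * 30      # 720 bytes: spans 2 sectors, 1 cluster


def scenario(ram_fill: bytes) -> dict:
    alloc = build_allocation(NEW_CONTENT, ram_fill, bytes(PREVIOUS_CLUSTER))
    return analyze_allocation(alloc, len(NEW_CONTENT))

MODERN = scenario(b"\x00")                                         # zero-filled RAM slack
LEGACY = scenario(b"HKCU\\Software\\Example\\LastUser=alice ")    # hypothetical stale buffer bytes

if __name__ == "__main__":
    for name, result in (("modern", MODERN), ("legacy", LEGACY)):
        print(name, result)
```

Running it shows a 304-byte RAM slack (720 bytes of data, 1024-byte sector boundary) that is all zeros in the modern case and full of the constructed buffer string in the legacy case, while in both cases the 3072-byte file slack still yields the old request line and credential fragment, and the old header that sat under the new data is gone. Swap in a real cluster read from an image (and the volume's real sector and cluster sizes) to use the same carving on actual evidence.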
I believe "non-zeroed" RAM slack appeared in Windows versions 95A and below. Windows 95B and above writes 0x00s to fill the RAM slack.
Some other literature refers to file slack as both RAM slack and drive slack. In that, your definition of file slack is the same as drive slack.
Your explanation on RAM slack makes sense.
How about Linux? Does it have the same RAM slack problem as earlier Windows? If not, I guess RAM slack is not much of a problem these days, since none (or very few) would use Win95 or even Win98.
Thanks.
I believe "non-zeroed" RAM slack appeared in Windows versions 95A and below. Windows 95B and above writes 0x00s to fill the RAM slack.
Thanks for the clarification. I couldn't find any reference as to when it changed, even on the Microsoft site. The site Brian Carrier (File System Forensic Analysis, a must-have book) refers to when defining RAM slack is at http//
As for the OSs using RAM, I don't know of any lists, but you could always conduct a few tests. That's the fun part )
I believe "non-zeroed" RAM slack appeared in Windows versions 95A and below. Windows 95B and above writes 0x00s to fill the RAM slack.
Where did you learn this? If on your own, alright, but if you have a reference, can you list it so I could look into this more? Thanks.
I found it mentioned in Steve Bunting's EnCE Study Guide (2nd Edition), page 65, soon after my last post.