Forums
Main Category
General (Technical,...
File Slack in Windo...
 
Notifications
Clear all

File Slack in Windows 10

 
General (Technical, Procedural, Software, Hardware etc.)
Last Post by jaclaz 8 years ago
4 Posts
4 Users
0 Reactions
3,530 Views
RSS
Beleka
 Beleka
(@beleka)
Eminent Member
Joined: 8 years ago
Posts: 29
Topic starter 10/01/2018 1:46 pm   [#16217]

Hello, i'm improving my forensic knowledge working on slack space carving. I readed a lot about it and sometimes i found two different slack spaces, the RAM Slack is applied in the last sector of the last cluster when a file doesn't fill the whole last cluster. Theoretically that RAM slack fill this last sector with random RAM information, is that real? i think that is an unnecesary security risk and i want to know if it still survives in Windows 10.

The other slack type, the drive slack appears in the others sectors of the last cluster, when there is still some free space, and let you recover information from the previous file allocated in that cluster. Is this one available in Windows 10?

Thank you for your time )



   
Quote
AmNe5iA
 AmNe5iA
(@amne5ia)
Estimable Member
Joined: 10 years ago
Posts: 175
10/01/2018 3:48 pm  

RAM slack flaw was fixed decades ago. RAM slack now consists of 0x00s.

Don't forget

Volume Slack which is the space between the end of the filesystem and the end of the partition.



   
ReplyQuote
 Anonymous 6593
(@Anonymous 6593)
Joined: 18 years ago
Posts: 1158
10/01/2018 4:24 pm  

Theoretically that RAM slack fill this last sector with random RAM information, is that real?

If I recall that was last heard of in Windows95, or possibly 2000. But things come around, so it isn't impossible that it is present until someone actually investigates the question, and publishes the results, we don't really know. I don't know that it has been so investigated.

You should have no problem in investigating the problem on your own by examining or creating situations where a file system uses multi-sector (more than 2) allocation units, where a file ends with, say, the last byte, in the first of such an allocation unit, and so have both have sector slack (from end of file to sector boundary), and cluster slack (from end of file to end of allocation unit) to investigate is there anything but zero bytes in those areas, and if there is, where does it come from?

Don't forget to check what happens when you create a 'full' file (i.e. one that occupies full allocation units, leaving no slack), and then resizes it to be shorter what happens with old content? Is it erased, or does it remain?



   
ReplyQuote
jaclaz
 jaclaz
(@jaclaz)
Illustrious Member
Joined: 19 years ago
Posts: 5133
10/01/2018 6:05 pm  

There is a (still "unfinalized") thread where disk/volume/filesystem slacks have been "tentatively" described, JFYI, see
https://www.forensicfocus.com/Forums/viewtopic/p=6588016/#6588016
https://www.forensicfocus.com/Forums/viewtopic/t=9374/postdays=0/postorder=asc/start=42/

jaclaz



   
ReplyQuote
Forum Jump:
  Previous Topic
Next Topic  
Share: