The Importance of File Slack to Digital Forensics and EDiscovery

What is File Slack? And how does it relate to Computer Forensics?

If you have a basic understanding of computers, then you know that files take up space on your hard drive. You may also understand that some files are larger than others and that they can range from only a few bytes to many gigabytes. What you may not know is that every file actually has two sizes: a logical size and a physical size. The reason for the two sizes lies in the way the file system stores files on your hard drive. Without getting into too much detail on how file systems work, the answer lies in understanding File Slack, which is made up of two parts: Drive Slack and RAM Slack. Knowledge of File Slack is not required for everyday computing, but it plays a very important role in Digital Forensics and eDiscovery.

You may have heard the terms Sector and Cluster used when referring to hard drives. At a very basic level, the Sector is the smallest area on a piece of media, such as a hard drive, that can be written to. Sectors are grouped into Clusters, which are the allocation units on the drive. On Windows systems the Sector is a fixed size of 512 bytes, whereas the Cluster size is determined by the size of the disk itself, so smaller disks have smaller Cluster sizes and vice versa. When a file is created, the file system allocates the first available Clusters according to the logical size of the data being stored. Obviously, not every file stored on a drive can be an exact multiple of the Cluster size, so there will be space left over in the last Cluster. This leftover space is File Slack.

RAM Slack refers to the remaining space in the last Sector of a file. Remember, Clusters are the allocation units, but the file system still writes in 512-byte chunks. Very rarely will a file's size be an exact multiple of 512, so once the file system finishes writing the last Sector of a file there will be unused space at the end of that Sector. Prior to Windows 95 version B, this space was filled with whatever random data happened to be in RAM, hence the name RAM Slack. This was a huge security hole, because data in RAM could contain passwords and other sensitive information. Since then, Windows file systems write the byte value 0x00 to the remaining space in the last Sector of a file.

Drive Slack refers to the remaining, never-written sectors in the last Cluster of a file. The file system does not fill this space as it does with RAM Slack; it does nothing with it at all. Whatever data those sectors held before the file was written remains there, including remnants of deleted files.
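To make the two sizes concrete, here is an added Python model (not code from the original article) that computes a file's physical size, RAM Slack and Drive Slack from its logical size, then simulates a write into a cluster that still holds older data so both kinds of slack can be carved back out. It assumes 512-byte sectors and an assumed 8-sector (4096-byte) cluster; the old cluster contents and the 700-byte file are constructed sample data.

```python
from math import ceil

SECTOR = 512            # fixed 512-byte sector, as the article describes
CLUSTER_SECTORS = 8     # assumed: 8 sectors per cluster (4096-byte clusters)

# Constructed sample data: what the cluster held before, and the new file.
OLD_CLUSTER = (b"OLD-FILE-REMNANT " * 241)[:SECTOR * CLUSTER_SECTORS]
NEW_FILE = b"A" * 700

def slack_layout(logical_size, sector=SECTOR, cluster_sectors=CLUSTER_SECTORS):
    """Physical size plus the two slack components for a file of logical_size."""
    cluster = sector * cluster_sectors
    clusters = ceil(logical_size / cluster)        # allocation units consumed
    sectors_written = ceil(logical_size / sector)  # the FS writes whole sectors
    return {
        "logical": logical_size,
        "physical": clusters * cluster,
        "ram_slack": sectors_written * sector - logical_size,
        "drive_slack": clusters * cluster - sectors_written * sector,
    }

def write_file(old_cluster, data, sector=SECTOR):
    """Simulate writing data into a cluster that previously held old_cluster.
    Only whole sectors are written: the tail of the last sector is zero-filled
    (RAM Slack) and the sectors never touched keep their old bytes (Drive Slack)."""
    assert len(data) <= len(old_cluster), "example handles a single cluster"
    sectors_written = ceil(len(data) / sector)
    padded = data + b"\x00" * (sectors_written * sector - len(data))
    buf = bytearray(old_cluster)
    buf[: len(padded)] = padded
    return bytes(buf)

def carve_slack(cluster, logical_size, sector=SECTOR):
    """Split a cluster image into (file data, RAM Slack, Drive Slack)."""
    end_of_sectors = ceil(logical_size / sector) * sector
    return (cluster[:logical_size],
            cluster[logical_size:end_of_sectors],
            cluster[end_of_sectors:])

if __name__ == "__main__":
    print(slack_layout(len(NEW_FILE)))
    _, ram, drive = carve_slack(write_file(OLD_CLUSTER, NEW_FILE), len(NEW_FILE))
    print(len(ram), "bytes of RAM Slack, all zero:", set(ram) == {0})
    print(len(drive), "bytes of Drive Slack still holding:", drive[:16])
```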

You can see how important File Slack is to Digital Forensics and eDiscovery. With the correct set of tools and an experienced forensic examiner, like myself, data stored in File Slack and Unallocated Space can be recovered.

Importance of Computer Forensics

Computer forensics is the process of applying the latest knowledge of science and technology, together with computer science, to collect, analyze and present evidence to criminal or civil courts. Network administrators and security staff who administer and manage networks and information systems should have complete knowledge of computer forensics. The meaning of the word “forensics” is “to bring to the court”. Forensics is the process of finding evidence and recovering data. The evidence can take many forms, such as fingerprints, DNA tests or complete files on computer hard drives. The consistency and standardization of computer forensics across courts is not yet strongly recognized because it is a new discipline.

It is necessary for network administrators and security staff of networked organizations to practice computer forensics, and they should have knowledge of the relevant laws, because the rate of cyber crime is increasing greatly. It is also of great interest to managers and personnel who want to know how computer forensics can become a strategic element of their organization’s security. Personnel, security staff and network administrators should know all the issues related to computer forensics. Computer experts use advanced tools and techniques to recover deleted, damaged or corrupt data and to gather evidence of attacks and intrusions. This evidence is collected to pursue cases in criminal and civil courts against the culprits who committed the computer crimes.

The survivability and integrity of any organization’s network infrastructure depends on the application of computer forensics. In the current situation, computer forensics should be treated as a basic element of computer and network security. It would be a great advantage for your company to know all the technical and legal aspects of computer forensics. If your network is attacked and the intruder is caught, then good knowledge of computer forensics will help to provide evidence and prosecute the case in court.

There are many risks if you practice computer forensics badly. If you don’t take it into account, then vital evidence might be destroyed. New laws are being developed to protect customers’ data, and if certain kinds of data are not properly protected then many liabilities can be assigned to the organization. New rules can bring organizations into criminal or civil courts if they fail to protect customer data. An organization’s money can also be saved by applying computer forensics. Some managers and personnel spend a large portion of their IT budget on network and computer security. It is reported by International Data Corporation (IDC) that software for vulnerability assessment and intrusion detection will approach $1.45 billion in 2006.

As organizations increase in number, and the risk from hackers and contractors also increases, they have developed their own security systems. Organizations have deployed security devices on their networks, such as intrusion detection systems (IDS), proxies and firewalls, which report on the security status of the organization’s network. So, technically, the major goal of computer forensics is to recognize, gather, protect and examine data in a way that preserves the integrity of the collected evidence so it can be used efficiently and effectively in a case. A computer forensics investigation has some typical aspects. First, the computer experts who investigate computers should know the type of evidence they are looking for, to make their search effective. Computer crimes are wide in range, such as child pornography, theft of personal data, and destruction of data or computers.

Second, computer experts or investigators should use suitable tools. Investigators should have good knowledge of software and of the latest techniques and methods to recover deleted, encrypted or damaged files, and to prevent further damage during the recovery process. In computer forensics, two kinds of data are collected. Persistent data is stored on local disk drives or other media and is preserved when the computer is powered off. Volatile data is stored in random access memory and is lost when the computer is turned off or loses power; it is located in caches, random access memory (RAM) and registers. A computer expert or investigator should know trusted ways to capture volatile data. Security staff and network administrators should understand how network and computer administration tasks affect the computer forensics process, and should have the ability to recover data lost in a security incident.