Slack space refers to the hard disk space between the end of a stored file to the end of the cluster it is kept in. Note that hard disks typically keep files in clusters with a specific file size. If your computer, for instance, stores files in clusters of 4KB each, then a file that is 3KB in size will be stored in one cluster with 1KB of slack space left.
Think of it this way, a guest house with four bedrooms (HDD) that can accommodate four people per room (capacity per cluster) can house a family with eight members (file size) in two rooms with two rooms left for other guests (slack space).
Other interesting terms…
Read More about “Slack Space”
Slack space is also called “file slack.” It occurs because it is unusual for files to be the same size as a cluster. While you may think slack spaces have no use, you are sorely mistaken. Examining file slack is critical when performing forensic investigations on computers.
Before moving on to learning more about slack space in computer forensics, though, let’s tackle the basics first.
What Terms Are Related to Slack Space?
You need to understand a couple of terms to grasp the concept of file slack fully. Here are three of them.
A hard disk, also known as “hard disk drive (HDD)” or “hard drive,” is a flat circular plate made of aluminum or glass coated with magnetic material. They store information on computers. Today, many desktops and laptops use solid-state drives (SSDs) instead of hard disks.
A cluster in a hard disk refers to a group of sectors within it where files are organized. Note that most files fill several clusters in a disk. The hard drive can find clusters because each has its own ID.
Computer forensics is a technological field that uses investigative techniques to identify and store evidence obtained from a device. It is often used to uncover evidence usable in a court of law. Sometimes, forensics investigators can be asked to recover lost data from drives that have failed, servers that have crashed, or operating systems (OSs) that have been reformatted.
What Can Slack Space Tell You in Computer Forensics?
Scrutinizing file slack can lead to discovering residual data in computer forensics. Residual data is what’s left of a deleted file when the one that took its place in a computer’s memory is smaller than it is. This data can reveal something important about the file deleted, like who created it.
The Federal Bureau of Investigation (FBI) examined the slack space on Hillary Clinton’s computer to investigate her case. With it, the agency proved that Clinton did violate the law to use her personal email account for Secretary of State business.
How Does Slack Space Work?
The following video shows what file slack is through examples featuring Angelina Jolie, Kate Beckinsale, and Gordon Ramsay. The video showed that the slack space in the three celebrities’ computers showed traces of deleted pictures that they all denied existed.
This diagram, meanwhile, shows how forensics investigators use file slack to get clues.
Slack Space and Free Space, What’s the Difference?
Free space is hard drive space that has never been used, often found on a new computer. Slack space, meanwhile, isn’t necessarily unused, as we’ve established that residual data from a file that was stored on and deleted after from a device can get left behind in it.
Another difference is that free space doesn’t differentiate between clusters, unlike slack space. All free space is not necessarily slack space, but all slack space is free space.
What Other Cases Slack Space Scrutiny Helped With?
Apart from the Clinton case, file slack investigation also led to the capture of the Melissa virus creator David L. Smith by the FBI on 1 April 1991. Investigators found traces of the virus’s code in Smith’s slack space.
Examining slack space on the computers of cybercrime suspects is one of the first things that digital forensics experts do. It is stated as one of the basic steps by many cyber forensics guides, including that published by the INTERPOL.
Slack space, as this post showed, is critical when users look for clues during cybercrime investigations. It should also serve as a reminder to all computer users that files are truly never deleted. They leave breadcrumbs hidden in seemingly unused spaces within hard drives.