What is slack space (file slack space)?
Slack space, or file slack space, is the leftover storage space on a computer's hard disk drive when a file does not need all the space it has been allocated by the operating system (OS). More specifically, it refers to all the unused storage space in a hard drive's file allocation block or memory page, and often holds residual data. The examination of slack space is an important aspect of e-discovery and computer forensics.
Another way to define slack space is the leftover space between the end of a file and the end of the hard drive cluster it is stored in. It is also known as file slack because it is the leftover or excess space on a drive where a file would otherwise be stored.
Slack space is common on hard drives because files are rarely an exact multiple of the cluster size. Each cluster has a fixed capacity, but files come in arbitrary sizes, so the last cluster allocated to a file is usually only partly filled, and that unfilled remainder is wasted on the drive.
Slack space vs. free space
The terms slack space and free space -- or unallocated clusters -- are not interchangeable. Free space on a hard drive is simply space that has never been used or allocated to a file. In contrast, slack space usually contains residual data from a deleted file and is not necessarily unused.
Another difference is that slack space cannot hold the complete contents of a deleted file, whereas free space can. Free space can also retain the file's binary header signature, which helps identify the file type. These signatures are overwritten in the slack space.
Also, the size of the data recovered from a stored file's slack space is limited to one cluster minus one byte. In contrast, the data recovered from free space can span thousands of clusters and be quite large.
Logical and physical size of a file
A file on a hard disk can have a logical size that differs from its physical size. The logical size is the number of bytes the file actually contains, whereas its physical size is determined by the number of sectors allocated to it on the disk. The slack space is the difference between the physical and logical size.
In most OSes, including Microsoft Windows, sectors -- logically defined spaces that usually hold up to 512 bytes of data each -- are clustered in groups of four by default, which means that each cluster has 2,048 bytes. If a file with a logical size of 1,280 bytes is allocated a cluster of four 512-byte sectors, its physical size is 2,048 bytes. The difference between 2,048 and 1,280 is 768 bytes, which indicates the file's slack space.
The importance of slack space
Slack space demonstrates that it is difficult to permanently erase computer files. Deleted files are simply moved to a different location, allowing users to recover them in most cases. This is good news for users who mistakenly delete important files.
However, a drawback is that slack space can also be used by malicious or threat actors to recover a user's login credentials, passwords, deleted files, messages, etc. Information obtained in this kind of data breach might be used to perpetrate criminal action such as fraud or identity theft.
The role of slack space in computer forensics
Slack space plays an important role in e-discovery, which is the process of finding digital information for legal, compliance or internal investigation purposes. The discovery of this information is important in computer forensics.
On a new hard drive, the space in a sector that is not used -- the slack space -- is blank. Here, as mentioned previously, a sector refers to a logically defined space that usually holds up to 512 bytes of data. As the computer is used, the slack space comes to contain leftover data. When a file is deleted, say, by a suspect under investigation, the OS doesn't erase the file. Instead, it marks the sector that the file had occupied as available for reallocation. The file's contents remain on the disk, hidden from the file system but discoverable in unused space until they are overwritten.
So, say a suspect deletes a 200-byte file. If a new file, for example also 200 bytes, is then allocated to the original sector, the sector's slack space will now contain 200 bytes of data from the deleted file in addition to the 112 bytes of original unused space. This leftover data, called latent data, residual data or ambient data, can provide investigators with clues as to prior uses and users of the computer. It can also reveal who created and deleted the file, as well as provide new leads for inquiries about the computer and its users.
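The following added example (not part of the original article) models both the logical-versus-physical size arithmetic from the earlier section and the reallocation scenario just described. It assumes the article's figures of 512-byte sectors grouped four to a cluster, and uses constructed sample file contents: a 1,280-byte "deleted" file is replaced by a 300-byte file in the same cluster, and the tail of the old file is then recovered from the new file's slack.

```python
import math

SECTOR_SIZE = 512                                   # bytes per sector, per the article
SECTORS_PER_CLUSTER = 4                             # the article's default grouping
CLUSTER_SIZE = SECTOR_SIZE * SECTORS_PER_CLUSTER    # 2,048 bytes
MARKER = b"<END-OF-SUSPECT-MEMO>"                   # constructed: tail of the "deleted" file


def physical_size(logical_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Space actually allocated on disk: whole clusters, rounded up."""
    return math.ceil(logical_size / cluster_size) * cluster_size


def slack_space(logical_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Physical minus logical size; 0 when the file fills its last cluster exactly."""
    return physical_size(logical_size, cluster_size) - logical_size


class Cluster:
    """One allocation unit. Deleting only clears the allocation record; bytes stay until overwritten."""

    def __init__(self, size: int = CLUSTER_SIZE) -> None:
        self.data = bytearray(size)   # factory-fresh drive: slack is all zero bytes
        self.logical_len = 0          # logical size of the stored file (0 = free)

    def write_file(self, content: bytes) -> None:
        if len(content) > len(self.data):
            raise ValueError("file larger than one cluster")
        self.data[: len(content)] = content   # only the file's own bytes are overwritten
        self.logical_len = len(content)

    def delete_file(self) -> None:
        self.logical_len = 0          # cluster marked reusable; contents untouched

    def slack(self) -> bytes:
        """Bytes past the logical end of the current file: what an examiner carves."""
        return bytes(self.data[self.logical_len:])


def residual_data_demo() -> bytes:
    """A 1,280-byte file is deleted and a 300-byte file reuses the cluster;
    the old file's bytes 300..1279 survive in the new file's slack."""
    cluster = Cluster()
    old_file = MARKER.rjust(1_280, b"A")   # constructed 1,280-byte sample file
    cluster.write_file(old_file)
    cluster.delete_file()
    cluster.write_file(b"B" * 300)         # constructed replacement file
    return cluster.slack()


if __name__ == "__main__":
    print(f"1,280-byte file: physical {physical_size(1_280)} B, slack {slack_space(1_280)} B")
    residue = residual_data_demo()
    print(f"slack after reuse: {len(residue)} B, deleted memo marker found: {MARKER in residue}")
```

The recovered slack is 1,748 bytes: 980 bytes of the deleted file followed by 768 zero bytes, the deleted file's own slack on a drive that had never been written before.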