Slack Space

What is Slack Space?

Slack space, also referred to as file slack on a hard disk drive, denotes the storage space left over when a file does not need as much space as the computer has allotted to store it.

Technically, this is the space existing between the end of a file stored on the hard drive and the end of that particular file cluster, or allocation block, or memory page, which may contain residual data from an earlier file.

Understanding Slack Space

Typically, in most operating systems, including Windows, the sectors are grouped into sets of four by default. With 512-byte sectors, this means that every cluster measures 2048 bytes.

Files on a hard drive are stored in clusters that are allotted by the computer, but the files may not always use up the entire space of the cluster assigned.

Therefore, the space remaining from the end of the file to the end of the cluster stays unused and is called a slack space.

File slack is created naturally due to the functionality of the computer system and unintentional semi-flaws.

It is actually the difference between the logical and physical sizes of a file saved on a hard drive, which are determined as follows:

The slack space may not always be empty. For example, if a new file that is smaller than the earlier one is stored in a cluster, the remaining part of the previous file may still be there.

And, there may be some important data stored in there that may help the forensic investigation team. They can extract this data by using specialized forensic tools.

File slack, or slack space is simply a reminder that nothing is deleted from the hard drive of a computer permanently.

Forensic experts can extract and evaluate sensitive data even from the slack spaces that have been created after deleting a file from a specific cluster.

Therefore, it is important to determine which information and data are sensitive enough to keep off digital media. It can be anything basic or ‘more than the basics’ things, such as:

However, you should not be scared about it. Looking at it from another point of view, it should relieve you a bit to know that slack space means not everything on your computer is truly lost forever. Sometimes, the data can be recovered.

What Causes Slack Space?

Slack space is the result of part of a cluster, the space allocated for saving data and information, not being used. It occurs naturally because data files rarely fill up the fixed storage allocations exactly.

Residual data may sometimes create slack spaces as well when smaller files are written on the same cluster as the earlier larger file.

This leaves a space on the drive and it remains unused. This happens because there is a particular storage threshold for each cluster on a hard disk drive.

And since the files are of random sizes, only a part of the hard drive space is consumed by them, creating slack space.

It happens due to the following reasons:

Therefore, saving a smaller file in a larger space allocated by the computer creates slack space on the hard disk drive.

What is Slack Space Size?

Simply put, the size of the slack space is not fixed. It varies depending on two specific factors: the size of the file to be stored and the amount of space allocated by the computer to save that specific file.

Also, when the hard disk drive of the computer is brand new, the slack space is empty, but it gets reduced when the computer is used.

To have a better understanding regarding the size of a slack space, you will first need to know a few other important things as well, apart from the basic meaning of slack space. These are:

This means that the hard disk drives do not understand clusters and the operating systems do not understand sectors. However, both these terms are required to calculate slack space size.

Here are a couple of examples to determine the slack space size.

Example 1

Assume the following:

Under these circumstances, the smallest amount read or written by the operating system should be 8 sectors or 4096 bytes.

Now, to find the slack space, follow these steps:

Example 2

Assume the following:

In this case, the smallest amount of space read or written by the operating system will be 16 sectors or 8192 bytes.

Following the same process as above, here is the work through:

Since this is not a round figure, you will need to round it off as well because, as said earlier, the operating system cannot read anything less than a whole number of clusters.

If less than a whole cluster is allotted, the file will not be saved. Therefore, you will need 8 clusters.

Now, the allotment size of clusters required in bytes is equal to 65536 bytes (8 x 8192 = 65536).

Subtract the now smaller file size from the larger cluster allotment size to have the slack space on your hard drive, (65536 – 61440 = 4096 bytes or 4 sectors).

So, as you can see, the size of slack space can vary.

How is Data Hidden in Slack Space?

To hide data in the slack space, slack space data hiding technology uses the physical properties of the entire system and of the formatted storage medium, as well as its storage capacity, along with the HPA and DCO areas.

Host Protection Area (HPA)

Host Protection Area technology was introduced after the Advanced Technology Attachment 5 (ATA-5) protocol was established. ATA commands are used to protect such areas and store configuration and data files.

These areas are extremely protected, and the data cannot be read even by the operating system or the Basic Input Output System (BIOS).

Device Configuration Overlay (DCO)

Device configuration overlay is a hidden area on the hard disk drive that was introduced for the first time in the ATA-6 standard. It is much stronger than HPA when it comes to hiding data.

The best aspect of it is that it allows system vendors to buy HDDs of different sizes from different vendors and, later on, configure them so that they all have the same number of sectors.

What is a Slack Space Example?

If a file system can store data on a hard disk drive in clusters of 4 KB, but the computer saves a smaller file using only 2 KB of the cluster, your disk drive will have 2 KB of slack space.

Also, for example, if a cluster of 30 KB is allocated by the computer to save a file, but the operating system stores a file that is only 25 KB in size, it will leave 5 KB of space unused.

In this slack space, data from the earlier file may still exist since it could not be overwritten by the current smaller file and will stay there as long as this new file is stored there.

This leftover data, often referred to as ambient data or latent data, provides important clues to the forensic investigators as they probe into the prior questionable use of the computer system in question. This may lead to further examinations.
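The following added example (not part of the original article) carries out the Example 2 calculation and shows leftover data surviving in file slack on a constructed in-memory volume, the way a forensic tool would read it. The ToyVolume class, the file names and the marker string are hypothetical, and a 512-byte sector is assumed.

```python
import math

SECTOR = 512                      # assumed sector size (16 sectors = 8192 bytes)
CLUSTER = 16 * SECTOR             # cluster size from Example 2
MARKER = b"SECRET-INVOICE-4471"   # constructed sample data


def slack_size(logical_size, cluster_size=CLUSTER):
    """Return (clusters allocated, slack bytes): physical size minus logical size."""
    clusters = math.ceil(logical_size / cluster_size)
    return clusters, clusters * cluster_size - logical_size


class ToyVolume:
    """Constructed volume: a flat byte array plus a file table.
    Deleting drops only the table entry; writing never wipes past end-of-file."""

    def __init__(self, n_clusters):
        self.data = bytearray(n_clusters * CLUSTER)
        self.table = {}           # name -> (first cluster, logical size)

    def write(self, name, content, first_cluster=0):
        start = first_cluster * CLUSTER
        self.data[start:start + len(content)] = content
        self.table[name] = (first_cluster, len(content))

    def delete(self, name):
        del self.table[name]      # clusters become free, the bytes stay on disk

    def file_slack(self, name):
        """Bytes between logical end-of-file and the end of the last cluster."""
        first, size = self.table[name]
        _, slack = slack_size(size)
        end_of_file = first * CLUSTER + size
        return bytes(self.data[end_of_file:end_of_file + slack])


def demo():
    vol = ToyVolume(n_clusters=8)
    # Earlier, larger file: fills all 8 clusters, marker placed near the end.
    old = (b"A" * 62000 + MARKER).ljust(8 * CLUSTER, b"A")
    vol.write("old.doc", old)
    vol.delete("old.doc")
    # New, smaller file reuses the same clusters (file size from Example 2).
    vol.write("new.doc", b"B" * 61440)
    return vol.file_slack("new.doc")
```

Calling demo() returns the 4096 slack bytes of new.doc, which still contain the marker from the deleted old.doc.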

Slack Space Vs Unallocated Space

Is There Slack Space in SSD?

Yes, there are slack spaces on an SSD, but instead of these being a part of cluster and file size alignment, the slack space in an SSD relates to the varied sizes of minimum erasable and writeable blocks on a physical level.

However, the SSD erases the slack space as soon as it has additional I/O capacity.

Conclusion

So, now after you have finished reading this article, you know that when you delete a file from your hard drive, it is not deleted.

You can say it is removed, leaving you with unused space where you can store new files.

If a new file stored there is smaller than the previous one, it will create slack space on that cluster.