Searching For Evidence In Slack Space


Slack space is an important form of evidence in the field of forensic investigation. Often, slack space can contain relevant information about a suspect that a prosecutor can use in a trial. To understand why slack space plays an important role in digital forensics, one must first understand how data is stored on computers' hard disk drives.


A hard disk drive (HDD) is a data storage device used for storing and retrieving digital information using one or more rigid ("hard") rapidly rotating disks (platters) coated with magnetic material. The platters are paired with magnetic heads arranged on a moving actuator arm, which read and write data to the platter surfaces. Data is accessed in a random-access manner, meaning that individual blocks of data can be stored or retrieved in any order rather than sequentially. HDDs retain stored data even when powered off. An HDD records data by magnetizing a thin film of ferromagnetic material on a disk. Sequential changes in the direction of magnetization represent binary data bits. The data is read from the disk by detecting the transitions in magnetization. User data is encoded using an encoding scheme, such as run-length limited encoding, which determines how the data is represented by the magnetic transitions.


In computer disk storage, a sector is a fixed-size division of the disk surface. The disk is divided into concentric tracks, and each track is further divided into sectors. Each sector stores a fixed amount of user-accessible data, traditionally 512 bytes for hard disk drives (HDDs) and 2048 bytes for CD-ROMs and DVD-ROMs. Newer HDDs use 4096-byte (4 KB) sectors, which are known as the Advanced Format (AF). Geometrically, the word sector means a portion of a disk between a center, two radii, and a corresponding arc. A sector is the smallest physical unit of storage on a disk. Sectors are accessed and written to at the lowest level of disk operations. Sectors are typically addressed using a Logical Block Addressing (LBA) scheme, where each sector is assigned a unique number.




After a high-level format has been performed, the file system performs read and write operations on the disk in groupings of sectors called blocks (or clusters on Windows). A cluster is the fixed-size storage block used by the file system: a collection of adjacent sectors, and the smallest amount of disk space that can be allocated to store a file. For each newly created file, the file system assigns a specific number of clusters, and every file is stored from the beginning of the cluster or clusters allocated to it. Because the operating system addresses clusters rather than sectors (only the hard drive itself addresses sectors), files are stored on a hard drive in units of clusters, not sectors.


The file system is a systematic arrangement that deals with storing, accessing, and managing files on a storage medium. It handles the internal operations of a disk, and its functionality is abstracted away from users. A typical disk contains its own file system, information about data storage, and rules for how that data may be accessed by any application or user. Other operations of the file system include naming files, folders, or directories and managing access rules, metadata, and user privileges. It also records information such as cluster and sector size, the location of a file, file size, and the hierarchical layout of directories, and it allows all the files and applications on a particular disk to work efficiently. Commonly used file systems include NTFS (New Technology File System), FAT (FAT12, FAT16, FAT32) and exFAT for Windows; ext2, ext3 and ext4 for Linux; Hierarchical File System (HFS) and HFS+ for Mac; and ZFS (Zettabyte File System) for FreeBSD.


Slack Space

In Microsoft Windows operating systems, the default cluster sizes are shown in the table below:


Volume/Partition Size          NTFS Cluster Size
7 MB – 512 MB                  512 bytes
513 MB – 1,024 MB (1 GB)       1 KB
1,025 MB – 2 GB                2 KB
2 GB – 2 TB                    4 KB


As most PCs running a Windows OS have hard disk drives with partitions or volumes greater than 2 GB but less than 2 TB in size, the most common cluster size is 4 KB; each such cluster contains eight 512-byte sectors. To view and verify this information for your live system, enter the following command at a Windows command prompt.


fsutil fsinfo ntfsinfo c:



The area on the hard disk between the end-of-file indicator and the end of the cluster allocated to the file is referred to as the slack space for the file, also called file slack. It occurs naturally because data rarely fills fixed storage locations exactly, and residual data is left behind when a smaller file is written into a cluster previously occupied by a larger file.



File storage entails the allocation of enough whole clusters to hold a file. Thus, a 2 KB file will only fill half of a 4 KB cluster, the balance being slack space. A 13 KB file will tie up four clusters, although just a fraction of the final, fourth cluster is occupied by the file. The balance is slack space, and it could hold fragments of whatever was stored there before. Because it is rare for a file size to be an exact multiple of 4 KB and many stored files are tiny, much drive space is lost to slack space. Using smaller clusters would mean less slack space, but any efficiency gained would come at the cost of unwieldy file tracking and retrieval. Slack space holds forensic artifacts, and those artifacts tend to hang around for a long time. Forensic analysts can examine the slack space to find evidence of file manipulation, deletion, or encryption.


From the previous paragraphs, it can be seen that a file has two different sizes: the logical file size, the actual size of the file, and the physical file size, the space given to the file on the hard drive. The physical file size is always greater than or equal to the logical file size, and the difference between the two is the file slack. File slack can contain anything at all, from fragments of web pages, emails, and even complete small pictures, to junk text. More often than not it is the latter; however, complete EML files and thumbnail pictures have been recovered from slack that can prove an entire case.


The major divisions of file slack are RAM slack and drive slack. Typically, a Windows file system writes to disk in chunks of 512 bytes whenever a file needs to be written. If the last sector in the last cluster is not completely filled, the OS fills that empty space with random data from RAM. This area filled with random data is called RAM slack. RAM slack concerns only the last sector of a file. The remaining sectors that form part of the last cluster allocated by the file system may be left empty, since the file data can be very small in some cases. The OS does not fill this space as it does in the case of RAM slack, and this unfilled area of the remaining sectors is called drive slack. The figure shows the RAM and drive slack in a typical cluster of size 2048 bytes (2 KB). This cluster contains 4 sectors of 512 bytes each, totaling 2048 bytes. It is evident from the figure that the file data consumes the entire first sector and half of the second sector. The remaining half of the second sector will be filled with random data from RAM, generating RAM slack, and sectors 3 and 4 will be left empty; this unused space is the drive slack.
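As an added example (not part of the original post), here is a small Python model of the sizes discussed in the last three paragraphs: for a given logical file size it returns the clusters allocated, the physical size, the total file slack, and the split of that slack into RAM slack and drive slack. The function names and the helper that compares cluster sizes are my own; the defaults assume the 4 KB cluster of eight 512-byte sectors described above.

```python
# Model of how a file occupies whole clusters and how its slack splits into
# RAM slack (unused tail of the last sector the data touches) and drive slack
# (wholly unused sectors of the last cluster). All sizes are in bytes.
# Function names and the slack_ratio helper are assumptions made for this example.

def slack_layout(logical_size: int, cluster_size: int = 4096,
                 sector_size: int = 512) -> dict:
    if cluster_size % sector_size:
        raise ValueError("cluster size must be a whole number of sectors")
    # Whole clusters allocated (integer ceiling division).
    clusters = (logical_size + cluster_size - 1) // cluster_size
    physical_size = clusters * cluster_size
    file_slack = physical_size - logical_size
    # RAM slack: bytes left in the last sector the file data touches.
    # A file that ends exactly on a sector boundary has none.
    ram_slack = (-logical_size) % sector_size
    # Drive slack: the remaining, completely unused sectors of the last cluster.
    drive_slack = file_slack - ram_slack
    return {
        "clusters": clusters,
        "physical_size": physical_size,
        "file_slack": file_slack,
        "ram_slack": ram_slack,
        "drive_slack": drive_slack,
        "drive_slack_sectors": drive_slack // sector_size,
    }

def slack_ratio(file_sizes: list, cluster_size: int = 4096) -> float:
    """Fraction of allocated space that is slack across a set of files; shows
    why smaller clusters waste less space (at the cost of more cluster tracking)."""
    phys = sum(slack_layout(s, cluster_size)["physical_size"] for s in file_sizes)
    slack = sum(slack_layout(s, cluster_size)["file_slack"] for s in file_sizes)
    return slack / phys if phys else 0.0

if __name__ == "__main__":
    # The page's own cases: 2 KB and 13 KB files in 4 KB clusters, and the
    # 768-byte file in the 2 KB cluster of the figure (sectors 3 and 4 empty).
    for size, cl in ((2 * 1024, 4096), (13 * 1024, 4096), (768, 2048)):
        print(size, cl, slack_layout(size, cl))
```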



Slack Space Forensic Analysis

When it comes to analyzing slack space, various tools and techniques are available. I am going to use Brian Carrier's The Sleuth Kit, which is installed by default on Kali Linux, together with the strings command and grep with regular expressions to fetch artifacts of evidentiary value.


I will use the command blkls, which is part of The Sleuth Kit. With this tool you can extract the slack space to a separate file. The -f option specifies the file system type, and the -s option makes blkls extract data from slack space only: for every file on the disk, blkls takes the file size recorded by the file system and outputs the data from the end of that size boundary to the end of the associated cluster.


blkls -f fat -s fatimage.001 > fat-slack.blkls



The slack file will contain binary data that is of no use for keyword searching. Therefore, you need to extract the data that is in plain text. This will make your files significantly smaller and faster to search. The strings command in Linux extracts printable character sequences from a given file. By default, it looks for strings of at least 4 characters in length; you can change this default using the -n option followed by the desired minimum length.


strings -a -t d fat-slack.blkls > fat-slack.str


The option -a (all) makes sure the whole file is searched. The option -t prints the byte offset in the file at which each string was found, and its argument d selects decimal form for that offset.


The resultant output in plaintext is shown below (screenshot not reproduced):



Now we will use the grep command to search the image for any instance of an expression or pattern. We will use a number of options to make the output of grep more useful.


In my test image, the suspect was accused of using Adobe Photoshop to forge a picture with which he hoodwinked an unsuspecting victim, and of subsequently undertaking anti-forensic actions to clear every trace of the use of that software. Using grep to search for any pattern matching Adobe Photoshop in slack space revealed evidence of the presence of the application on the suspect's drive.


grep -i "Adobe" fat-slack.str


In your investigation, you may have many keywords to search for. In this case, you will need to make a list of your search keywords using your favorite text editor, ensuring that each string is on a separate line and enclosed in quotes. Make sure you do not have a new line at the end of your search list file. If you do, you will be searching for all occurrences of a new line!


Now, run the following command:


grep -A 5 -B 5 -i -f searchlist.txt fat-slack.str > hits.txt
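The blkls, strings and grep steps above, emulated in Python over a constructed image so the pipeline can be run offline. This is an added example, not code from the original post or from The Sleuth Kit: the 4-cluster image, the 2048-byte cluster size, the hand-built allocation table FILES (which blkls would read from the FAT) and the stale "Adobe Photoshop" text are all constructed for illustration, and blank lines in the search list are dropped to show the trailing-newline pitfall the text warns about.

```python
import re

# Constructed 4-cluster image (2048-byte clusters) standing in for fatimage.001.
# The allocation table FILES is hand-built; real blkls reads it from the file system.
CLUSTER = 2048
OLD_TEXT = b"Adobe Photoshop CS6 work file, layer: forged-id.psd\r\n"
FILES = {"note.txt": (0, 700), "pic.jpg": (2, 3000)}   # name -> (first cluster, logical size)

def build_image() -> bytes:
    img = bytearray((OLD_TEXT * 200)[: 4 * CLUSTER])          # stale data from an earlier file
    img[CLUSTER : CLUSTER + 20] = b"UNALLOCATED-MARKER\r\n"    # cluster 1 is free, not slack
    img[0:700] = b"meeting notes " * 50                        # note.txt overwrites part of cluster 0
    img[2 * CLUSTER : 2 * CLUSTER + 3000] = b"\xff\xd8" + b"\x00" * 2998   # pic.jpg in clusters 2-3
    return bytes(img)

def extract_slack(img: bytes, files: dict, cluster: int = CLUSTER) -> bytes:
    """Emulates `blkls -s`: for each allocated file, the bytes between the end of its
    logical size and the end of its last cluster. Free clusters are not included."""
    out = bytearray()
    for first, size in files.values():
        start = first * cluster
        last = start + ((size + cluster - 1) // cluster) * cluster
        out += img[start + size : last]
    return bytes(out)

def strings_offsets(data: bytes, minlen: int = 4) -> list:
    """Emulates `strings -a -t d -n minlen`: printable ASCII runs with decimal offsets."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % minlen)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(data)]

def load_search_list(text: str) -> list:
    """One pattern per line as for `grep -f`; blank lines are dropped because an empty
    pattern matches every line (the trailing-newline pitfall)."""
    return [line for line in text.splitlines() if line.strip()]

def keyword_hits(lines: list, patterns: list) -> list:
    """Emulates `grep -i -f searchlist.txt` over the strings output."""
    regs = [re.compile(p, re.IGNORECASE) for p in patterns]
    return [(off, s) for off, s in lines if any(r.search(s) for r in regs)]

if __name__ == "__main__":
    slack = extract_slack(build_image(), FILES)                # blkls -f fat -s fatimage.001
    hits = keyword_hits(strings_offsets(slack), load_search_list("adobe\nphotoshop\n\n"))
    for off, s in hits:
        print(off, s)
```

Note that the offsets are positions within the slack file, as with strings run on fat-slack.blkls, not positions in the original image.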


Keep in mind that slack space holds just a shard of data with its leading bytes overwritten. It may be overwritten minimally or overwritten extensively, but some part is always obliterated. Also, slack space may hold the remnants of multiple deleted files, as overlapping artifacts: files written, deleted, overwritten by new data, deleted again, then overwritten again (just less extensively). Slack can be a real mess.



