Invoke-IR / PowerForensics

PowerForensics provides an all in one platform for live disk forensic analysis
MIT License

Differentiate between RAM Slack and File Slack #136

Open jaredcatkinson opened 8 years ago

jaredcatkinson commented 8 years ago

RAM Slack is defined as the slack space in the last written sector of a file, while file slack is defined as the unwritten sectors left in a cluster.

jaredcatkinson commented 8 years ago

Not sure if these should be implemented as unique cmdlets or as options on Get-FileSlack.

jaredcatkinson commented 8 years ago

For example, if an NTFS volume has a cluster size of 4096 bytes, then all files allocate bytes in 4096-byte chunks. So if a file contains 100 bytes of content, then 4096 bytes will be allocated. In general, Slack Space is the 3996 bytes that are allocated but not used by the file system.

When differentiating between RAM slack space and file slack space, one must consider the size of a sector. Disks must be written to in sector-size chunks (typically 512 bytes). RAM slack space is the sector's unused area, so in our example the final 412 bytes of the file's first sector make up the RAM slack. The remaining seven sectors (bytes 512 - 4096) are considered file slack.
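The split described in the comments above, written out as an added PowerShell example. This is not code from PowerForensics or from the issue author; the function names `Get-SlackLayout` and `Get-SlackBytes`, the choice to report offsets relative to the file's last cluster, and the constructed cluster buffer are all assumptions of this example. It covers the two edge cases the comment's numbers do not show: a file that ends exactly on a sector boundary (no RAM slack, only file slack) and a file that ends exactly on a cluster boundary (no slack at all).

```powershell
# Added example, not PowerForensics code. Models the RAM-slack / file-slack
# split for a non-resident NTFS file. Offsets are relative to the start of the
# file's LAST cluster (the only cluster that can contain slack); mapping that
# cluster to a disk offset through the file's data runs is outside this example.
function Get-SlackLayout {
    param(
        [Parameter(Mandatory)][uint64]$FileSize,
        [uint32]$SectorSize  = 512,
        [uint32]$ClusterSize = 4096
    )
    if ($SectorSize -eq 0 -or $ClusterSize % $SectorSize -ne 0) {
        throw "ClusterSize must be a non-zero multiple of SectorSize"
    }
    # Bytes of real content inside the last cluster. 0 means the file ends on
    # a cluster boundary (or is empty), so the cluster holds no slack at all.
    $used = [uint32]($FileSize % $ClusterSize)
    if ($used -eq 0) {
        $ram = 0; $file = 0
    } else {
        # RAM slack: the remainder of the last sector that contains file data.
        # A file ending exactly on a sector boundary has none.
        $ram  = if ($used % $SectorSize -eq 0) { 0 } else { $SectorSize - ($used % $SectorSize) }
        # File slack: the untouched whole sectors after it, to the cluster end.
        $file = $ClusterSize - $used - $ram
    }
    [pscustomobject]@{
        FileSize        = $FileSize
        SectorSize      = $SectorSize
        ClusterSize     = $ClusterSize
        RamSlackOffset  = $used          # offset within the last cluster
        RamSlackLength  = $ram
        FileSlackOffset = $used + $ram
        FileSlackLength = $file
        TotalSlack      = $ram + $file
    }
}

# Pull the two slack regions out of a buffer holding the file's last cluster.
function Get-SlackBytes {
    param(
        [Parameter(Mandatory)][byte[]]$LastCluster,
        [Parameter(Mandatory)]$Layout
    )
    if ($LastCluster.Length -ne $Layout.ClusterSize) {
        throw "Buffer length does not match the layout's cluster size"
    }
    $ram  = New-Object byte[] $Layout.RamSlackLength
    $file = New-Object byte[] $Layout.FileSlackLength
    # Array.Copy handles zero-length regions cleanly, unlike range slicing.
    [Array]::Copy($LastCluster, $Layout.RamSlackOffset,  $ram,  0, $ram.Length)
    [Array]::Copy($LastCluster, $Layout.FileSlackOffset, $file, 0, $file.Length)
    [pscustomobject]@{ RamSlack = $ram; FileSlack = $file }
}

# Usage with the issue's numbers: 100-byte file, 512-byte sectors, 4096-byte
# cluster. The buffer is constructed: the first 100 bytes ('A') stand in for
# the live file content, and the rest is filled with 'Z' to represent stale
# data left behind by a previous occupant of the cluster, which is exactly
# what slack analysis tries to recover.
$layout  = Get-SlackLayout -FileSize 100 -SectorSize 512 -ClusterSize 4096
$cluster = New-Object byte[] 4096
for ($i = 0; $i -lt 4096; $i++) { $cluster[$i] = 0x5A }   # stale data
for ($i = 0; $i -lt 100;  $i++) { $cluster[$i] = 0x41 }   # live content
$slack   = Get-SlackBytes -LastCluster $cluster -Layout $layout
$layout | Format-List
'RAM slack bytes : {0}' -f $slack.RamSlack.Length
'File slack bytes: {0}' -f $slack.FileSlack.Length

# Edge cases: a 1024-byte file ends on a sector boundary (RAM slack 0, file
# slack 3072); a 4096-byte file ends on a cluster boundary (no slack at all).
Get-SlackLayout -FileSize 1024 | Format-List
Get-SlackLayout -FileSize 4096 | Format-List
```

For the issue's example this reports 412 bytes of RAM slack (cluster offset 100) and 3584 bytes of file slack (cluster offset 512), matching the seven untouched sectors described above. Keeping the two regions separate in the returned object is what would let a single `Get-FileSlack` expose them through a switch parameter rather than needing two cmdlets.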