Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Forensics BACS 371

Published byMaxim Luman Modified over 9 years ago

Similar presentations

Presentation on theme: "Computer Forensics BACS 371"— Presentation transcript:

1 Computer Forensics BACS 371
File Slack Summary

2 Places to hide evidence
4/14/2017 Places to hide evidence Evidence can be hidden in many places within a disk. The notion of “empty space” on a disk is more complicated than you might suspect. The question becomes “what are the different types of empty space?” Unused (bad blocks, deleted file space, network protocol fields) Unallocated space (free space, unused sectors) File slack (unused space at the end of each file) (c) ITT Educational Services, Inc.

3 File Collection of Information written to a disk
Generally created in an application-specific format Occupies a fixed number of clusters Each file’s cluster has a pointer to the next cluster in the file The final cluster contains the End of File (EOF) marker

4 Files Logical File Size Physical File Size File Slack
Exact size of contents of file in bytes Physical File Size Amount of space a file occupies on disc in bytes File Slack Unused space between logical end of file and physical end of a cluster Two types: RAM slack and Disk Slack Physical File Size <- Logical File Size -> <- File Slack ->

5 File Slack What does File Slack Contain? Who knows??!!
Old data that was deleted but not overwritten yet May contain remnants of older files, or other evidence including Passwords Old directory structures Miscellaneous information ….

6 File Slack Example Hello World! Has 12 Characters in the file
But occupies 4096 bytes on the disk!

7 File Slack Example

8 File Slack Example File Contents: “Hello world!” 12 bytes 3rd Sector
Disk Slack: 4096 Bytes – 512 Bytes = 3584 Bytes RAM slack – to the end of the sector DISK slack – to the end of the cluster Assumptions: Sector Size = 512 Bytes Cluster Size = 4KB = 8 Sectors 2nd Sector RAM Slack: 512 bytes – 12 bytes = 500 bytes

9 File Slack Summary RAM Slack Disk Slack
Unused space at the end of a sector. Contains information adjacent to the stored information from Main Memory (RAM). Example: The file has only 12 characters, but must write a minimum 512-byte block to the disk – the other 500 characters are whatever happen to be in RAM at the time. Disk Slack Unused space at the end of the cluster. Contains information left over on the disk from prior files. Example: The file system must always write in multiples of clusters (4096 bytes in this case.) The other 3584 bytes (7 sectors) are filled with whatever used to be in the clusters before they were marked for deletion.

Download ppt "Computer Forensics BACS 371"

Similar presentations

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
Operating Systems File Management.

Operating Systems File Management.
Chapter 4 : File Systems What is a file system?

Chapter 4 : File Systems What is a file system?
Text Searches Slack Space Unallocated Space

Text Searches Slack Space Unallocated Space
Computer Data Forensics Drive Slack and Format – Lab 2 Concept Joe Cleetus Concurrent Engineering Research Center, Lane Dept of Computer Science and Engineering,

Computer Data Forensics Drive Slack and Format – Lab 2 Concept Joe Cleetus Concurrent Engineering Research Center, Lane Dept of Computer Science and Engineering,
SEMINAR ON FILE SLACK AND DISK SLACK

SEMINAR ON FILE SLACK AND DISK SLACK
BACS 371 Computer Forensics

BACS 371 Computer Forensics
File System Analysis.

File System Analysis.
File Systems.

File Systems.
File Management Systems

File Management Systems
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.

Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.
METU Department of Computer Eng Ceng 302 Introduction to DBMS Disk Storage, Basic File Structures, and Hashing by Pinar Senkul resources: mostly froom.

METU Department of Computer Eng Ceng 302 Introduction to DBMS Disk Storage, Basic File Structures, and Hashing by Pinar Senkul resources: mostly froom.
1 Friday, July 07, 2006 “Vision without action is a daydream, Action without a vision is a nightmare.” - Japanese Proverb.

1 Friday, July 07, 2006 “Vision without action is a daydream, Action without a vision is a nightmare.” - Japanese Proverb.
Copyright © 2007 Ramez Elmasri and Shamkant B. Navathe Chapter 13 Disk Storage, Basic File Structures, and Hashing.

Copyright © 2007 Ramez Elmasri and Shamkant B. Navathe Chapter 13 Disk Storage, Basic File Structures, and Hashing.
Avishai Wool lecture 12 - 1 Introduction to Systems Programming Lecture 12 File Systems.

Avishai Wool lecture Introduction to Systems Programming Lecture 12 File Systems.
Wince File systems. File system on embedded File system choice on embedded is important –File system size can be an issue –Different media are used –

Wince File systems. File system on embedded File system choice on embedded is important –File system size can be an issue –Different media are used –
Basic File Recovery Techniques BACS 371 Computer Forensics.

Basic File Recovery Techniques BACS 371 Computer Forensics.
Files & Partitions BACS 371 Computer Forensics. Data Hierarchy Computer Hard Disk Drive Partition File Physical File Logical File Cluster Sector Word.

Files & Partitions BACS 371 Computer Forensics. Data Hierarchy Computer Hard Disk Drive Partition File Physical File Logical File Cluster Sector Word.
BACS 371 Computer Forensics

BACS 371 Computer Forensics

Similar presentations

Ads by Google