Joe Cleetus Concurrent Engineering Research Center, Lane Dept of Computer Science and Engineering, WVU. Computer Data Forensics Drive Slack and Format – Lab 2 Concept. Slack – Definition. The amount of disk space that is wasted by having a large cluster size.
Concurrent Engineering Research Center,
Lane Dept of Computer Science and Engineering, WVU
Cluster size: This is the smallest amount of hard disk space a file can occupy. Floppies have a cluster size of 512 bytes and hard disks can have a cluster size ranging from 1 kilobyte to 16/32/64 kilobytes (sometimes even more). The larger the partition the larger the cluster size.
Slack, an artifact of the OS file system, is a godsend to forensic investigators
Beginning of file
End of file
Quick Format vs Complete Format:
FORMAT C: non-destructive FAT, all clusters are shown as unused, so all pointers are reset, and the root directory is cleared.
FORMAT A:/Q also high level
FORMAT A:/U low-level format (U= unconditional)
On HD low-level formatting is done at the factory. There are non-DOS utilities that write only sector IDs to make them readable
Function: Write contents of slack space on drive to a file.
Platform: MS-DOS, Windows 3.x, Windows 9x (console mode)
To estimate output file space needed:
GETSLACK drive: [drive:...]
To write free space to an output file:
GETSLACK filename drive: [drive:...]
More than one drive may be specified.
In addition: /f may be specified anywhere on the command line to filter non-printable values from the output, and /l may be specified anywhere on the command line to limit the size of the output file from the default size of 2.1 GB. (i.e. /l:xxx would set the size to any size less than 2.1 GB.)
TextSearch Plus is compatible with FAT 12, FAT 16 and FAT 32 systems. The program also identifies graphic files (potential steg) and performs text search of files, file slack, unallocated space and physical sectors. This program has been validated by and is used by numerous Fortune 500 corporations, all of the Big 5 accounting firms and several government agencies that deal with classified data.
It is used to aid in the identification of ASCII text, word combinations, passwords, network logons and English language text strings. Such identification is made from ambient data, i.e. data found in Windows swap files and files created from file slack and unallocated space. This program is primarily used to identify ‘unknowns’ and thus aid in the creation of keyword lists for use with forensic text search programs. The program is also ideal for identification of security risks and corporate policy violations.
FILTER (Option 1)
This option is used to filter a specific file and to replace all occurrences of non-ASCII data with spaces. When this option is used the resulting file remains the same as the original.
FILTER (Option 2)
This option is used to filter a specific file and to replace all occurrences of non-ASCII data with one space per group of non-ASCII data. When this option is used the resulting file is smaller than the original.
GRAMMAR (Option 3)
This option relies upon a predefined listing of common English words that are embedded into the program. This feature can be useful in the identification of data that may contain fragments of e-mail messages or word processing documents. This option normally results in a smaller output file when compared with the output of the first and second options.
INTEL (Option 4)
This option relies upon a fuzzy logic technique to identify English Language patterns. This feature can be useful in the identification of data that may contain the logon or password of the computer user involved. This option normally results in a smaller output file when compared with the output of the first option.
NAMES (Option 5)
This option was created at the request of the Royal Canadian Mounted Police. The option is used to identify names of individuals listed in computer data. Many times criminal associates are involved but their existence or identity is unknown to law enforcement. When this feature is used, it sifts through huge files and identifies individuals who may be associated with the user of the computer. The output from this option normally results in a smaller output file when compared with the output of the first option.