Security Forums: Computer Forensics and Incident Response

File slack
dingarules
Just Arrived
Joined: 14 Jan 2008
Posts: 0

PostPosted: Fri Jan 25, 2008 12:27 am    Post subject: File slack

I understand what file slack is, and its potential use in digital forensics.
What I don't understand is why the OS would dump random memory into file slack?
It is said that file slack is created at the time a file is saved to disk, and potentially important data may be saved in the file slack, but why would the OS do that? Is there any practical value in doing it?
The_Real_Gandalf
Trusted SF Member
Joined: 14 Apr 2004
Posts: 0
Location: Athens, Greece

PostPosted: Thu Feb 07, 2008 3:41 pm

Yes... but it can not be done in an automatic way.

Paging file, memory dump and other bit/byte files could be hidden there, by a user's intervention with programming skills, as a way to erase/hide clues of his actions while calling system APIs. This will make his actions invisible to people who are not familiar with slack spaces.

In other words, a simple tech guy won't be able to find out if there is any weird action going on, if all the memory dump is stored in that area.


Gandalf
capi
SF Senior Mod
Joined: 21 Sep 2003
Posts: 16777097
Location: Portugal

PostPosted: Thu Feb 07, 2008 10:11 pm

dingarules wrote:
It is said that file slack is created at the time a file is saved to disk, and potentially important data may be saved in the file slack, but why would the OS do that? Is there any practical value in doing it?

This is not something done on purpose; it's the natural result of overwriting previously existing data.

In most common filesystems, when you erase a file, its contents aren't physically erased from the disk. The filesystem simply forgets about the existence of that file, and declares the space previously occupied by its data to be free. New files (or old files that grow) will overwrite free areas, but whenever their size is not a multiple of the filesystem's disk allocation unit ("cluster" in FAT terms), a portion of the last allocation unit will remain non-overwritten. Since a given allocation unit (cluster) can only be allocated to a single file, this wasted space will never be overwritten, unless the file it belongs to grows in size (or is itself deleted, thus freeing up the allocation unit for some other file).

Think of it like a cassette tape, where you record a song over a previously existing one, but the old song was longer than the new one. Normally, you'll only play up until the end of the new song, but the old stuff is still there after that, and can be recovered by anyone who looks at the whole tape.
The_Real_Gandalf
Trusted SF Member
Joined: 14 Apr 2004
Posts: 0
Location: Athens, Greece

PostPosted: Fri Feb 08, 2008 11:54 am

This is a very good and quite explanatory link, if you care to take a look.

http://www.forensics-intl.com/def6.html

Gandalf
dingarules
Just Arrived
Joined: 14 Jan 2008
Posts: 0

PostPosted: Sun Feb 17, 2008 4:07 am    Post subject: Thanks, but my question still not answered.

The following is a quote from the link Gandalf provided. My question again is: why does the OS dump RAM data to pad the remaining space in the last sector? Is it because it is easier to do than padding with zeros/ones?

========================
If there is not enough data in the file to fill the last sector in a file, DOS/Windows makes up the difference by padding the remaining space with data from the memory buffers of the operating system. This randomly selected data from memory is called RAM Slack because it comes from the memory of the computer. RAM Slack can contain any information that may have been created, viewed, modified, downloaded or copied during work sessions that have occurred since the computer was last booted. Thus, if the computer has not been shut down for several days, the data stored in file slack can come from work sessions that occurred in the past.
capi
SF Senior Mod
Joined: 21 Sep 2003
Posts: 16777097
Location: Portugal

PostPosted: Sun Feb 17, 2008 2:38 pm

That is not an accurate description of how modern filesystem implementations store data. A filesystem doesn't just "select random data from RAM buffers" to do the padding. Padding, when necessary, is done with zeroes (or some other equally non-informative source, such as e.g. on cryptographic systems by using pseudo-random data). An implementation that writes out memory buffers to disk for use as padding, without clearing the data first, is broken, period.

Data leaks occur at the level of previously existing data on the disk, which hasn't been overwritten (either because it's free space or because it's a leftover part of the last allocation unit of a file).
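To make capi's two points above concrete (slack is the never-overwritten remainder of a file's last allocation unit, and the padding of a partial sector should be zeroes, not memory-buffer contents), here is an added toy model; it is not code from this thread or from any real filesystem, and `ToyDisk`, `STALE` and the sector/cluster sizes are constructed for illustration.

```python
SECTOR = 8                   # bytes per sector (constructed toy size)
CLUSTER = 2 * SECTOR         # allocation unit ("cluster") = 2 sectors
STALE = b"BUFFRLEFTOVER!!!"  # constructed stand-in for an uncleared OS I/O buffer

class ToyDisk:
    def __init__(self, nclusters=4):
        self.media = bytearray(CLUSTER * nclusters)  # raw bytes on the platter
        self.owner = [None] * nclusters              # cluster -> file name, None = free
        self.files = {}                              # name -> (clusters, logical length)

    def write(self, name, data, zero_pad=True):
        """Write sector by sector into free clusters. A partial last sector is
        padded with zeroes, or with STALE bytes when zero_pad=False (the leaky
        behaviour the quoted text describes). Sectors of the last cluster that
        receive no data are not written at all, so old bytes survive there."""
        nclus = -(-len(data) // CLUSTER)
        free = [i for i, o in enumerate(self.owner) if o is None]
        if len(free) < nclus:
            raise OSError("disk full")
        chosen = free[:nclus]
        for s in range(-(-len(data) // SECTOR)):   # only sectors that hold data
            chunk = data[s * SECTOR:(s + 1) * SECTOR]
            chunk += (b"\x00" * SECTOR if zero_pad else STALE)[len(chunk):SECTOR]
            off = chosen[s * SECTOR // CLUSTER] * CLUSTER + (s * SECTOR) % CLUSTER
            self.media[off:off + SECTOR] = chunk
        for c in chosen:
            self.owner[c] = name
        self.files[name] = (chosen, len(data))

    def delete(self, name):
        for c in self.files.pop(name)[0]:
            self.owner[c] = None   # bookkeeping only; the bytes stay on the media

    def read(self, name):
        clusters, length = self.files[name]
        raw = b"".join(self.media[c * CLUSTER:(c + 1) * CLUSTER] for c in clusters)
        return bytes(raw[:length])

    def slack(self, name):
        """Everything in the file's last cluster beyond its logical end."""
        clusters, length = self.files[name]
        start, used = clusters[-1] * CLUSTER, length - (len(clusters) - 1) * CLUSTER
        return bytes(self.media[start + used:start + CLUSTER])

def demo(zero_pad=True):
    """32-byte file fills clusters 0-1, is deleted, then a 5-byte file reuses cluster 0."""
    d = ToyDisk()
    d.write("old.txt", b"old-secret-data-old-secret-data!")
    d.delete("old.txt")
    d.write("new.txt", b"hello", zero_pad=zero_pad)
    return d.read("new.txt"), d.slack("new.txt")
```

Reading `new.txt` returns only `hello`, while its slack still holds the second sector of the deleted file in both modes; only the three padding bytes of the partial sector differ between the zero-padding and the stale-buffer variant.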
Groovicus
Trusted SF Member
Joined: 19 May 2004
Posts: 9
Location: Centerville, South Dakota

PostPosted: Sun Feb 17, 2008 4:02 pm

Quote:
A filesystem doesn't just "select random data from RAM buffers" to do the padding.

Actually, it is my understanding that it does exactly that; or maybe I am misunderstanding. I think I originally found that in my file system forensics book by Brian Carrier, and I can find that same claim on numerous websites. Windows uses zeroes when padding RAM slack.

Quote:
If there is not enough data in the file to fill the last sector in a file, DOS/Windows makes up the difference by padding the remaining space with data from the memory buffers of the operating system. This randomly selected data from memory is called RAM Slack because it comes from the memory of the computer.

http://www.forensics-intl.com/def6.html

Or alternatively, my wife switched me to decaf again, and I am having caffeine withdrawal.

Quote:
An implementation that writes out memory buffers to disk for use as padding, without clearing the data first, is broken, period.

That's what I think also, but it sure makes for a potential goldmine of information.