Computer Data Forensics: Drive Slack and Format – Lab 2 Concept. Joe Cleetus, Concurrent Engineering Research Center, Lane Dept of Computer Science and Engineering, WVU

Slack – Definition
Slack is the disk space that is wasted by having a large cluster size. For example, if a 300-byte file is stored on a disk with a cluster size of 1,024 bytes, there will be 724 bytes of slack space that can't be used for any other file.
You can see how much space is allocated to a file by typing "DIR /v" at the command prompt.
Cluster size: the smallest amount of hard disk space a file can occupy. Floppies have a cluster size of 512 bytes; hard disks can have a cluster size ranging from 1 kilobyte to 16/32/64 kilobytes (sometimes even more). The larger the partition, the larger the cluster size.

RAM Slack
Clusters are made up of sectors.
If the file size is not an exact multiple of the sector size, the last sector is padded with bytes from memory; this padding is called RAM slack. For example, a 300-byte file written to a disk with 512-byte sectors leaves the rest of its last sector to be filled from memory.
RAM slack can contain any information in memory that may have been created, viewed, modified, downloaded or copied during work sessions.
RAM slack occurs only in the sector of a file immediately after the last file character.
RAM slack is produced by the fact that the disk is written from a 512-byte memory buffer.

Drive Slack
Drive slack occurs, in addition to RAM slack, when a file is recorded and the padding required extends to more than one sector.
The sector containing the last character of the file, from that character up to the end of the sector, is entirely RAM slack.
The following padding sector(s) contain drive slack.
Drive slack consists of whatever those extra sectors contained on the disk before this file was written.
Hence drive slack may hold pieces of previously deleted files, or the format padding characters (if the space was unused since formatting).

Drive Slack example
Assume a 2-sector cluster size and a file written with the characters "Hello". Then the data on disk looks as follows (RAM slack is indicated by "+", drive slack by "-"):

Hello++++++++++++++++...++++++|-------------------------...-------- (EOF)
      sector 1: "Hello" + RAM slack      |  sector 2: drive slack

Slack Persists
File slack is created when the data is written to disk.
When the file is deleted by normal OS utilities, the data remains intact, but the space it occupied is deallocated in the FAT.
The data remains intact until that space is allocated to, and overwritten by, another file.
So the slack contained in the last cluster (RAM + drive slack) of the deleted file also remains.

Significance of Slack
File slack contains random data dumped from memory. Hence it may have passwords, logon names, phone numbers, and other sensitive information.
Slack can have traces that indicate the past uses to which the computer has been put.
Slack could be large (hundreds of MB), but it deserves a thorough analysis.
Fragments of word processor text, etc. can show up.
Slack, an artifact of the OS file system, is a godsend to forensic investigators.

References
File slack, RAM slack and drive slack defined: _understanding_terms.htm

Slack – Example of a Document
A single document leaves slack in several files, each with its own beginning and end of file and its own slack: the document itself, Temp 1, the timed backup, the printer (spool) file, Temp 2, and the swap file.

Slack Notes
For a single document, there are many places it may be found.
Judges think you have only one piece of evidence – wrong!
If you even take a floppy from a classified computer and print on another, the print spooling file contains the data.

Format
Quick Format vs Complete Format:
Quick Format is the high-level format. High-level formatting is non-destructive, because it leaves data untouched, but it frees all the clusters in the FAT table. It logically creates disk space, i.e., it creates a boot record, FAT table, and root directory.
e.g. FORMAT C: – non-destructive: in the FAT all clusters are shown as unused, so all pointers are reset, and the root directory is cleared. FORMAT A:/Q is also a high-level format.
Complete Format is the low-level format. Low-level formatting destroys data by writing a pattern all through the sectors of the clusters. It physically creates sectors and tracks.
e.g. FORMAT A:/U – low-level format (U = unconditional). On a hard disk, low-level formatting is done at the factory.
There are non-DOS utilities that write only sector IDs to make them readable.
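The slides on RAM slack, drive slack, slack persisting after deletion, and quick vs complete format all describe the same mechanics on a FAT-style volume. The following toy model, added here as an illustration and not part of the lecture or of any NTI tool, puts them in one place: files are written through a 512-byte buffer into 2-sector clusters (the sizes on the slides), deletion only clears the FAT entry, and the two formats differ in whether the media is overwritten. The 0xF6 filler byte, the stale "memory buffer" contents and the file contents are constructed values; the single-cluster-file restriction is a simplification of this model, not a property of FAT.

```python
"""Toy FAT-style volume: RAM slack, drive slack, slack surviving deletion,
and quick vs. complete format. Added example, not the lecture's code.
Sizes follow the slides (512-byte sectors, 2-sector clusters); the 0xF6
filler, stale buffer contents and file contents are constructed."""

SECTOR = 512                      # the 512-byte write buffer named on the slides
SECTORS_PER_CLUSTER = 2           # as in the "Hello" example
CLUSTER = SECTOR * SECTORS_PER_CLUSTER
NUM_CLUSTERS = 8
FILLER = b"\xf6"                  # assumed format padding byte


class ToyVolume:
    """Single-cluster files only; just enough structure to show where slack comes from."""

    def __init__(self, memory_buffer: bytes):
        self.media = bytearray(FILLER * (CLUSTER * NUM_CLUSTERS))
        self.fat = [0] * NUM_CLUSTERS        # 0 = free, 1 = allocated
        self.root = {}                       # name -> (cluster, size)
        self.memory_buffer = memory_buffer   # stale bytes the OS buffer happens to hold

    def write_file(self, name: str, data: bytes) -> None:
        if len(data) > CLUSTER:
            raise ValueError("toy model: files must fit in one cluster")
        c = self.fat.index(0)                # first free cluster
        self.fat[c] = 1
        self.root[name] = (c, len(data))
        base = c * CLUSTER
        full, tail = divmod(len(data), SECTOR)
        self.media[base:base + full * SECTOR] = data[:full * SECTOR]
        if tail:
            # The OS flushes a whole 512-byte buffer: the file's final bytes followed
            # by whatever stale memory sat after them. That stale part is RAM slack.
            off = base + full * SECTOR
            self.media[off:off + SECTOR] = data[full * SECTOR:] + self.memory_buffer[tail:SECTOR]
        # Sectors of the cluster that were never written keep their old content: drive slack.

    def slack(self, name: str) -> tuple[bytes, bytes]:
        """(RAM slack, drive slack) of a file, as a GETSLACK-style tool would carve them."""
        c, size = self.root[name]
        base = c * CLUSTER
        full, tail = divmod(size, SECTOR)
        touched = full + (1 if tail else 0)             # sectors the write actually hit
        ram = bytes(self.media[base + size: base + touched * SECTOR])
        drive = bytes(self.media[base + touched * SECTOR: base + CLUSTER])
        return ram, drive

    def delete(self, name: str) -> None:
        """Normal OS delete: directory entry and FAT entry released, media untouched."""
        c, _ = self.root.pop(name)
        self.fat[c] = 0

    def quick_format(self) -> None:
        """High-level format: FAT and root directory reset, cluster contents untouched."""
        self.fat = [0] * NUM_CLUSTERS
        self.root = {}

    def complete_format(self) -> None:
        """Destructive format: every sector overwritten with the filler pattern."""
        self.quick_format()
        self.media[:] = FILLER * len(self.media)

    def carve(self, needle: bytes) -> list[int]:
        """Offsets where `needle` appears on the raw media, ignoring the FAT entirely."""
        hits, i = [], self.media.find(needle)
        while i != -1:
            hits.append(i)
            i = self.media.find(needle, i + 1)
        return hits


def build_demo() -> ToyVolume:
    # Constructed stale memory: pretend the write buffer last held a logon form.
    stale = (b"user=jdoe&pass=hunter2&" * 32)[:SECTOR]
    vol = ToyVolume(memory_buffer=stale)
    vol.write_file("OLD.TXT", b"previously deleted memo about the merger " * 20)  # 820 bytes
    vol.delete("OLD.TXT")                        # cluster 0 freed, bytes still on media
    vol.write_file("HELLO.TXT", b"Hello")        # reuses cluster 0: sector 0 rewritten, sector 1 not
    vol.write_file("NEW.TXT", b"fresh file")     # cluster 1: never used since formatting
    return vol


def survives_quick_format(vol: ToyVolume) -> bool:
    vol.quick_format()
    return bool(vol.carve(b"Hello")) and bool(vol.carve(b"merger"))


def survives_complete_format(vol: ToyVolume) -> bool:
    vol.complete_format()
    return bool(vol.carve(b"Hello")) or bool(vol.carve(b"merger"))


if __name__ == "__main__":
    v = build_demo()
    ram, drive = v.slack("HELLO.TXT")
    print("RAM slack  :", len(ram), "bytes, starts", ram[:24])
    print("Drive slack:", len(drive), "bytes, starts", drive[:24])
    print("survives quick format   :", survives_quick_format(v))
    print("survives complete format:", survives_complete_format(v))
```

Running it shows the three cases from the slides side by side: HELLO.TXT's RAM slack is 507 bytes of the stale logon form, its drive slack is the second sector of the deleted memo, and NEW.TXT's drive slack is pure format filler. After the quick format the FAT and root directory are empty but carving the raw media still finds both "Hello" and the memo; only the complete format removes them.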

Utility for Lab 2: Diskedit, NTI GETSLACK
Function: write the contents of slack space on a drive to a file.
Platform: MS-DOS, Windows 3.x, Windows 9x (console mode)
Invocation:
To estimate the output file space needed: GETSLACK drive: [drive:...]
To write free space to an output file: GETSLACK filename drive: [drive:...]
More than one drive may be specified.
In addition, /f may be specified anywhere on the command line to filter non-printable values from the output, and /l may be specified anywhere on the command line to limit the size of the output file from the default size of 2.1 GB (i.e. /l:xxx would set the size to any size less than 2.1 GB).

Utility for Lab 2: NTI TXTSRCHP
TextSearch Plus is compatible with FAT 12, FAT 16 and FAT 32 systems.
The program also identifies graphic files (potential steganography carriers) and performs text search of files, file slack, unallocated space and physical sectors.
This program has been validated by and is used by numerous Fortune 500 corporations, all of the Big 5 accounting firms and several government agencies that deal with classified data.

Utility for Lab 2: NTI FILTER_I
FILTER_I is used to aid in the identification of ASCII text, word combinations, passwords, network logons and English-language text strings.
Such identification is made from ambient data, i.e. data found in Windows swap files and in files created from file slack and unallocated space.
This program is primarily used to identify "unknowns" and thus aid in the creation of keyword lists for use with forensic text search programs.
The program is also ideal for identification of security risks and corporate policy violations.

Utility for Lab 2: NTI FILTER_I (continued)
FILTER (Option 1): filters a specific file and replaces all occurrences of non-ASCII data with spaces. When this option is used, the resulting file remains the same size as the original.
FILTER (Option 2): filters a specific file and replaces each group of non-ASCII data with one space. When this option is used, the resulting file is smaller than the original.

Utility for Lab 2: NTI FILTER_I (continued)
GRAMMAR (Option 3): relies upon a predefined list of common English words embedded in the program. This feature can be useful in the identification of data that may contain fragments of messages or word processing documents. This option normally results in a smaller output file than the first and second options.
INTEL (Option 4): relies upon a fuzzy logic technique to identify English-language patterns. This feature can be useful in the identification of data that may contain the logon or password of the computer user involved. This option normally results in a smaller output file than the first option.
NAMES (Option 5): created at the request of the Royal Canadian Mounted Police. The option is used to identify names of individuals listed in computer data. Many times criminal associates are involved but their existence or identity is unknown to law enforcement. When this feature is used, it sifts through huge files and identifies individuals who may be associated with the user of the computer. This option normally results in a smaller output file than the first option.
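The three FILTER_I slides describe what each pass does to ambient data but not how it behaves on real bytes. The following Python, added here as an illustration and not NTI's code, re-implements the first three options over a constructed block of "slack-like" data so the size relationships on the slides (Option 1 keeps the length, Option 2 shrinks it, Option 3 shrinks it further) can be seen. Which bytes count as "ASCII text" and the tiny embedded word list are assumptions standing in for NTI's internal definitions; the sample logon fragment is a constructed value.

```python
"""FILTER_I-style passes over ambient data. Added example for this page, not
NTI's code: the byte classes and the word list are assumptions based on the
slide descriptions; SAMPLE is constructed."""
import re

# Bytes treated as text: printable ASCII 0x20-0x7E plus tab, LF, CR (assumption).
_TEXT = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

# Constructed "ambient data": text fragments surrounded by binary junk, the kind of
# thing GETSLACK writes out from file slack or unallocated space.
SAMPLE = (b"\x00\x00\x00Meeting moved to 10am, bring the Q3 report\xff\xfe\x01\x02"
          b"logon=jdoe\x00\x00\x80\x81\x82send draft to Alice\x00")

# Small stand-in for the common-English word list FILTER_I embeds (assumption).
COMMON_WORDS = {"the", "to", "and", "a", "of", "in", "is", "it", "you", "that",
                "meeting", "moved", "bring", "report", "send", "draft", "am", "pm"}


def filter_option1(data: bytes) -> str:
    """Option 1: every non-text byte becomes one space; output length == input length."""
    return "".join(chr(b) if b in _TEXT else " " for b in data)


def filter_option2(data: bytes) -> str:
    """Option 2: each run of non-text bytes collapses to a single space; output shrinks."""
    out, in_junk = [], False
    for b in data:
        if b in _TEXT:
            out.append(chr(b))
            in_junk = False
        elif not in_junk:
            out.append(" ")
            in_junk = True
    return "".join(out)


def text_runs(data: bytes, min_len: int = 4) -> list[str]:
    """Maximal runs of text bytes at least min_len long (the 'strings' view of the data)."""
    runs, cur = [], []
    for b in data:
        if b in _TEXT:
            cur.append(chr(b))
            continue
        if len(cur) >= min_len:
            runs.append("".join(cur))
        cur = []
    if len(cur) >= min_len:
        runs.append("".join(cur))
    return runs


def grammar_option3(data: bytes, min_hits: int = 2) -> list[str]:
    """Option 3 (approximation): keep only runs containing at least min_hits dictionary words,
    which drops isolated tokens like a bare logon string but keeps message fragments."""
    kept = []
    for run in text_runs(data):
        words = re.findall(r"[A-Za-z]+", run.lower())
        if sum(w in COMMON_WORDS for w in words) >= min_hits:
            kept.append(run)
    return kept


if __name__ == "__main__":
    print("input bytes :", len(SAMPLE))
    print("option 1    :", len(filter_option1(SAMPLE)), "chars")
    print("option 2    :", len(filter_option2(SAMPLE)), "chars:", filter_option2(SAMPLE))
    print("option 3    :", grammar_option3(SAMPLE))
```

Note that Option 3 as modelled here discards the `logon=jdoe` fragment because it contains no dictionary words; that is exactly why the slides pair the GRAMMAR pass with the INTEL pass, which targets logon and password patterns rather than English prose.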