To understand slack space you must first understand how a computer manages files. This is quite simple. When you create a file, such as a Word document, your computer assigns it a place in the File Allocation Table (FAT), creates a directory entry and saves the file to a cluster on the hard drive. For now we will call the file "forensics.docx" and pretend the document is 3 pages long with approximately 900 words and 7100 characters. (Characters include each letter of a word and the spaces in between; they are basically each keystroke the computer records.)

To simplify further, the computer basically files the document away using its own storage system. The real-world equivalent is a doctor's office labeling a manila folder with your name and a unique identifying number (this is like the FAT on a computer) so they can find it more easily when you return, and then placing that folder in their records room (this is like the hard drive). The directory in an office setting is the nurse's knowledge of the office's record keeping. For example, they may file all patients by birth date and an initial for their last name, resulting in a number such as 19841201B. On a computer you would see the directory as something like "C://User/Documents/forensics.docx" while logged into your user account.

When you delete a document or send it to the recycle bin on newer Windows operating systems, the file is not actually deleted. The first letter of the file name is changed by the system and the FAT entry is voided to indicate that the file can be ignored. The document is still there in the same place, but it can no longer be seen because the computer is ignoring it.

Now you have a new document to save. Let's say you give the new document exactly the same name as the original. This forensics.docx is only two pages long and less than 600 words. The computer performs the same steps when you save it. However, it may not save the file in exactly the same place as the original. (Going back to the doctor's office example, the files would not have the same birth date and therefore may not be in the same location.)

If by chance the computer does save the file to the exact same location, the new document only overwrites part of the old document, because the new document is smaller and does not need as much space. This leaves the remaining 300+ words' worth of space that the original document used still visible to forensic software. This additional space is called "slack space" and is one of the first places a computer forensics examiner would look.

Now, let's consider one more possibility. You want to make sure the document is deleted and that no evidence remains that you created it. So instead of using the delete key on your keyboard, you open the document, highlight all 900 words and press the backspace key. Then you paste in some other words and save the document under the original name. The document has changed, those words are no longer there, and you think you've beaten the system. You haven't! Unless you replace all 900 words and 7100 characters, remnants of the old information will remain in your slack space.
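To the disk, the delete-then-resave case and the select-all, backspace, paste, save case look the same. The toy model below is an added illustration, not code from the original post; the cluster size, file names and file contents are constructed, and the allocator always reuses the lowest free cluster (the "by chance the same location" case). It shows the remnant a forensic tool would read back from the cluster:

```python
CLUSTER_SIZE = 8192  # assumption: 8 KiB clusters, enough to hold the 7100-char file

class ToyVolume:
    def __init__(self, num_clusters=4):
        self.disk = bytearray(CLUSTER_SIZE * num_clusters)
        self.directory = {}    # name -> (cluster, length) for live files only
        self.fat_used = set()  # clusters the FAT currently marks as allocated

    def save(self, name, data):
        """Write into the file's existing cluster, or the lowest free one.
        Only len(data) bytes are written, so whatever a longer earlier
        occupant left past that point survives inside the cluster."""
        assert len(data) <= CLUSTER_SIZE, "toy model: single-cluster files only"
        if name in self.directory:
            cluster = self.directory[name][0]
        else:
            cluster = min(c for c in range(len(self.disk) // CLUSTER_SIZE)
                          if c not in self.fat_used)
        start = cluster * CLUSTER_SIZE
        self.disk[start:start + len(data)] = data
        self.directory[name] = (cluster, len(data))
        self.fat_used.add(cluster)
        return cluster

    def delete(self, name):
        """FAT-style delete: entry removed, cluster freed, content untouched."""
        cluster, _ = self.directory.pop(name)
        self.fat_used.discard(cluster)

    def slack(self, name):
        """Bytes in the file's cluster past its logical end, i.e. what a
        forensic tool reads back as file slack (trailing zeros trimmed)."""
        cluster, length = self.directory[name]
        start = cluster * CLUSTER_SIZE
        return bytes(self.disk[start + length:start + CLUSTER_SIZE]).rstrip(b"\0")

def demo(delete_first=True):
    """Overwrite a long forensics.docx with a short one and return the slack.
    True = delete, then save a new file under the same name; False = open,
    select all, backspace, paste, save. Both leave the same remnant."""
    vol = ToyVolume()
    original = b"draft " * 1000 + b"END-OF-ORIGINAL"   # constructed 3-page file
    shorter = b"replacement text " * 30               # constructed 2-page file
    vol.save("forensics.docx", original)
    if delete_first:
        vol.delete("forensics.docx")                   # recycle bin / delete key
    vol.save("forensics.docx", shorter)                # lowest free cluster: same one
    return vol.slack("forensics.docx")
```

Real file systems add multi-cluster files, journaling and different allocation policies, but the tail of the old file surviving past the new file's end is exactly the slack the examiner reads.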

Then there is also the possibility that at some point your computer shut down while you were working on the document, and an auto-save copy exists on the hard drive that you didn't know about. If you printed it, the copy of the file that was spooled for printing is still on the hard drive. Your best option -- don't save incriminating documents on your hard drive in the first place. Electronic evidence is often harder to dispute in a court of law than physical evidence.