Computer Data Forensics Drive Slack and Format - PowerPoint PPT Presentation

About This Presentation
Title:

Computer Data Forensics Drive Slack and Format

Description:

Computer Data Forensics Drive Slack and Format Lab 2 Concept Joe Cleetus Concurrent Engineering Research Center, Lane Dept of Computer Science and Engineering, WVU – PowerPoint PPT presentation

Slides: 18
Provided by: cor16

Transcript and Presenter's Notes

1
Computer Data Forensics: Drive Slack and Format
Lab 2 Concept
  • Joe Cleetus
  • Concurrent Engineering Research Center,
  • Lane Dept of Computer Science and Engineering, WVU

2
Slack Definition
  • The amount of disk space that is wasted by having
    a large cluster size.
  • For example, if a 300-byte file is stored on a
    disk with a cluster size of 1,024 bytes, there
    will be 724 bytes of slack space that can't be
    used for any other files.
  • You can see how much space is allocated to a file
    by typing "DIR /v" at the command prompt.

Cluster size: the smallest amount of hard disk
space a file can occupy. Floppies have a cluster
size of 512 bytes, and hard disks can have a
cluster size ranging from 1 kilobyte to 16/32/64
kilobytes (sometimes even more). The larger the
partition, the larger the cluster size.
3
RAM Slack
  • Clusters are made up of sectors
  • For example, if a 300-byte file is stored on a
    disk and the file size is not an exact multiple
    of the sector size, the last sector is padded with
    bytes from memory, called RAM slack
  • RAM slack can contain any information in memory
    that may have been created, viewed, modified,
    downloaded or copied during work sessions
  • RAM slack occurs only in the sector of a file
    immediately after the last file character.
  • RAM slack is produced because the disk is
    written from a 512-byte memory buffer

4
Drive Slack
  • Drive slack occurs, in addition to RAM slack,
    when a file is recorded, if the padding required
    extends to more than one sector
  • Then the sector containing the last character of
    the file, from that character up to the end of
    the sector, is entirely RAM slack
  • And the following padding sector(s) contain DRIVE
    slack
  • Drive slack consists of whatever those extra
    sectors contained on the disk prior to being
    written with this file
  • Hence drive slack may have pieces of previously
    deleted files, or the format padding characters
    (if the sectors were unused since formatting)

5
Drive Slack example
  • Assume a 2-sector cluster size and a file is
    written with the characters Hello
  • Then the data on disk looks as follows:
  • Hello------------------------
    (EOF)
  • RAM slack is indicated by "" and drive slack is
    indicated by "-"
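As an added example (not part of the slides), the following Python models slides 2 to 5: the slack of a file split into RAM slack bytes and whole drive-slack sectors, and the write of Hello into a two-sector cluster. The 512-byte buffer content ("R"), the old on-disk content ("-") and the function names are constructed for this illustration.

```python
SECTOR = 512  # size of the memory buffer the disk is written from (slide 3)


def slack_layout(file_size, sectors_per_cluster, sector=SECTOR):
    """Split the slack of a file into RAM slack bytes and whole drive-slack sectors.

    Returns (allocated_bytes, total_slack, ram_slack_bytes, drive_slack_sectors).
    """
    cluster = sector * sectors_per_cluster
    clusters = max(1, -(-file_size // cluster))   # ceiling division, at least one cluster
    allocated = clusters * cluster
    total_slack = allocated - file_size
    ram_slack = (-file_size) % sector             # tail of the sector holding the last byte
    drive_slack_sectors = (total_slack - ram_slack) // sector
    return allocated, total_slack, ram_slack, drive_slack_sectors


def write_cluster(old_cluster, data, ram_buffer, sector=SECTOR):
    """Simulate writing `data` into a cluster that previously held `old_cluster`.

    Full sectors come from the file. The last partial sector is flushed from the
    512-byte memory buffer, so its tail (RAM slack) is whatever the buffer held.
    Remaining sectors (drive slack) keep their old on-disk content untouched.
    """
    assert len(ram_buffer) == sector and len(data) <= len(old_cluster)
    out = bytearray(old_cluster)
    full = len(data) // sector
    out[:full * sector] = data[:full * sector]
    rest = data[full * sector:]
    if rest:                                      # partial last sector
        start = full * sector
        out[start:start + sector] = rest + ram_buffer[len(rest):]
    return bytes(out)


if __name__ == "__main__":
    # Slide 2: 300-byte file, 1,024-byte (2-sector) cluster -> 724 bytes of slack,
    # of which 212 bytes are RAM slack and one whole sector is drive slack.
    print(slack_layout(300, 2))
    # Slide 5: "Hello" in a 2-sector cluster; constructed buffer "R", old disk "-".
    disk = write_cluster(b"-" * 1024, b"Hello", b"R" * 512)
    print(disk[:16], "...", disk[500:520])
```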

6
Slack Persists
  • File slack is created when the data is written to
    disk
  • When the file is deleted by normal OS utilities
    the data remains intact
  • But the space it occupied is deallocated from the
    FAT
  • The data remains intact until that space is
    allocated to, and overwritten by, another file
  • So too the slack contained in the last cluster
    (RAM and drive slack) of the deleted file remains

7
Significance of Slack
  • File slack contains random data dumped from
    memory
  • Hence it may have passwords, logon names, phone
    numbers, and other sensitive information
  • Slack can have traces that indicate past uses to
    which the computer has been put
  • Slack could be large (hundreds of MB), but it
    deserves a thorough analysis
  • Fragments of e-mail, word processor text, etc.
    can show up

Slack, an artifact of the OS file system, is a
godsend to forensic investigators
8
References
  • File slack, RAM slack and drive slack defined
  • http://www.forensics-intl.com/def6.html
  • http://www.whitecanyon.com/library_understanding_terms.htm

9
Slack Example of a Document
(Diagram: copies of the document's data, from the
beginning of file to the end of file, in Temp 1, the
SWAP file, the Timed Backup, the Document itself, the
Printer file and Temp 2, each followed by its own
Slack.)
10
Slack Example of a Document
11
Slack Notes
  • For a single document there are many places it may
    be found
  • Judges think you have only one piece of evidence.
    Wrong!
  • If you even take a floppy from a classified
    computer and print it on another, the print
    spooling file contains the data.

12
Format
  • Quick Format vs Complete Format
  • Quick Format is the high-level format. A high-level
    format is non-destructive, because it leaves data
    untouched but frees all the clusters in the FAT
    table. It logically creates disk space, i.e., it
    creates a Boot Record, FAT table and Root
    Directory.
  • e.g.
  • FORMAT C: is non-destructive; in the FAT all
    clusters are shown as unused, so all pointers are
    reset, and the root directory is cleared.
  • FORMAT A: /Q is also high level
  • Complete Format is the low-level format. A
    low-level format destroys data by writing a pattern
    all through the sectors of the clusters. It
    physically creates sectors and tracks.
  • e.g.
  • FORMAT A: /U low-level format (/U = unconditional)
  • On a HD, low-level formatting is done at the
    factory. There are non-DOS utilities that write
    only sector IDs to make them readable.
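An added Python model (not from the slides) of the difference slide 12 describes: a quick format rebuilds the FAT and root directory but leaves cluster data in place, so a raw sector search still finds the file, whereas a complete format overwrites every sector with a pattern first. The volume layout, the 0xF6 fill byte, the class and method names are assumptions made for this illustration.

```python
SECTOR = 512
SECTORS_PER_CLUSTER = 2
CLUSTERS = 8


class ToyVolume:
    """Constructed minimal FAT-style volume: one FAT entry per cluster, a root
    directory mapping name -> (first cluster, size), and raw cluster data.
    Files are limited to a single cluster to keep the model short."""

    def __init__(self, fill=0xF6):
        self.cluster_size = SECTOR * SECTORS_PER_CLUSTER
        self.fat = [0] * CLUSTERS             # 0 = free, 0xFFF = end of chain
        self.root = {}
        # Assumed factory fill pattern covering every sector before first use.
        self.data = bytearray(bytes([fill]) * self.cluster_size * CLUSTERS)

    def write_file(self, name, content):
        """Allocate the first free cluster, store the data and register the file."""
        assert len(content) <= self.cluster_size
        first = self.fat.index(0)
        off = first * self.cluster_size
        self.data[off:off + len(content)] = content
        self.fat[first] = 0xFFF
        self.root[name] = (first, len(content))

    def quick_format(self):
        """High-level format: fresh FAT and root directory, cluster data untouched."""
        self.fat = [0] * CLUSTERS
        self.root = {}

    def full_format(self, pattern=0xF6):
        """Destructive format: rewrite every sector with a pattern, then quick_format."""
        self.data[:] = bytes([pattern]) * len(self.data)
        self.quick_format()

    def carve(self, needle):
        """Investigator's raw search over all sectors, ignoring FAT and directory.
        Returns the byte offset of the first hit, or -1 if nothing survives."""
        return self.data.find(needle)


if __name__ == "__main__":
    v = ToyVolume()
    v.write_file("note.txt", b"Hello")
    v.quick_format()
    print("after quick format:", v.root, "carve ->", v.carve(b"Hello"))
    v.full_format()
    print("after full format: carve ->", v.carve(b"Hello"))
```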

13
Utility for Lab 2
  • Diskedit
  • NTI GETSLACK
  • Function: write the contents of slack space on a
    drive to a file.
  • Platform: MS-DOS, Windows 3.x, Windows 9x
    (console mode)
  • Invocation:
  • To estimate the output file space needed:
    GETSLACK drive: drive: ...
  • To write free space to an output file:
    GETSLACK filename drive: drive: ...
  • More than one drive may be specified.
  • In addition, /f may be specified anywhere on the
    command line to filter non-printable values from
    the output, and /l may be specified anywhere on
    the command line to limit the size of the output
    file from the default size of 2.1 GB (i.e.
    /lxxx would set the size to any size less than
    2.1 GB).

14
Utility for Lab 2
  • NTI TXTSRCHP
  • TextSearch Plus is compatible with FAT 12, FAT
    16 and FAT 32 systems. The program also
    identifies graphic files (potential steganography)
    and performs text search of files, file slack,
    unallocated space and physical sectors. This
    program has been validated by and is used by
    numerous Fortune 500 corporations, all of the Big
    5 accounting firms and several government
    agencies that deal with classified data.

15
Utility for Lab 2
  • NTI FILTER_I
  •  
  • It is used to aid in the identification of ASCII
    text, word combinations, passwords, network
    logons and English language text strings. Such
    identification is made from ambient data, i.e.
    data found in Windows swap files and files
    created from file slack and unallocated space.
    This program is primarily used to identify
    unknowns and thus aid in the creation of
    keyword lists for use with forensic text search
    programs. The program is also ideal for
    identification of security risks and corporate
    policy violations.

16
Utility for Lab 2
  • NTI FILTER_I (continued)
  • FILTER (Option 1)
  • This option is used to filter a specific file
    and to replace all occurrences of non-ASCII data
    with spaces. When this option is used the
    resulting file remains the same as the original.
  • FILTER (Option 2)
  • This option is used to filter a specific file
    and to replace all occurrences of non-ASCII data
    with one space per group of non-ASCII data. When
    this option is used the resulting file is smaller
    than the original.

17
Utility for Lab 2
  • NTI FILTER_I (continued)
  • GRAMMAR (Option 3)
  • This option relies upon a predefined listing of
    common English words that are embedded into the
    program. This feature can be useful in the
    identification of data that may contain fragments
    of e-mail messages or word processing documents.
    This option normally results in a smaller output
    file when compared with the output of the first
    and second options.
  • INTEL (Option 4)
  • This option relies upon a fuzzy logic technique
    to identify English Language patterns. This
    feature can be useful in the identification of
    data that may contain the logon or password of
    the computer user involved. This option normally
    results in a smaller output file when compared
    with the output of the first option.
  • NAMES (Option 5)
  • This option was created at the request of the
    Royal Canadian Mounted Police. The option is used
    to identify names of individuals listed in
    computer data. Many times criminal associates are
    involved but their existence or identity is
    unknown to law enforcement. When this feature is
    used, it sifts through huge files and identifies
    individuals who may be associated with the user
    of the computer. The output from this option
    normally results in a smaller output file when
    compared with the output of the first option.
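An added Python approximation (not the NTI program itself) of what FILTER_I options 1 to 3 and GETSLACK's /f switch are described as doing on slides 13, 16 and 17: replace non-ASCII bytes with spaces while keeping the size, collapse each run of them to one space, and keep only fragments that contain common English words. The definition of "ASCII text", the tiny word list and the sample slack bytes are constructed for this example.

```python
import re

# Assumption: "ASCII text" means printable 7-bit characters plus tab, LF and CR.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
NON_ASCII_RUN = re.compile(rb"[^\x09\x0a\x0d\x20-\x7e]+")

# Constructed stand-in for the common-word list embedded in the real program.
COMMON_WORDS = {"the", "and", "to", "of", "is", "at", "you", "meeting", "please"}


def filter_option1(data: bytes) -> bytes:
    """Option 1: every non-ASCII byte becomes one space; output length == input length."""
    return bytes(b if b in PRINTABLE else 0x20 for b in data)


def filter_option2(data: bytes) -> bytes:
    """Option 2: each run of non-ASCII bytes becomes a single space; output is shorter."""
    return NON_ASCII_RUN.sub(b" ", data)


def grammar_option3(data: bytes) -> list:
    """Option 3 analogue: keep only printable fragments containing a common English word,
    which is why its output is smaller again than options 1 and 2."""
    kept = []
    for frag in re.findall(rb"[\x20-\x7e]+", data):
        words = {w.lower() for w in re.findall(r"[A-Za-z']+", frag.decode("ascii"))}
        if words & COMMON_WORDS:
            kept.append(frag.strip())
    return kept


# Constructed sample: bytes as they might be read from file slack (not real evidence).
SAMPLE_SLACK = (b"\x00\x00logon=\xff\xfejdoe\x00\x00\x8f"
                b"the meeting is at 9\x00\x01\x02xq7z\x00")

if __name__ == "__main__":
    print(len(SAMPLE_SLACK), filter_option1(SAMPLE_SLACK))
    print(len(filter_option2(SAMPLE_SLACK)), filter_option2(SAMPLE_SLACK))
    print(grammar_option3(SAMPLE_SLACK))
```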