You asked: How can slack space be used to hide data?

Can data be hidden in slack space?

Slack space can be used to hide data from the operating system and other users. While some forms of data hiding are easily detectable, others are subtle and require an experienced forensic practitioner to discover the hidden data.

What is slack space and how is it used to identify hidden or previously deleted evidence?

When the computer’s hard drive is brand new, the space in a sector that is not used – the slack space – is blank, but that changes as the computer gets used. When a file is deleted, the operating system doesn’t erase the file, it simply makes the sector the file occupied available for reallocation.

What can be found in slack space?

Slack space refers to the storage area of a hard drive ranging from the end of a stored file to the end of that file cluster. In typical hard drives, the computer stores files on the drive in clusters of a certain file size. For example, the file system on the hard drive may store data in clusters of four kilobytes.

Why is it crucial to look up for data located at the slack space?

IMPORTANT: Data stored within slack spaces could be used to recover your logins and passwords, parts of your files, communications (for example your instant messenger archives) and many other traces that could lead to more interesting information about you.

How do I see slack spaces?

The best way to start is to look at a Word document with a Hex Editor, and then find some kind of code at the very beginning of the file, which you will likely see on all word documents. Once you find such code, you will be able to search for this in the slack space.

What is data hiding in forensics?

Data hiding. Data hiding is the process of making data difficult to find while also keeping it accessible for future use. “Obfuscation and encryption of data give an adversary the ability to limit identification and collection of evidence by investigators while allowing access and use to themselves.”

What is the difference slack space and free space?

Unallocated space, also called free space, is defined as the unused portion of the hard drive; file slack is the unused space that is created between the end-of-file marker and the end of the hard drive cluster in which the file is stored.

Why is slack space a vulnerability?

5) Slack Space: A file system may not use an entire partition. The space after the end of the volume called volume slack that can be used to hide data. The space between Partitions is also vulnerable for hiding data, file slack space is another hidden storage.

Can slack space contain fragments of a previous file?

The balance is slack space and it could hold fragments of whatever was stored there before. Because it’s rare for files to be perfectly divisible by 4 kilobytes and many files stored are tiny, much drive space is lost to slack space.

What type of slack space deals with unused space between the end of the file system and the end of the partition where the file system resides?

Volume slack is the unused space between the end of file system and end of the partition where the file system resides.

What is allocated space?

Unallocated space, also referred to as “free space,” is the area on a hard drive where new files can be stored. Conversely, allocated space is the area on a hard drive where files already reside.