Fragmentation (computing)#Internal fragmentation
Slack is the name for an offset, while saving block- oriented storage devices. He is not the same as not alloziertem or unalloziertem memory.
Slack can be divided into the following types:
File - Slack
The term File Slack (German file - offset) denotes that Slack, which is related to a particular file.
Block-oriented mass storage devices such as hard drives, etc., data set generally in 512-byte sectors from. The Microsoft file systems group while one or more sectors into clusters as the smallest writable data unit. The default cluster size of the New Technology File System depends on the partition size and is for partitions larger than 2 GB is generally 4096 bytes.
If a file of 1 byte size on an NTFS partition with a cluster size of 4096 bytes is stored in an extreme case, is the file on the hard disk, a whole cluster, ie the file has a File - Slack of 4095 bytes.
The term Ram Slack should really be called sector - Slack, as it describes the area from the end of a file to the end of the current sector. His name is Ram - Slack, because Microsoft operating systems have stored up to and including Windows 95A in this area random data from memory. In much of the literature on forensics is stated that this is still true for today's operating systems, it is, however, both by Brian Carrier, author of the frequently used in computer forensics SleuthKits, as well as by Steve Bunting, an experienced investigator, instructor and author some books on forensics, expressly denied.
Drive- Slack
The much more interesting part of the File Slack is the Drive- Slack. It is within sectors of the last cluster of a file that have not been described and is therefore not overwritten. In these areas, be removed with suitable tools plaintext data from fragments of previously existing files on the partition read, thus these areas receive in a forensic investigation special attention.
MFT Slack
Due to some peculiarities of the Microsoft NTFS file system, in which, for each directory entry 1024 bytes are reserved, but only 42 bytes are used for them, can remain still enough space in the last 982 bytes to store a small file there. If this file is deleted, the storage area is not overwritten and possibly may still contain residues that are worth analyzing.
Partition - Slack
Partition Slack is also an offset, which however does not come on hard drives when saving files, but when creating partitions. Partition Slack refers to the area from the end of a partition on a physical disk to the beginning of the next partition or end of the physical disk. If you already have other file systems were created on the disk before, then you can in these areas under favorable circumstances, remnants of old files are found, which may be in the forensic analysis of meaning.