Quantifying Windows File Slack in Size and Stability

M. Mulazzani, S. Neuner, S. Schrittwieser, E. Weippl, P. Kieseberg, M. Huber:
"Quantifying Windows File Slack in Size and Stability";
in: "Advances in Digital Forensics IX", Springer, 1, 2013, ISBN: 978-3-642-41147-2.

In digital forensics, different forms of slack space can be used to hide
information from either the operating system or other users, or both.
While some forms are easily detectable, others are very subtle and require
an experienced forensic investigator to discover the hidden information.
The exact amount of information that can be hidden varies
with the form of slack space used, as well as environmental parameters
such as file system block size or partition alignment. While some slack
space methods can be used to hide arbitrary amounts of information,
file slack has tighter constraints and was thought to be rather limited
in space.
In this paper we evaluate how much file slack space modern operating
systems offer by default and how stable it is over time, with special
regard to system updates. In particular, we measure the file slack
for 18 different versions of Microsoft Windows using NTFS. We show
that many operating system files are rather static with respect to system
updates, change little on disk during updates, and are
thus highly suitable for hiding information. We furthermore introduce
a model for investigators to estimate the total amount of data that can
be hidden in file slack for file systems of arbitrary size.