Slack space data
Subversive Technologies & Countermeasures
A file system stores files in fixed-size containers known as blocks on Linux/Unix systems and clusters on Windows systems. These containers are the smallest units of space the file system allocates; a file occupies one or more blocks/clusters, as many as its size requires. When data is stored in a container, one of two mutually exclusive conditions holds: the container is completely full, or it is only partially full. A completely full container is the best case for the file system. If the container is only partially full, the area between the end of the file and the end of the container is referred to as slack space.
Dealing with slack space
Using a 4K block/cluster as an example, creating a 1k file leaves 3k of slack space. Classically that slack contains whatever data existed at that location before the file was created. Which bytes actually survive depends on the file system: NTFS zero-fills only the rest of the last 512-byte sector written (the remaining sectors of the cluster keep their old contents), while the Linux ext2/3/4 file systems write zeros over the whole remainder of the final block, so on those the slack of a freshly written file normally reads as zeros.
Single 4K block/cluster
| 1k file | 3k slack space |
|---|
On most file systems a block/cluster belongs to exactly one file, so two files never share one. File systems that pack small files or file tails together (tail packing, as ReiserFS does) are the exception; there several files can sit inside a single block/cluster and still leave slack space.
Single 4K block/cluster
| 1k file | 1k file | 2k slack space |
|---|
If a 4K block/cluster contained a file of equal size then there would be no remaining slack space.
Single 4K block/cluster
| 4k file |
|---|
Where tail packing is used, multiple files could also exist inside a single block/cluster and leave no slack space.
Single 4K block/cluster
| 1k file | 1k file | 2k file |
|---|
More often than not, when a file uses more than one contiguous block/cluster the final container will have slack space.
Two contiguous 4K blocks/clusters
| 6k file | 2k slack space |
|---|
Can I just get rid of slack space? No. It is inherent in how file systems work: data comes in arbitrary sizes and will never fit neatly into fixed-size containers. A smaller block/cluster size reduces the average amount of slack per file (at the cost of more metadata and fragmentation), and slack can be wiped, but it cannot be eliminated.
Slack space is not free space. Free space consists of unallocated blocks/clusters, marked as available in the file system's allocation records (the file allocation table on FAT, the allocation bitmap on NTFS and ext2). Slack space sits inside blocks/clusters the file system already considers in use, and the file system will only ever write to it by growing the file that occupies that block/cluster.
Slack space could be used to hide data or tools.
Recovering data from slack space
If the data that used to occupy a block/cluster is replaced by a file smaller than the block/cluster, the trailing bytes of the old data can remain intact (subject to the zero-filling behaviour noted above). These leftover bytes are recovered with software that reads the entire block/cluster from the raw device, since a read through the file system stops at the end of the file.
Storing data in slack space
Slack space can be used to store data stealthily, without the underlying file system knowing about it. If one makes a small file, the rest of the block/cluster can be used to store hidden data. That data is invisible through the file system and remains intact as long as the file is not grown, truncated or deleted; note that copying the file does not carry the slack along, because the copy reads only the file's logical contents. Creating new files just to obtain slack space is not the most stealthy way to hide data, since the new files themselves can draw attention; pre-existing files that already have slack are better carriers.
Some pre-existing files that typically yield a lot of slack space:
- Temporary files: not the most stable, but usually plentiful, small and short-lived.
- Browser caches and profiles usually contain large numbers of small files.
A contiguously allocated file only leaves slack in its final block/cluster, which will most likely not be filled exactly to the block/cluster boundary. Fragmentation does not change this: however many non-contiguous runs a file occupies, only its last block/cluster carries slack, so the slack a file offers is determined by its size modulo the block/cluster size, not by its layout on disk.
An alternative way to hide data inside the file system on Windows is NTFS alternate data streams.
Cleaning slack space
- On a Windows system there are many programs that advertise wiping slack space in real time as files are deleted.
- On a Linux system a simple method for a single file is to extend it with zeros from dd if=/dev/zero up to the next block boundary and then truncate it back to its original size (truncate -s); for a whole partition, zeroing the device (dd if=/dev/zero of=<partition>) before it is formatted removes old slack contents along with everything else on it. Note that dd if=/dev/zero of=<file> without a count does not wipe the file's slack; it keeps writing until the file system is full.
- bmap is a Linux tool that can insert data into, extract data from, or wipe the slack space of a file.
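The mechanics described in the three sections above (the slack arithmetic, carving what an earlier file left behind, hiding a payload past EOF, the payload being clobbered when the file grows, and zero-wiping), as an added example that is not code from this page or from bmap. It uses a bytearray as a stand-in for a raw volume, with block numbers passed in explicitly instead of being read from a file table, and assumes the classic allocator behaviour in which a partial last block is written only up to EOF (as noted above, modern file systems zero some or all of that tail). The Volume class, demo and the UNIX flag are the example's own names; slack_of_path is a real check against a file on the local file system via os.stat (st_blocks is in 512-byte units) and os.statvfs, and is Unix only.

```python
"""Slack space on a simulated raw volume: arithmetic, carving, hiding, wiping.

Added example for this page, not code from the page or from bmap. A bytearray
stands in for a raw block device and block numbers are passed in explicitly
instead of being read from a file table. Assumed: a partial last block is
written only up to EOF, so earlier data survives as slack (modern file
systems zero-fill some or all of that tail; a real volume may show zeros).
"""
import os
import tempfile

UNIX = hasattr(os, "statvfs")  # slack_of_path/real_file_slack need Unix stat fields


def slack_bytes(file_size: int, block_size: int) -> int:
    """Bytes between EOF and the end of the file's last block/cluster."""
    return (-file_size) % block_size


class Volume:
    """n_blocks blocks of block_size bytes, pre-filled with one byte value."""

    def __init__(self, block_size: int, n_blocks: int, fill: int = 0):
        self.block_size = block_size
        self.data = bytearray(bytes([fill]) * (block_size * n_blocks))

    def _eof(self, first_block: int, size: int) -> int:
        return first_block * self.block_size + size

    def write_file(self, first_block: int, content: bytes) -> None:
        """Store content contiguously; the rest of the last block is left untouched."""
        start = first_block * self.block_size
        if start + len(content) > len(self.data):
            raise ValueError("file does not fit on volume")
        self.data[start:start + len(content)] = content

    def read_file(self, first_block: int, size: int) -> bytes:
        """What the file system returns: exactly size bytes, never the slack."""
        return bytes(self.data[first_block * self.block_size:self._eof(first_block, size)])

    def read_slack(self, first_block: int, size: int) -> bytes:
        """Forensic read: the tail of the last block past EOF."""
        eof = self._eof(first_block, size)
        return bytes(self.data[eof:eof + slack_bytes(size, self.block_size)])

    def write_slack(self, first_block: int, size: int, payload: bytes) -> None:
        """Hide payload after EOF; it has to fit in this file's slack."""
        room = slack_bytes(size, self.block_size)
        if len(payload) > room:
            raise ValueError(f"payload is {len(payload)} bytes, slack is {room}")
        eof = self._eof(first_block, size)
        self.data[eof:eof + len(payload)] = payload

    def wipe_slack(self, first_block: int, size: int) -> None:
        """Zero the slack, as a slack-wiping tool would."""
        eof = self._eof(first_block, size)
        room = slack_bytes(size, self.block_size)
        self.data[eof:eof + room] = bytes(room)


def slack_of_path(path: str) -> int:
    """Slack of a real file: allocated bytes (st_blocks counts 512-byte units)
    minus logical size. Negative means the file is sparse. Unix only."""
    st = os.stat(path)
    return st.st_blocks * 512 - st.st_size


def real_file_slack(size: int = 1000) -> tuple:
    """Write a size-byte temp file and report (fs block size, its slack)."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"x" * size)
        os.fsync(fd)
    finally:
        os.close(fd)
    try:
        return os.statvfs(path).f_frsize, slack_of_path(path)
    finally:
        os.unlink(path)


def demo() -> dict:
    """The page's 6k-file-in-two-4K-blocks case, on constructed data."""
    bs, size = 4096, 6 * 1024
    vol = Volume(bs, 4, fill=ord("O"))      # "O": data left behind by an earlier file
    vol.write_file(0, b"N" * size)          # block 0 full, block 1 holds 2k + 2k slack
    out = {"slack": slack_bytes(size, bs),            # 2048
           "leftover": vol.read_slack(0, size)[:8]}   # b"OOOOOOOO": old data survives
    secret = b"hidden payload"
    vol.write_slack(0, size, secret)
    out["fs_view_has_secret"] = secret in vol.read_file(0, size)  # False
    out["carved"] = vol.read_slack(0, size)[:len(secret)]         # the payload
    vol.write_file(0, b"N" * (size + 1))    # growing the file by one byte clobbers it
    out["after_growth"] = vol.read_slack(0, size + 1)[:len(secret) - 1]  # b"idden payload"
    vol.wipe_slack(0, size + 1)
    out["after_wipe"] = vol.read_slack(0, size + 1)   # 2047 zero bytes
    return out
```

Against a real volume the counterpart of read_slack is a raw read of the file's final block/cluster from the device (dd with bs= set to the block size and skip= set to the block number, or bmap's slack mode), after mapping the file to its physical blocks, for example with filefrag -v on ext file systems. The read_file/read_slack pair makes the central point concrete: the same bytes are on disk either way, and only the raw read returns the ones past EOF.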
File Systems
Different file systems choose a default block/cluster size using factors such as the size of the volume and how the file system is to be used; the larger the block/cluster, the more slack each file can leave.
Linux block sizes
- The ext2 file system uses block sizes of 1024, 2048 or 4096 bytes; mkfs picks the default from the size of the file system being created.
Windows cluster sizes
The following table shows the default values that Windows XP uses for NTFS formatting:
Drive size (logical volume)    Cluster size          Sectors
----------------------------------------------------------
512 MB or less                 512 bytes             1
513 MB - 1,024 MB (1 GB)       1,024 bytes (1 KB)    2
1,025 MB - 2,048 MB (2 GB)     2,048 bytes (2 KB)    4
2,049 MB and larger            4,096 bytes (4 KB)    8
The FAT file system uses the following cluster sizes. These sizes apply to any operating system that supports FAT:
Drive size (logical volume)    FAT type    Sectors    Cluster size
-----------------------------------------------------------------------
15 MB or less                  12-bit      8          4 KB
16 MB - 127 MB                 16-bit      4          2 KB
128 MB - 255 MB                16-bit      8          4 KB
256 MB - 511 MB                16-bit      16         8 KB
512 MB - 1,023 MB              16-bit      32         16 KB
1,024 MB - 2,048 MB            16-bit      64         32 KB
2,048 MB - 4,096 MB            16-bit      128        64 KB
*4,096 MB - 8,192 MB           16-bit      256        128 KB     Windows NT 4.0 only
*8,192 MB - 16,384 MB          16-bit      512        256 KB     Windows NT 4.0 only
The following is a table of logical drive sizes, FAT (File Allocation Table) types, and cluster sizes for floppy disks:
Drive Size (logical volume)    FAT Type    Sectors Per Cluster    Cluster Size
----------------------------   --------    -------------------    ------------
360K                           12-bit      2                      1K
720K                           12-bit      2                      1K
1.2 MB                         12-bit      1                      512 bytes
1.44 MB                        12-bit      1                      512 bytes
2.88 MB                        12-bit      2                      1K