Quantifying Windows File Slack Size and Stability

Bibliographic Details
Published in Advances in Digital Forensics IX, pp. 183-193
Main Authors Mulazzani, Martin; Neuner, Sebastian; Kieseberg, Peter; Huber, Markus; Schrittwieser, Sebastian; Weippl, Edgar
Format Book Chapter
Language English
Published Berlin, Heidelberg: Springer Berlin Heidelberg, 2013
Series IFIP Advances in Information and Communication Technology
Summary: Slack space can be used to hide data from the operating system and other users. While some forms of data hiding are easily detectable, others are subtle and require an experienced forensic practitioner to discover the hidden data. The amount of data that can be hidden varies with the type of slack space and environmental parameters such as filesystem block size and partition alignment. This paper evaluates the amount of file slack space available in Windows systems and the stability of slack space over time with respect to system updates. Measurements of the file slack for eighteen versions of Microsoft Windows with the NTFS filesystem reveal that many of the files change very little during system updates and are, thus, highly suitable for hiding data. A model is presented for estimating the amount of data that can be hidden in the file slack space of Windows filesystems of arbitrary size.
ISBN: 3642411479, 9783642411472
ISSN: 1868-4238, 1868-422X
DOI: 10.1007/978-3-642-41148-9_13