Sunday, March 18, 2012

SLACK SPACE FOR FORENSIC BASICS

Before starting a computer forensics session there are some things you need to understand, and one of them is the file system. Why? Because computer forensics cannot be separated from the file system, and the file system is located on the hard drive (storage device). When talking about hard drives (storage devices) we often hear the term slack space. What is the meaning of "SLACK SPACE"?

SLACK SPACE is the unused space between the end of the actual file and the end of the defined data unit (cluster), or a remnant of data that exists within a sector of data that has been overwritten. Specifically, slack space is the area of the sector that was not fully overwritten by a recent write to disk. Put another way, each file always starts at the beginning of a cluster, because this simplifies organization and makes it easier to grow files. Any space left over between the last byte of the file and the first byte of the next cluster is a form of internal fragmentation called file slack, slack space, or cluster overhang. For example, if you wrote 3K of data to a 64K sector, the remaining 61K of data would not be reused. Instead, this unused sector space would still contain whatever data was written to it previously.
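The 3K-in-64K case above, worked through as an added example that is not part of the original post: it builds a small in-memory "disk", stores an older 60K file, reuses the same 64K unit for a 3K file, and then reads back the slack the way an examiner would. The function names, the sample record and the simplified write model (a write touches only the file's own bytes) are assumptions made for illustration.

```python
CLUSTER_SIZE = 64 * 1024  # 64K allocation unit, as in the example in the text


def slack_bytes(file_size, cluster_size=CLUSTER_SIZE):
    """Bytes left between the end of the file and the end of its last cluster."""
    if file_size == 0:
        return 0  # an empty file occupies no cluster, so it has no slack
    remainder = file_size % cluster_size
    return 0 if remainder == 0 else cluster_size - remainder


def write_file(image, first_cluster, data, cluster_size=CLUSTER_SIZE):
    """Store data at a cluster boundary; bytes past len(data) are left untouched."""
    start = first_cluster * cluster_size
    image[start:start + len(data)] = data


def extract_slack(image, first_cluster, file_size, cluster_size=CLUSTER_SIZE):
    """Return the region from the logical end of file to the end of its last cluster."""
    end_of_file = first_cluster * cluster_size + file_size
    return bytes(image[end_of_file:end_of_file + slack_bytes(file_size, cluster_size)])


def demo():
    image = bytearray(2 * CLUSTER_SIZE)  # constructed two-cluster disk image

    # Older file: 60K of a constructed sample record, later "deleted".
    old_file = (b"OLD-RECORD: account=alice;" * 4000)[:60 * 1024]
    write_file(image, 0, old_file)

    # New 3K file reuses the same cluster; only its own 3K is overwritten.
    new_file = b"N" * (3 * 1024)
    write_file(image, 0, new_file)

    return extract_slack(image, 0, len(new_file))


if __name__ == "__main__":
    slack = demo()
    print("slack size:", len(slack), "bytes")
    print("old data still present:", b"account=alice" in slack)
    print("first bytes of slack:", slack[:40])
```
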

So "Slack space is a very important source of evidence in computer forensic investigation" 
