Slack Space

Slack space can exist when a file's size is not a multiple of the file system's cluster size. As a little refresher, a sector is the smallest amount of data that a hard drive can read or write at once; in many cases, this is 512 bytes. A cluster, which can be made up of multiple sectors, is the unit of disk space allocation, and each file is allocated one or more clusters. In the diagram below, each cluster has four sectors; if each sector is 512 bytes, then each cluster is 2048 bytes in size. The file system will only allocate full clusters to files, even if the file will not use the entire cluster. The space at the end of the last cluster that is allocated to the file but not used by it is known as slack space or file slack.

Diagram of Slack Space

In the figure above, the gray area represents a file that is 2700 bytes in length. Since the file system cannot give the file half a cluster, it has allocated two full clusters to the file, for a total of 4096 bytes, even though the file is much smaller than that. This means that eight sectors have been given to the file; sectors 1-5 have been used completely, sector 6 has been used partially, and sectors 7 and 8 are not used by the file at all. This means that part of sector 6 and all of sectors 7 and 8 are slack space, and potentially useful to an investigator.

However, the unused portion of sector 6 is a different type of slack space than sectors 7 and 8. As mentioned earlier, a sector is the smallest amount of data that a hard drive can read or write. Even though the file only uses 140 bytes of sector 6, the hard drive cannot just write those first 140 bytes; it must write data to the complete 512 bytes. It is up to the operating system to decide what to write to the remaining bytes in the sector. Most OSes write zeros to the remaining bytes, but some older OSes wrote data from memory in the unused bytes, which could potentially contain passwords or other interesting bits of data.

Depending on the OS, sectors 7 and 8 may be wiped or overwritten in a similar fashion to sector 6, or they may be left untouched when the file is written, since the drive never needs to write to them at all. If they are left untouched, these sectors will still contain data from whatever file was previously allocated those clusters.

It should be noted that both these types of slack space are technically allocated by the file system, just not used. Therefore, if an investigator were to simply search all the unallocated space on a drive, he or she could potentially miss valuable evidence if it resided inside the slack space at the end of allocated files.
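The two kinds of slack described above can be computed directly from the geometry. The following Python is an added example, not code from the original post: it works out the allocated size, the unused tail of the last written sector, and the wholly unused sectors for a file of a given size, then carves those byte ranges out of a constructed two-cluster image to show that the untouched sectors still hold the previous file's contents. The 512-byte sectors, four-sector clusters and 2700-byte file are the post's figures; the image contents and the `ram_fill` stand-in for "whatever was in memory" are constructed.

```python
import math

SECTOR = 512              # bytes per sector, as in the post
SECTORS_PER_CLUSTER = 4   # cluster geometry from the post's diagram (2048-byte clusters)


def slack_layout(file_size, sector=SECTOR, spc=SECTORS_PER_CLUSTER):
    """Return (allocated_bytes, ram_slack, drive_slack) for a file of file_size bytes.

    Offsets are relative to the start of the file's first cluster; each slack entry is
    an (offset, length) pair, with length 0 when that kind of slack is absent.
    ram_slack   = unused tail of the last sector the file's data reaches into
    drive_slack = whole sectors in the last cluster that the file never touches
    """
    cluster = sector * spc
    allocated = math.ceil(file_size / cluster) * cluster
    ram_len = (-file_size) % sector          # 0 if the file ends exactly on a sector boundary
    drive_start = file_size + ram_len
    return allocated, (file_size, ram_len), (drive_start, allocated - drive_start)


def simulate_write(image, base, data, ram_fill=None, sector=SECTOR, spc=SECTORS_PER_CLUSTER):
    """Mimic an OS writing `data` into the clusters starting at byte `base` of `image`.

    Whole sectors are written, so the tail of the last touched sector is filled with zeros
    (modern behaviour) or with `ram_fill` (a constructed stand-in for the memory contents an
    older OS might have written). Sectors the file does not reach are never rewritten.
    """
    _, (ram_off, ram_len), _ = slack_layout(len(data), sector, spc)
    image[base:base + len(data)] = data
    fill = bytes(ram_len) if ram_fill is None else (ram_fill * ram_len)[:ram_len]
    image[base + ram_off:base + ram_off + ram_len] = fill


def carve_slack(image, base, file_size, sector=SECTOR, spc=SECTORS_PER_CLUSTER):
    """Return (ram_slack_bytes, drive_slack_bytes) for the file whose first cluster is at `base`."""
    _, (ram_off, ram_len), (drv_off, drv_len) = slack_layout(file_size, sector, spc)
    return (bytes(image[base + ram_off:base + ram_off + ram_len]),
            bytes(image[base + drv_off:base + drv_off + drv_len]))


def demo():
    # Constructed image: two clusters that previously held a file with a recognisable pattern.
    image = bytearray(b"OLDSECRET!" * 410)[:4096]
    new_file = b"A" * 2700                   # the 2700-byte file from the post's diagram
    simulate_write(image, 0, new_file)       # modern OS: zero-fills the rest of sector 6
    return carve_slack(image, 0, len(new_file))   # (372 zero bytes, 1024 bytes of old data)
```

An investigator's carving tool would apply `carve_slack` to every allocated file, using the size recorded in the file system's metadata, rather than only searching unallocated clusters.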

As a quick aside, this post is an excerpt from an independent study semester from my time in undergrad. It is rather dated by this point, but hopefully might still be useful to some.