Quantifying Windows File Slack Size and Stability

In digital forensics, different forms of slack space can be used to hide information from either the operating system or other users, or both. While some forms are easily detectable others are very subtle, and require an experienced forensic investigator to discover the hidden information. The exact amount of information that can be hidden varies with the form of slack space used, as well as environmental parameters like file system block size or partition alignment. While some methods for slack space can be used to hide arbitrary amounts of information, file slack has tighter constraints and was thought to be rather limited in space. In this paper we evaluate how much file slack space modern operating systems offer by default and how stable it is over time with special regards to system updates. In particular we measure the file slack for 18 different versions of Microsoft Windows using NTFS. We show that many files of the operating systems are rather static regarding system updates and do not change much on disk during updates, and are thus highly suitable for hiding information. We furthermore introduce a model for investigators to estimate the total amount of data that can be hidden in file slack for file systems of arbitrary size.