Go to Top

Slack space, or the devil is in the details

When I told you in my previous email that the only way to successfully erase a file is to COMPLETELY overwrite it, I wasn’t just trying to be dramatic. A few months ago, my friend had mistakenly deleted some photos from her SD card, so I encouraged her to try out some data recovery software. She was very surprised to find not only the pictures that she’d deleted, but also some very old ones — including her parents’ holiday pictures from when they used the SD card with their own camera.

I mentioned before that when a file is deleted, the physical slot in which it is stored becomes free, and new data can be saved there. So it might be tempting to leave things to run their course and wait for the file to be overwritten by another. Don’t give in to that temptation — waiting is not enough. Here’s why:

  • It might take a lot of time — especially if your drive has a lot of storage
  • You will never have full certainty of where your data physically exists, so you won’t know if a sensitive file that you’ve deleted doesn’t still exist somewhere as a partial copy or a trace
  • If you’re planning to sell your used equipment or your company’s old machines, you won’t have time to wait until all sensitive data has been overwritten
  • Some sectors of your disc drive get damaged as you use them (their locations on the disk are mapped in a place called the G-list), and they become unwritable — as I mentioned before, the same principle goes for all flash memory drives. Naturally, you can’t overwrite data within an unwritable sector, but that doesn’t mean that you can’t read it — all you need is the right software
  • Waiting for your files to become naturally overwritten creates so-called slack spaces. According to the data recovery experts at Kroll Ontrack, almost 45% of data that can be read from a disk drive is data that exists within thoseslack spaces

What are slack spaces?

“The files on your hard drive are organised into clusters. Their sizes vary depending on the file system you use — for example, in NTFS clusters are usually 4kB. Each cluster can only belong to one file (but a file can utilise as many clusters as it needs). So if a file is 12kB, it will be stored in three clusters, and each of those clusters will be completely written with its data. If you then delete that file, and a new file of 9kB overwrites it, that file will also spread out over three clusters, but the third one of those will only have 1kB of its data overwritten. The remaining 3kB will create a slack space, which is a string of data from a previous file that hasn’t been overwritten and that still physically exists on the disc (and because the entire cluster is reserved for the new file, this data will not be overwritten for as long as this new file exists)”.

And so slack spaces create free disk space where traces of data about old user files continue to exist.

IMPORTANT: Data stored within slack spaces could be used to recover your logins and passwords, parts of your files, communications (for example your instant messenger archives) and many other traces that could lead to more interesting information about you. All it takes is a little know-how, some experience and the right tools (many of which are actually quite easy to use).

As you can see, it makes a lot of sense that the data security pros don’t just leave things be while crossing their fingers. Instead, they use their considerable arsenal of tools to take care of their data problems. Some of those tools are quite high calibre.

You’ll find out more about that next time.

See you soon!

P.S. As usual, any questions, doubts or comments about this series can be shared in the comment box below.

, , , , , , , , ,

Leave a Reply