Skip to Main content Skip to Navigation
Conference papers

Quantifying Windows File Slack Size and Stability

Abstract : Slack space can be used to hide data from the operating system and other users. While some forms of data hiding are easily detectable, others are subtle and require an experienced forensic practitioner to discover the hidden data. The amount of data that can be hidden varies with the type of slack space and environmental parameters such as filesystem block size and partition alignment. This paper evaluates the amount of file slack space available in Windows systems and the stability of slack space over time with respect to system updates. Measurements of the file slack for eighteen versions of Microsoft Windows with the NTFS filesystem reveal that many of the files change very little during system updates and are, thus, highly suitable for hiding data. A model is presented for estimating the amount of data that can be hidden in the file slack space of Windows filesystems of arbitrary size.
Document type :
Conference papers
Complete list of metadata

Cited literature [12 references]  Display  Hide  Download
Contributor : Hal Ifip Connect in order to contact the contributor
Submitted on : Tuesday, February 7, 2017 - 5:25:48 PM
Last modification on : Wednesday, October 13, 2021 - 7:58:04 PM
Long-term archiving on: : Monday, May 8, 2017 - 2:56:45 PM


Files produced by the author(s)


Distributed under a Creative Commons Attribution 4.0 International License



Martin Mulazzani, Sebastian Neuner, Peter Kieseberg, Markus Huber, Sebastian Schrittwieser, et al.. Quantifying Windows File Slack Size and Stability. 9th International Conference on Digital Forensics (DF), Jan 2013, Orlando, FL, United States. pp.183-193, ⟨10.1007/978-3-642-41148-9_13⟩. ⟨hal-01460605⟩



Record views


Files downloads