Slack Space

Milwaukee private investigator explains slack space using bottlesSince computers store information into sectors, and groups of sectors called clusters, it is rare that a file will fit perfectly into the amount of space it is given. The excess space between the end of the file and the unfilled portion of the file's cluster is called slack space. Slack space is considered allocated space by your computer, but does not contain any information about the current file.

Think of several bottles filled to different levels. Each bottle represents a file cluster, and the contents represent file data. The empty space in the bottle above the fill level represents slack space.

When you delete a file from your hard drive, your operating system marks the clusters containing the file as unallocated. This unallocated space is what shows up as “free space” when you check your hard drive’s capacity. However, the contents of the file itself are left intact until a new file overwrites the cluster.

New files may not completely overwrite the old file’s information, which will remain written in the slack space of the cluster. Digital forensic examiners can use a technique called file carving to partially recover deleted file remnants, hoping to piece together the assorted bits and bytes from the slack space into pertinent evidence.


