Craig Ball Says That Unless it’s Proportional, Take Up the Slack: eDiscovery Best Practices

Or is it cut yourself some slack?  When it comes to slack space, Craig says it just may not be worth it to search much anymore.

In his latest post on his Ball in Your Court blog (Don’t Bet the Farm on Slack Space), Craig asks the question how often it makes sense to search slack nowadays. 

So, what is slack space and why should you care?  As Craig defines it (or reminds us if we already knew it):

“Slack space is the area between the end of a stored file and the end of its concluding cluster: the difference between a file’s logical and physical size. It’s wasted space from the standpoint of the computer’s file system, but it has forensic significance by virtue of its potential to hold remnants of data previously stored there.”  But, “[s]lack space is often confused with unallocated clusters or free space, terms describing areas of a drive not currently used for file storage (i.e., not allocated to a file) but which retain previously stored, deleted files.”

Data recovered (the process of which is known as “carving”) from unallocated clusters of free space can be quite large, potentially spanning thousands of clusters.  But, “data recovered from a stored file’s slack space can never be larger than one cluster minus one byte.”  Also, “unallocated clusters often retain a deleted file’s binary header signature serving to identify the file type and reveal the proper way to decode the data, whereas binary header signatures in slack space are typically overwritten.”

Craig also notes that slack space “can be a real mess” in that it can hold the remnants of multiple deleted files.  Not only that much of the data stored on media today is compressed in Zip-compressed XML formats.  And, “the parts of the Zip file required to decompress the snippet has likely been obliterated”.  Not to mention, the storage hardware drives “are routinely encrypted, and some encryption methods make it difficult or impossible to explore the contents of file slack.”

So, before an expert characterizes it as essential or a requesting party offers it as primary justification for an independent forensic examination, Craig said he would “urge the parties and the Court to weigh cost versus benefit; that is, undertake a proportionality analysis in the argot of electronic discovery.  Where searching slack space was once a go-to for forensic examination, it’s an also-ran now.”  In other words, “don’t bet the farm on finding the smoking gun.”

As usual, Craig raises an interesting point while educating his audience on why you should care about the issue in the first place.

So, what do you think?  Do you have many cases which call for forensic examination?  If so, are you finding useful evidence in slack space?   Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

5 comments

  1. Thanks for the shout out, Doug. Always a privilege to be picked up by your blog.

    I anticipated push back from examiners saying, “hogwash, data found in slack is still crucial evidence,” although I expected any anecdotal challenges would apply to old OS’es/machines or describe events from years ago. Yet, when I ran my observations by a group of forensics colleagues, they said they’d seen much the same phenomena re: file slack space. Slack’s cousin, unallocated clusters still yield a lot on electromagnetic drives; so, I hope no one misses the narrowness of my point. Digital forensics reveals more than ever before, just not via slack space search.

    Another clarification might be useful respecting encryption. The most common forms of full disk encryption aren’t a particular problem for slack data, so long as you have the credentials to decrypt. The existential peril to disk forensics is load leveling on solid state drives, which devices are finally displacing conventional spinning drives in a major way.

    Another nail in the coffin I didn’t discuss is the inexorable shift to Cloud storage and SaaS. If you’re not storing as much on a local disk, you’re not deleting as much data nor leaving as many artifacts in slack or unallocated space. It’s not a catastrophic loss, because often data caches on the disk; but we must shift our focus and temper expectations every year as computing returns to the primordial client-server model. Thanks again for letting me get my geek on here.

  2. Thank you, Craig! I’ll be interested to see if we get ant forensic examiners to comment here and I’ll certainly be looking to see what they have to say on your blog post as well!

  3. I actually cannot recall a matter during the course of 20 years at law firms in which any useful ESI was found in slack space. We used to collect it a lot. Not so much anymore, I think. Great commentary on a great post by Counselor Ball. I get asked a lot nowadays about solid state drives. Maybe you or Craig could do a deeper dive on this newer-ish storage medium?

  4. Great idea, Mike! We’re certainly seeing more and more of those as prices come down and, as Craig noted, they may eventually do away with slack space discovery altogether. Someday. Maybe.

  5. The paradigm-changing issue with SSD forensic analysis versus conventional magnetic hard drives is the relentless movement of data by wear leveling protocols and a fundamentally different data storage mechanism. Solid state cells have a finite life measured in the number of write-rewrite cycles.

    To extend their useful life, solid state drives move data around to insure that all cells are written with roughly equal frequency. This is called “wear leveling,” and it works. A consequence of load leveling is that unallocated cells are constantly being overwritten, so SSDs do not retain deleted data as electromagnetic drives do. Wear leveling i(and the requisite remapping of data) is handled by an SSD drive’s onboard electronics and isn’t something users or the operating system control or access.

    Another technology, an ATA command called TRIM, is controllable by the operating system and serves to optimize drive performance by disposing of the contents of storage cell groups called “pages” that are no longer in use. Oversimplified, it’s faster to write to an empty memory page than to initiate an erasure first; so, TRIM speeds the write process by clearing contents before they are needed, in contrast to an electromagnetic hard drive which overwrites clusters without need to clear contents beforehand.

    The upshot is that resurrecting deleted files by identifying their binary file signatures and “carving” their remnant contents from unallocated clusters isn’t feasible on SSD media. Don’t confuse this with forensically-sound preservation and collection. You can still image a solid state drive, but you’re not going to get unallocated clusters. Too, you won’t be interfacing with the physical media grabbing a bitstream image. Everything is mediated by the drive electronics.

Leave a Reply