[sleuthkit-users] Drive slack
Brought to you by:
carrier
Menu
▾
▴
[sleuthkit-users] Drive slack
|
From: Sergio W. <ser...@gm...> - 2013-10-21 23:30:48
|
I have been trying to understand the concept of drive slack and how some applications wipe this space. In order to do this, I have created a small hard disk with a NTFS filesystem inside a virtual machime with Windows 7. Then I have added a simple JPG file to this hard disk. After that, I have edited the last sector of the last cluster of such file (which it is not the last sector used by the file), and added a simple word "DRIVESLACK" to this last sector. Then, I have used the CCleaner application and activated the "Wipe Cluster Tips" which supposly, remove the drive slack space. After that, If I have performed a blkcat of the last cluster of the file, and I observed how the DRIVESLACK remains in the last sector of the last cluster of the jpg file. Is there something that I have missed, or why the DRIVELSACK is not overwritten by the CCleaner application? |
