slack space question
Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: slack space question

  1. #1
    Senior Member
    Join Date
    Oct 2001
    Posts
    107

    slack space question

    I recently learned that the slck space on your drive is filled up with data from the keyboard buffer. I am curious how to access this and what is the point of encrypting the hard drive if your pass phrase and such can be accessed anyway? Thank you for your time and help.

  2. #2
    Old-Fogey:Addicts founder Terr's Avatar
    Join Date
    Aug 2001
    Location
    Seattle, WA
    Posts
    2,007
    Wha? Slack space on the hard drive with data from the keyboard buffer? Do you mean free space on the drive, or the windows swap file, or what? Could you be more specific?
    [HvC]Terr: L33T Technical Proficiency

  3. #3
    Senior Member linuxcomando's Avatar
    Join Date
    Sep 2001
    Posts
    432
    I belive what you are talking about is is called a key catcher. Its a device that plugs into the back of your keyboard and logs all keystrokes up to 65000 i belive and then lets you go to wordpad and enter in a password/phrase and shows you all the keystrokes. You have to remember that physical security is just a good as network security.
    I toor\'d YOU!

  4. #4
    Senior Member
    Join Date
    Oct 2001
    Posts
    107
    Sorry, I'll be more specific. I am reading this book and it claims this: If you save a 3k file into a 4k cluster, the remaining space (slack space) of 1k is filled with the keyboard buffer. Therefore your pass phrase could be recovered in this space. Is this true or have I been lied to?

  5. #5
    AO Curmudgeon rcgreen's Avatar
    Join Date
    Nov 2001
    Posts
    2,716

    Thumbs up

    I don't believe that any particular data are
    automatically written into slack space,
    although I can imagine how some special
    software could be written that could
    access this space in a bootleg fashion.

    Slack space is generally full of random
    crap, fragments of deleted files.

    In the case of the slack space in the virtual
    memory (swap) file, any random data that
    have been in memory might find its way onto
    the disk, but not in an organized fashion.

    Slack space is one of the unpredictable
    characteristics of disk storage.

    Consider this scenario:
    You write a short virus, for whatever reason.
    Then you copy it, or upload it to a server.
    You think you are anonymous.
    Later, when people get copies of this virus
    from infected systems, there is a chance
    that they will find extra data that have "hitchiked"
    from your slack space

    You're busted!
    I came in to the world with nothing. I still have most of it.

  6. #6
    Old-Fogey:Addicts founder Terr's Avatar
    Join Date
    Aug 2001
    Location
    Seattle, WA
    Posts
    2,007
    I see what you mean now. Yes, there is slack space, but AFAIK it is usually only full of leftover files. It's sort of like having a lined paper full of writing. You take off the title of the paper (deleting it) and then white-out/write over the first part of it until you are done. The rest of the paper still shows through, but it is a fragment, and most non-forensic programs ignore the 'leftovers'.

    I'm not aware of cases where keyboard information is written to disk on a regular basis by accident.
    [HvC]Terr: L33T Technical Proficiency

  7. #7
    Senior Member
    Join Date
    Jan 2002
    Posts
    187
    memory in your hdd is divided into partitions, and partitions are devided into clusters. if you begin writing to a cluster but don't fill it, the rest of the unused space in that cluster is called the slack space. older versions of ms-dos use 32k clusters, windows uses 4k clusters.

    so anyway, most operating systems store what you type into a keyboard buffer. so if a word processor or text editor to write something, what you have written is most likely temporarly put into a keyboard buffer. so when you close the file, the operating system cleans out the buffer by dumping whats in it into the slack space of the last used cluster. it'll only fill up the cluster though, it won't start a new one, so if they contents are too large for the slack space, i believe it just gets marked as overflow.

    so yes it is possible to recover text, passwords, whatever, by looking through slack space in clusters. it's very time consuming when you think about how big your hdd is, and trying to search it one byte at a time. if you're reeeeeaally interested, you could find yourself a hex editor (or i could send you one), and you can make some files on a floppy disk, and check out the contents of that disk with the hex editor. you'd be surprised what you find.
    U suk at teh intuhnet1!!1!1one

  8. #8
    Senior Member cwk9's Avatar
    Join Date
    Feb 2002
    Posts
    1,211
    Do all os's do this or just certain ones?
    Its not software piracy. Iím just making multiple off site backups.

  9. #9
    Senior Member
    Join Date
    Jan 2002
    Posts
    187
    umm to be honest i don't know, i had network security class where i had to recover things from disks and slack space with hex editors and reconstruct fat tables, but we always used widows. i know that older ms-dos versions are worse b/c they have much larger clusters...windows uses smaller clusters to make more efficient use out of memory.

    all operating systems are going to have slack space with random garbage in there, i guess it depends on what the particular operating system does with it's keyboard buffers.
    U suk at teh intuhnet1!!1!1one

  10. #10
    Senior Member
    Join Date
    Apr 2002
    Posts
    242
    damn i get introduced myself into ****, i heard in chatrooms a while ago. Nice, topic "owen76"
    my pages: (great resources for everyone)
    geeksarecool.com resource for computers, hacking, virii, wutnot.
    thepillbox.net archive of logs and resource for laughter.
    --enjoy these pages, as they grow.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •