Autopsy: Find Data in File Slack Space

TL;DR

This guide shows you how to use Autopsy to find hidden data within the unallocated space (slack space) of a file. This is useful for digital forensics investigations where deleted or partially overwritten files might contain valuable information.

Steps

1. Open the Case: If you haven’t already, open your Autopsy case containing the disk image or drive you want to investigate.
2. Navigate to the File: In the Autopsy file tree view (usually on the left), find the specific file you suspect contains hidden data in its slack space. Right-click on the file and select ‘Open’.
3. Access Hex View: Once the file is open, go to the ‘Hex’ tab at the bottom of the Autopsy window. This shows the raw bytes of the file.
4. Identify Slack Space Regions: The slack space appears as areas after the last valid byte of the file data. It can be tricky to spot visually. Look for patterns that don’t resemble typical file content or zero-filled regions.
   • Autopsy doesn’t automatically highlight slack space; you need to identify it based on file size and structure.
   • Files are often padded to cluster boundaries, so the slack space is usually a multiple of the disk’s allocation unit (cluster) size. You can find this information in ‘Ingest > Disk Image’ under ‘Partition Information’.
5. Use Keyword Search: A more effective method is to use Autopsy’s keyword search.
   1. Go to the ‘Keyword Search’ tab.
   2. Add keywords you are looking for (e.g., usernames, email addresses, specific phrases).
   3. In the ‘Search Scope’ section, select ‘File(s)’ and choose the file you’re investigating. Crucially, check the box labelled ‘Include unallocated space’.
   4. Click ‘Start Search’.
6. Review Keyword Hits: Autopsy will display any keyword hits found within the file’s slack space.
   • Double-click on a hit to jump directly to that location in the Hex view.
   • Examine the surrounding data to understand the context of the hit.
7. Carve Files (Optional): If you suspect complete files are hidden within the slack space, use Autopsy’s file carving feature.
   1. Go to ‘File Carving’.
   2. Select the file.
   3. Choose appropriate carving options based on expected file types. Start with common types like JPEG, PDF, DOCX etc.
   4. Click ‘Carve Files’. Autopsy will attempt to extract any embedded files from the unallocated space.
8. Export Data: Once you’ve identified and reviewed relevant data, export it for further analysis.
   • Right-click on the file or specific hits in the Hex view.
   • Select ‘Export’.
   • Choose an appropriate export format (e.g., raw bytes, HTML report).

Important Considerations

• Disk Allocation Unit Size: Knowing the disk’s allocation unit size is critical for identifying slack space boundaries.
• File System Type: Different file systems handle slack space differently. Autopsy generally works well with common types like NTFS, FAT32, and EXT4.
• Data Fragmentation: Slack space data may be fragmented across the disk, making complete recovery difficult.