312-49 · Question #312
312-49 Question #312: Real Exam Question with Answer & Explanation
The correct answer is D: one who has lots of allocation units per block or cluster.
Question
In a forensic examination of hard drives for digital evidence, what type of user is most likely to have the most file slack to analyze?
Options
- A. one who has NTFS 4 or 5 partitions
- B. one who uses dynamic swap file capability
- C. one who uses hard disk writes on IRQ 13 and 21
- D. one who has lots of allocation units per block or cluster
Explanation
File slack (also called slack space) is the unused space between the end of a file's actual data and the end of the last disk cluster allocated to it. The more allocation units (sectors) per cluster, the larger each cluster is, and therefore the more wasted space at the end of any file that does not perfectly fill its last cluster. A user with many large allocation units per block/cluster will consistently have more slack space per file, providing more forensic artifacts to analyze. NTFS itself does not inherently create more slack than FAT; it is cluster size that matters.