What term is used to describe the unused space at the end of the last cluster when a file is written to disk storage?

"File Slack" refers to the data between the last byte of the file and the end of the cluster. It usually contains whatever bit pattern the OS uses to represent unallocated memory.

"Drive Slack" refers to clusters that have been deallocated but not overwritten. It can also refer to unallocated space that no longer falls within a partition boundary.

"RAM Slack" -- I have never heard this term before. Googling this, all the resources I find seem to be quoting or deriving from a book titled "Cyber Forensics: A Field Manual For Collecting, Examining, and Preserving Evidence of Computer Crimes" by Albert J. Marcella, Jr. and Doug Menendez.

I read the chapter where the term is used. Even though it was copyrighted in 2010, it makes reference to the way DOS and Windows 95/98 did things. That hasn't been relevant for over a decade. I could be reading it out of context though. Either way, this book appears to be the source of the term.

Windows stores data on the disk in clusters. A cluster usually contains 8 sectors of 512 bytes each, so 4096 bytes or 4kiB.

This is correct in the case of legacy drives and 4K "advanced format" drives. The sector size is truly 4KB on 4K "native" drives, so there is a 1:1 correlation between sectors and clusters for those drives.

Large files get split over multiple clusters, when the remainder of a file does not fill an entire cluster, this remaining unused space at the end of the cluster is called "file slack".

Also correct.

Windows always writes 512 byte blocks at once, so the first only partially used sector must get filled up before being written to disk.

This is incorrect. Windows does not write in blocks; only clusters. It will write data at any arbitrary size, but they will be in multiples of the cluster size (usually 4KB). The only time Windows cares about sectors/blocks is when an LBA address must be calculated. The low-level disk driver does this, not the filesystem driver. It's actually very inefficient to do reads/writes in 512-byte chunks. It works against the drive's internal hardware caches. Doing a dd in Linux with a 512-byte blocksize will confirm this. It's an order of magnitude slower on both reads and writes.

For whatever reason, Windows decides to pick a random sequence from RAM to fill this sector.

Also incorrect. Windows will write whatever is in the buffer. Almost every application (including the filesystem driver) allocates fresh memory from the heap when writing to the output buffer. When an application allocates memory, it does so in pages, which are (guess what!) 4KB in size. Unallocated memory is usually represented by a repeating bit pattern (not 00 or FF), so that is what will be written to the end of the cluster if it's not full. In cases where the application's output buffer is a modified copy of its input buffer, the slack will contain whatever data the input buffer had in it.

The remaining unused sectors in the partially used cluster remain unchanged and keep the bytes they had before, which can be parts of a previously deleted file in this location. It's called drive slack.

Also incorrect. Windows will always do a full-cluster commit even if there's only 1 byte of changed data. It is true that deallocated clusters have whatever data was in them before. Windows does not bother with zeroing out deallocated clusters. But none of this takes place at the sector level.

4KB is a magic number. Memory pages are 4KB. I/O buffers are 4KB. Sectors are 4KB now. Even the drive's hardware is optimized for I/O requests that are 4KB (or some multiple thereof).

All modern operating systems work this way (Windows, Linux, and OS X). The only exceptions to the rules above are applications that have the disk open for raw access. They completely bypass the operating system's API calls for doing writes. You only see this with low-level recovery and forensic tools because such applications do not benefit from all of the optimizations you get with buffered I/O.

Homepage

Accessibility links

• Skip to content
• Accessibility Help

BBC Account

Notifications

• Home
• News
• Sport
• Weather
• iPlayer
• Sounds
• Bitesize
• CBeebies
• CBBC
• Food

• Home
• News
• Sport
• Reel
• Worklife
• Travel
• Future
• Culture
• TV
• Weather
• Sounds

More menu

Search Bitesize Search Bitesize

• Home
• News
• Sport
• Weather
• iPlayer
• Sounds
• Bitesize
• CBeebies
• CBBC
• Food

• Home
• News
• Sport
• Reel
• Worklife
• Travel
• Future
• Culture
• TV
• Weather
• Sounds

BITESIZE

• Home
• Learn
• Support
• Careers
• • My Bitesize

GCSE

Operating systems

An operating system is software that manages computer hardware and software. It supplies an interface for the user and important utilities for managing the computer.

Part of

Computer Science

Software

• Revise

• quiz

  Test

1. previous

2. 1
3. 2
4. 3
5. 4
6. 5
7. 6
8. 7
9. Page 7of7

10. next

Utilities

The OS uses applications called utilities which allow the user to manage the computer. There are many different utility programs and they may vary across operating systems. They are often accessed via a special menu or control panel in the OS.

Maintenance utilities

These include:

• Backup - This allows the user to restore the system to a previous state which is saved as a backup. This is only usually used if a system malfunctions.
• Disk cleaner - The storage drive is divided into a number of clusters. The table of contents serves as an address book, keeping a record of each file and the clusters used to store that file. When a file is deleted, the address to the location on the disk is removed.
• Disk defragmentation - When files are deleted, unused clusters become available for reuse. These can end up being distributed across a drive, especially if the original files were small. If a large file is then written to a drive, its data could be spread across different clusters leading to file fragmentation. Defragmentation involves rearranging the information on a disk so that files appear in continuous sequences of clusters. This will improve file access times. Most modern operating systems run this process automatically.
• Formatting - Storage drives need to be formatted to be compatible with an OS. The OS usually formats storage media when it is connected to the computer. It is often the case that a storage drive cannot be compatible with both Windows and Mac OS X.

Security utilities

These include:

• user accounts - allow the user to allocate specific users and protects personal files and programs from unauthorised access.
• encryption - can encrypt data when it is stored, or whenever it is transmitted over a network.
• anti-virus software - detects and blocks viruses.
• firewall - can be used to filter between trusted and untrusted networks and prevent programs from communicating through the use of ports.

1. previous

2. 1
3. 2
4. 3
5. 4
6. 5
7. 6
8. 7
9. Page 7of7

10. next

Move on to Test

next

GCSE Subjects

1. Art and Design
2. Biology (Single Science)
3. Business
4. Chemistry (Single Science)
5. Combined Science
6. Computer Science
7. Design and Technology
8. Digital Technology (CCEA)
9. Drama
10. English Language
11. English Literature
12. French
13. Geography
14. German
15. History
16. Home Economics: Food and Nutrition (CCEA)
17. Hospitality (CCEA)
18. ICT
19. Irish – Learners (CCEA)
20. Journalism (CCEA)
21. Learning for Life and Work (CCEA)
22. Mandarin
23. Maths
24. Maths Numeracy (WJEC)
25. Media Studies
26. Modern Foreign Languages
27. Moving Image Arts (CCEA)
28. Music
29. Physical Education
30. Physics (Single Science)
31. PSHE and Citizenship
32. Religious Studies
33. Science
34. Sociology
35. Spanish
36. Welsh Second Language (WJEC)

What type of storage drive contains multiple spinning platters?

What file system supported by Windows can be used for volumes and drives that do not hold the Windows installation?

What is a user profile and what are the two general items it consists of?

What is a snapshot of the system setting and configuration called?