Authors: Jan-Niclas Hilgert, Anton Schwietert

DFRWS USA 2026

Abstract

File slack space has long been regarded as a potential source of residual data in digital forensic investigations. While prior work has established that slack exists in meaningful quantities on production systems and can be exploited for data hiding, the question of whether modern filesystems’ own operations actually produce residual data in slack regions has not been systematically examined across today’s diverse filesystem and operating system landscape. This paper presents a cross-platform empirical study of file slack space behavior across 12 filesystem implementations on Linux, macOS, and Windows. Through controlled detection and persistence experiments, we examine whether residual data occurs in slack space and whether it survives common filesystem operations. Under these controlled conditions, the default filesystems of all three major platforms (NTFS, APFS, ext4) consistently cleared both RAM slack and drive slack during file creation and modification. Beyond these defaults, behavior diverged substantially: FAT-based filesystems preserved drive slack, Copy-on-Write filesystems introduced “ghost slack” through block relocation, and the same filesystem specification yielded different slack behavior across operating systems and driver implementations. These findings demonstrate that slack space behavior is governed by the interplay of filesystem type, operating system, and driver implementation, and that its forensic value must be assessed on a per-configuration basis rather than assumed. We release our experimentation framework as open source to support reproducibility.
