Slack_handler is a python tool for extracting File slacks in raw format and writing their details to a CSV file.

The File slacks considered are both RAM and DISK file slacks which represent the data between the none multiple size of the file and the allocated size in clusters. No volume slack is considered.

• A presentation is available on Youtube (~17min).
• A description article is available on IEEE Xplore.

Implemented so far:

• extract all file slacks from raw or ewf disk image to a directory.
• display file slacks in LATIN-1 or Hex encoding to the console/terminal.
• pretty print all found file slack data in the provided disk image.
• Write-out File slacks details to a CSV file including: the original file, the file slack size, the parent directories, MD5 and SHA1 hashes, etc.
• Support for 'RAW' disk images.
• Support for 'EWF' disk images.
• Add CI using Github action.
• Add a helper function for MD5_calc and SHA1_calc in 'utils' module for factoring the code.
• Add EWF disk image to test_data.
• add more tests 'test__file_slack_nbr' and computed MD5 hashs.
• fix shenanigans of compressed files.
• add more tests 'test__file_slack_content' (inspection at binary level).
• add a test case for no_file_slack file.
• Add relative/absolute location details to CSV report file.
• cache and optimize Github actions.
• Add support for disk images in AFF formats.
• Optimize the way it locates the File slack space.
• Simulate user behaviors in test disk images using a Bash script.
• Generate more disk images for validation.
• add XML description file of each disk image using fiwalk or fls.
• package everything.

• Create a Virtual environment
• Download the latest release
• Clone pytsk repository
• update the repo (get libtsk) python setup.py update
• build (libtsk) python setup.py build
• install (which will install pytsk bindings) python setup.py ìnstall
• pip list now you should see pytsk installed if everything is ok!
• clone pyewf repository
• ./synclibs.sh : Script that synchronizes the local library dependencies
• ./autogen.sh
• ./configure --enable-python
• python setup.py build
• python setup.py install

For further details, please check the steps of the job Build used in Github actions process.

The tool is hosted on Pypi

• pip3 install slack-handler
• slack_handler --version

To dump all File slacks to 'slacks/' folder and extract all the information to CSV format file named 'report.csv' from a raw image 'USB-NTFS.dd' :

slack_handler --type raw --dump slacks/ --csv report.csv images/USB-NTFS.dd

Help:

usage: slack_handler [-h] [-e ENCODING] -t TYPE [-p] [-d DUMP] [-c CSV] [-v] [--version] disk image

Extract the file slack spaces.

positional arguments:
  disk image

optional arguments:
  -h, --help            show this help message and exit
  -e ENCODING, --encoding ENCODING
                        Display slack space in LATIN-1 or Hex. Supported options 'latin-1', 'hex'.
  -t TYPE, --type TYPE  Type of the disk image. Currently supported options 'raw' and 'ewf'.
  -p, --pprint          Pretty print all found file slack spaces.
  -d DUMP, --dump DUMP  Dump file slack spaces of each file in raw format to a directory if specified, by default temporary dir.
  -c CSV, --csv CSV     Write file slacks information to a CSV file.
  -v, --verbose         Control the verbosity of the output.
  --version             show program's version number and exit

Feel free to read the file LICENSE.

• Original version Date: 13/06/2012 by Sokratis Vidros [email protected]
• Current updated version: 0.1 since 25/10/2020 by ALJI Mohamed [email protected]

• Joachim Metz for providing an initial feedback on the little tool related to the different types of disk slack space and the licensing.
• David Cowen for the awesome serie of "How-to on programming using libtsk and python".
• Any feedback is a welcome via Github issues or reach out via The Open Source DFIR Slack community using the registration link.