GetSlack - Forensic Data Capture Utility
DoD Tested and Certified!
This software is used to capture all of the file slack contained on a logical hard disk drive or floppy diskette on a DOS, Windows, Windows 95 and/or Windows 98 computer system. The resulting output from GetSlack can be analyzed with standard computer utilities or with special NTI tools, e.g., Filter_G and NTA Stealth software. GetSlack software is an ideal computer forensics tool for use in investigations, internal audits and computer security reviews. NTI places special importance on the use of this tool in computer security risk assessments because memory dumps in file slack are a cause of security-related concerns. Typically, network logons and passwords are found in file slack. It is also possible for passwords used in file encryption to be stored as memory dumps in file slack.
From an investigative standpoint, file slack is a target-rich environment in which to find leads and evidence. File slack can contain leads and evidence in the form of fragments of word processing communications, Internet e-mail communications, Internet chat room communications, Internet news group communications and Internet browsing activity. As a result, this program is a good tool for use in computer-related investigations. It also acts as a good validation tool for use with computer security programs that are designed to eliminate file slack, e.g., NTI's M-Sweep Pro ambient data scrubbing software. File slack is a significant source of computer security leakage.
The program and its uses are described in Computer Forensics, Incident Response Essentials by Warren G. Kruse II and Jay G. Heiser, Cyber Crime Investigator's Field Guide by Bruce Middleton and Cybersecurity Operations Handbook by Dr. John W. Rittinghouse and Dr. William M. Hancock.
GetSlack Software - Primary Uses:
- Quickly calculates the amount of storage space which is allocated to file slack on a logical
DOS/Windows partition.
- Captures all file slack on a logical DOS/Windows drive and converts it into one or more
files automatically.
- Used in covert and overt internal audits, computer security reviews and computer
investigations.
- Validates the results of computer security scrubbers used to eliminate sensitive or
classified data from file slack on computer storage devices.
GetSlack Software - Program Features and Benefits:
- DOS-based for speed.
- No Software Dongle! - We know that software dongles get in the way and they restrict your ability to process several computers at the same time. That is why NTI does not use software dongles and our licensing of this software allows you to process multiple computers at the same time. NTI's goal is to make your life easier and this software was designed with ease of use in mind.
- Compact program size easily fits on a single floppy diskette with other forensic software
tools.
- At the option of the user, non-printable characters (ASCII values 0-31 and 127-255) can
be skipped. This feature is used when the tool is used to validate the results of a security
scrubber used to eliminate data from file slack.
- Does not alter or modify the data stored on the target computer.
- Does not leave any trace of operation. Therefore, it can be used covertly when laws permit
such use.
- Does not alter evidence on the target drive. Therefore, this tool is ideal for the processing
of computer evidence.
- Compatible with DOS, Windows 3.x, Windows 95 and Windows 98.
- Estimates the output file space needed prior to use.
- Multiple logical storage devices can be specified in one operating session.
- Configures the output files to fit on one or more removable storage devices depending on
the volume of the computed output.
- Supports 12-bit, 16-bit and 32-bit FAT types (32-bit FATs are currently found on
Windows 95B/98/OSR2/NT).
- If insufficient space is available for writing the output file, the program will prompt for
storage media to be switched.
- If 32-bit FAT (FAT32) file systems are to be used, Windows 95B or later must be running
when GetSlack is executed.
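An added illustration of the slack-size estimate and the printable-character filter described in the lists above; it is not GetSlack's code or output format. It assumes slack is the unused tail of a file's last allocated cluster and that a scrubber overwrites slack with zero bytes, and it uses a constructed 2048-byte cluster size, constructed file names and constructed slack contents.

```python
# Added illustration, not GetSlack code. All sample data is constructed.
CLUSTER = 2048  # assumed cluster size of the sample FAT volume


def slack_len(file_size, cluster=CLUSTER):
    """Unused bytes between end of file data and end of its last cluster."""
    if file_size == 0:
        return 0  # an empty file has no cluster allocated on FAT
    return -file_size % cluster


def printable_only(data):
    """Skip non-printable bytes (values 0-31 and 127-255), as the page describes."""
    return bytes(b for b in data if 32 <= b <= 126)


def slack_report(files, cluster=CLUSTER):
    """files maps name -> (file_size, raw bytes of the file's allocated clusters).
    Returns total slack bytes and any printable residue found per file."""
    total, residue = 0, {}
    for name, (size, clusters) in files.items():
        n = slack_len(size, cluster)
        total += n
        text = printable_only(clusters[size:size + n])
        if text:
            residue[name] = text
    return total, residue


def _clusters(content, slack):
    """Build constructed cluster data: file content followed by its slack."""
    assert len(slack) == slack_len(len(content))
    return content + slack


SAMPLE = {
    "LETTER.DOC": (1500, _clusters(b"A" * 1500, b"\x00" * 100 + b"LOGON=jdoe" + b"\xff" * 438)),
    "SCRUBBED.TXT": (3000, _clusters(b"B" * 3000, b"\x00" * 1096)),
    "EXACT.BIN": (4096, _clusters(b"C" * 4096, b"")),
}

if __name__ == "__main__":
    total, residue = slack_report(SAMPLE)
    print("total slack bytes:", total)
    for name, text in residue.items():
        print("printable residue in", name, "->", text.decode("ascii"))
```

A file whose slack was scrubbed yields no printable residue, so any name left in the report marks slack the scrubber missed.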
The current release is version 1.7 and the GSA Product Number is GS1.7.
Copyright © 2004 by New Technologies Armor, Inc. January 18, 2004