Get-ForensicFileSlack

SYNOPSIS

Gets the specified volume's slack space.

SYNTAX

ByIndex

Get-ForensicFileSlack [-VolumeName <String>] [[-Index] <Int32>]

ByPath

Get-ForensicFileSlack [-Path] <String>

DESCRIPTION

The Get-ForensicFileSlack cmdlet gets the specified volume's slack space as a byte array.

"Slack space" is the difference between the true size of a file's contents and the allocated size of a file on disk.

When NTFS stores data in a file, the data must be allocated in cluster-sized chunks (commonly 4096 bytes), which creates slack space.

Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.

EXAMPLES

Example 1

[ADMIN]: PS C:\> Get-ForensicFileSlack -VolumeName \\.\C: -Index 0

This command uses Get-ForensicFileSlack to get the slack space from the file that is MFT record index 0 on the C:\ logical volume.

Example 2

[ADMIN]: PS C:\> Get-ForensicFileSlack -Path C:\windows\notepad.exe

This command uses Get-ForensicFileSlack to return the slack space for Notepad.exe.

PARAMETERS

-Index

The index number of the file to return slack space for.

Type: Int32
Parameter Sets: ByIndex
Aliases: 

Required: False
Position: 0
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Path

The path of the file to return slack space for.

Type: String
Parameter Sets: ByPath
Aliases: FullName

Required: True
Position: 0
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-VolumeName

Specifies the name of the volume or logical partition.

Enter the volume name in one of the following formats: \.\C:, C:, or C.

Type: String
Parameter Sets: ByIndex
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

INPUTS

System.String

OUTPUTS

System.Byte[]

NOTES