Slack space

Clusters are the smallest allocation units on storage media: every file occupies a whole number of them. When formatting a drive we either choose the cluster size ourselves or accept the default of 4 kilobytes. This is where slack space comes in.

Slack space is the empty, unused space left over in clusters that contain data but are not completely filled by it. To fully understand this, we first need to look at the default cluster sizes that operating systems use. A drive formatted with NTFS (for Windows) has a default cluster size of 4 KB. Say you save a text file of 3 KB to that disk: the file still takes up a whole 4 KB cluster, so 1 KB of that cluster is unused, or slack, space.

Slack space is of particular interest to a forensic investigator as data can be easily hidden in slack space. Luckily for us, we have several tools available, such as Sleuth Kit and Autopsy, within Kali Linux, to help investigate slack space and find hidden files.
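The arithmetic above, generalised to files of any size and combined with a check on what the slack actually contains, as an added example (not code from the book or from Sleuth Kit/Autopsy). The disk image, the file offset and the planted slack string are all constructed here, and a contiguous file layout is assumed.

```python
# Added example (not from the book): how much slack a file leaves in its
# last cluster, and whether that slack holds anything besides zero fill.

def slack_bytes(file_size: int, cluster_size: int = 4096) -> int:
    """Unused bytes in the last cluster allocated to a file.

    A file that exactly fills its clusters has no slack; otherwise the
    slack is whatever remains of the final cluster. 3 KB in 4 KB
    clusters gives 1 KB, matching the NTFS example in the text.
    """
    if cluster_size <= 0:
        raise ValueError("cluster size must be positive")
    if file_size < 0:
        raise ValueError("file size cannot be negative")
    return (-file_size) % cluster_size

def clusters_allocated(file_size: int, cluster_size: int = 4096) -> int:
    """Number of whole clusters the file system must allocate."""
    return (file_size + cluster_size - 1) // cluster_size

def extract_slack(image: bytes, first_byte: int, file_size: int,
                  cluster_size: int = 4096) -> bytes:
    """Return the slack region after a file that starts at `first_byte`
    in `image` (assumes the file's clusters are contiguous)."""
    start = first_byte + file_size
    end = first_byte + clusters_allocated(file_size, cluster_size) * cluster_size
    return image[start:end]

def slack_looks_nonempty(slack: bytes) -> bool:
    """True if the slack contains anything other than zero fill, which is
    what an investigator would want to look at more closely."""
    return any(b != 0 for b in slack)

def build_demo_image(cluster_size: int = 4096) -> bytes:
    """Constructed sample image: one cluster holding a 3 KB text file,
    with a short string planted in the 1 KB of slack behind it."""
    file_data = b"A" * 3072
    planted = b"hidden note in slack"
    fill = cluster_size - len(file_data) - len(planted)
    return file_data + planted + b"\x00" * fill

if __name__ == "__main__":
    img = build_demo_image()
    print("slack for 3 KB file:", slack_bytes(3072), "bytes")
    region = extract_slack(img, 0, 3072)
    print("slack region:", len(region), "bytes, non-zero content:",
          slack_looks_nonempty(region), region.rstrip(b"\x00"))
```

On a real image the same check is done per file against the cluster run reported by the file system, which is what tools like Sleuth Kit read for you.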
