Tuesday, 6 November 2012

Analysis of "Frozen" hard drive using Deep Freeze




First, I apologize for the delay in updating the blog. It has been two months since my last post, it seems like it has gone by so fast. Since my last post I have essentially circumnavigated the world working on various projects from Bangkok to the US to South America to Malaysia and back to Bangkok.

One of the recent topics that came up that I felt was worth sharing was a forensic analysis of a computer using Deep Freeze.
Deep Freeze is a tool produced by Faronics that is used by many organizations to maintain an installation of Windows at a defined state. It is also commonly used by Internet cafes and other public Internet locations to help protect privacy. If you are unfamiliar with it, it basically takes a "snapshot" of the hard drive(s) and then lets the user install, create, change or modify the system at will, but when the system is rebooted, it goes back to its original "state".


  • Data that is created during the "frozen" state obviously becomes fragile after a reboot, since it is now stored in unallocated space like any other deleted data. Quick seizure and review is key to recovering the greatest possible amount of information after the system has been rebooted, but as with all deleted data, it depends on how much the system is used after the reboot.


For a really interesting perspective, view a live machine that is running Deep Freeze using a forensic tool that can view both the logical device and the physical device, and compare some sectors in unallocated space.

One of the easiest "recovery" solutions that comes to mind when dealing with a drive utilizing Deep Freeze would be to use an EnScript (you didn't think you were going to get through this post without me using that word, did you??) to parse out all the MFT records in unallocated space. Then, get the data runs from each MFT record and piece the files back together. You could even check each cluster as you rebuild to see whether it is currently allocated, which would indicate that part of the file may have been overwritten.



Good luck.