Deep Freeze Forensics


On a computer I seized, I found “deep freeze” installed under “Program Files”. Going on with the examination, I noticed that the program runs neither from the registry nor from start-up, but as a service. This means “deep freeze” is running on each computer start-up.

Right away, I installed deep freeze on a virtual computer that already existed on my computer, running WinXP with an NTFS file system. I created a text file named “try.txt” with the content “semih dokurer”. When I restarted the virtual computer, I saw that the file was gone.
In the first examination of the virtual computer with EnCase, a keyword search found the MFT record of the file in the unallocated clusters. Since the file is so small, its content is stored as resident data in the MFT record. However, the content of the file, “semih dokurer”, was also found at another location in the unallocated clusters. The content is neither at the beginning of any cluster, nor have I come across any significant information before or after it.
The result may be different in the original case because the file system there is FAT. The examination is ongoing. I am going to add the results I find here as a comment. If you have any experience with “deep freeze”, I am waiting for your input.
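The MFT record the poster found in unallocated space is recoverable by hand, which shows why the file content turns up inside the record: small files keep their $DATA attribute resident in the 1024-byte record. The following is an added example, not code from the original post or from the Deep Freeze vendor: a small Python carver that scans a raw buffer for "FILE" record signatures at sector-aligned offsets, undoes the update-sequence fixups (rejecting torn or overwritten records whose fixup bytes no longer match), walks the attribute list, and returns the $FILE_NAME and any resident $DATA content. Record and attribute offsets follow the public NTFS on-disk layout; the "image" it runs over is constructed inside the script, with the file name and content taken from the post, and the record number, USN value and junk padding are arbitrary constructed values.

```python
"""Carve NTFS MFT records from a raw byte buffer and extract resident data.

Added example (not from the original post). The sample image is constructed
below; no real disk is read.
"""
import struct
from typing import Dict, List, Optional

RECORD_SIZE = 1024        # MFT record size on typical NTFS volumes
SECTOR_SIZE = 512
ATTR_FILE_NAME = 0x30
ATTR_DATA = 0x80
ATTR_END = 0xFFFFFFFF


def apply_fixups(record: bytes) -> Optional[bytes]:
    """Undo the update sequence array; return None if the record is corrupt."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if buf[end - 2:end] != usn:          # fixup mismatch: torn/overwritten record
            return None
        buf[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def parse_record(record: bytes) -> Optional[Dict]:
    """Parse one MFT record into its file name, in-use flag and resident $DATA."""
    if record[:4] != b"FILE":
        return None
    fixed = apply_fixups(record)
    if fixed is None:
        return None
    first_attr, flags = struct.unpack_from("<HH", fixed, 0x14)
    info: Dict = {"in_use": bool(flags & 1), "name": None, "resident_data": None}
    off = first_attr
    while off + 16 <= len(fixed):
        atype, alen, non_res = struct.unpack_from("<IIB", fixed, off)
        if atype == ATTR_END or alen == 0:
            break
        if not non_res:                       # resident: content lives in the record
            clen, coff = struct.unpack_from("<IH", fixed, off + 0x10)
            content = fixed[off + coff:off + coff + clen]
            if atype == ATTR_FILE_NAME and len(content) >= 0x42:
                nlen = content[0x40]          # name length in UTF-16 code units
                info["name"] = content[0x42:0x42 + 2 * nlen].decode("utf-16-le")
            elif atype == ATTR_DATA:
                info["resident_data"] = content
        off += alen
    return info


def carve(image: bytes) -> List[Dict]:
    """Scan sector-aligned offsets for MFT records and parse each valid one."""
    found = []
    for off in range(0, len(image) - RECORD_SIZE + 1, SECTOR_SIZE):
        if image[off:off + 4] == b"FILE":
            rec = parse_record(image[off:off + RECORD_SIZE])
            if rec:
                rec["offset"] = off
                found.append(rec)
    return found


# --- constructed sample data (builders, not part of a real NTFS volume) ---

def _resident_attr(atype: int, content: bytes) -> bytes:
    """Build a resident, unnamed attribute with a 0x18-byte header, 8-byte aligned."""
    total = 0x18 + len(content)
    total += (-total) % 8
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, 0,
                      len(content), 0x18, 0, 0)
    return hdr + content + b"\0" * (total - 0x18 - len(content))


def _file_name_content(name: str, real_size: int) -> bytes:
    """$FILE_NAME body: parent ref 5 (root), zero timestamps, Win32 namespace."""
    return struct.pack("<Q4Q2QIIBB", 5, 0, 0, 0, 0, 0, real_size, 0, 0,
                       len(name), 1) + name.encode("utf-16-le")


def build_record(name: str, data: bytes, in_use: bool, usn: int = 7) -> bytes:
    """Assemble a 1024-byte MFT record and apply fixups as the driver would."""
    attrs = (_resident_attr(ATTR_FILE_NAME, _file_name_content(name, len(data)))
             + _resident_attr(ATTR_DATA, data) + struct.pack("<I", ATTR_END) + b"\0" * 4)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38,
                      1 if in_use else 0, 0x38 + len(attrs), RECORD_SIZE, 0, 3, 0, 0)
    rec = bytearray(hdr + b"\0" * 8 + attrs)
    rec += b"\0" * (RECORD_SIZE - len(rec))
    usn_bytes = struct.pack("<H", usn)
    rec[0x30:0x32] = usn_bytes
    for i in (1, 2):                          # save sector-end bytes, stamp the USN
        end = i * SECTOR_SIZE
        rec[0x30 + 2 * i:0x30 + 2 * i + 2] = rec[end - 2:end]
        rec[end - 2:end] = usn_bytes
    return bytes(rec)


def sample_image() -> bytes:
    """Constructed slab of 'unallocated space': junk, a deleted record, a torn record."""
    junk = b"\xAA" * 2048
    deleted = build_record("try.txt", b"semih dokurer", in_use=False)
    torn = bytearray(build_record("other.txt", b"x" * 10, in_use=True))
    torn[SECTOR_SIZE - 2:SECTOR_SIZE] = b"\x00\x00"   # simulate a torn write
    return junk + deleted + junk + bytes(torn) + junk


if __name__ == "__main__":
    for rec in carve(sample_image()):
        print(rec)
```

Running the script reports one record at offset 2048, named try.txt, not in use, with resident data b"semih dokurer"; the second record is dropped because its fixup bytes no longer match the USN, which is the same check a forensic tool applies before trusting a carved record. A record whose $DATA attribute is non-resident would return resident_data of None, and its content would then have to be located through the data runs instead.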