Title: A Digital Forensic Approach for Examination and Analysis of Frozen Hard Disk of Virtual Machine

Issue Number: Vol. 8, No. 4
Year of Publication: Dec - 2019
Page Numbers: 262-272
Authors: M. George Christopher, Kumarshankar Raychaudhuri
Journal Name: International Journal of Cyber-Security and Digital Forensics (IJCSDF)
- Hong Kong
DOI:  http://dx.doi.org/10.17781/P002625

Abstract:


There are software tools in the open market which help in safeguarding the computer system from malware, viruses and other unintentional changes to the users Operating System. Faronics’ Deep Freeze is one such type of software, which can be used to freeze any hard drive partition, so that any write operation to that partition is reset once the computer system is shutdown or rebooted. However, from the perspective of Digital Forensics, the same software application can also be used as a perfect anti-forensic tool to leave no traces of any activity, thus adding to the challenges of a forensic analyst. In this research work, our primary objective is to perform a forensic analysis of the Deep Freeze software using various tools and techniques, by collecting volatile and non-volatile data. This would be useful in further examination of the frozen partition of the hard disk in an attempt to recover the data, which might be lost after reboot or shutdown. Lastly, based on the results and conclusions of the experiments, some best practices necessary for handling of computer systems (with frozen virtual hard disks), will be suggested. Such best practices would be enlightening for the forensic practitioners in dealing with cyber-crime cases involving frozen virtual hard drives