Investigating DeepFreez


Introduction

First, Merry Christmas and Happy New Year.

In this paper I am going to talk about Deep Freeze and how it can be a "double-edged sword".

I have spent some of my free time (Christmas and New Year vacation) testing and debugging Deep Freeze. This paper details my findings and the way I see this tool as a double-edged sword. This paper is NOT a bug report: even though I have found security issues in Deep Freeze, I am not going to discuss them in this paper. I will also show you how to install and run Deep Freeze Professional.


What is Deep Freeze anyway?

[Snapshot from the link http://www.faronics.com/html/product.asp ]

Deep Freeze protects millions of computers worldwide—24 hours a day, 7 days a week, month after month, year after year—saving countless hours of technical support. Reduce or eliminate technical support time completely and keep expensive computer assets running at 100% capacity. Deep Freeze instantly protects and preserves original computer configurations. Completely invulnerable to hacking, Deep Freeze makes computing environments easier to manage and maintain. Each restart eradicates all changes and resets the computer to its original state, right down to the last byte. Protect a single, hundreds, or thousands of computers across a distributed LAN, WAN or over the Internet.

OK, now let us not get too excited about the "protects millions of computers" part. Based on my tests I cannot call Deep Freeze a GOOD security product, but as I said before, this paper will NOT talk about any security bug that I have found.

In a nutshell, Deep Freeze is good for most users who do not change their system configuration often. Deep Freeze can be good for a lab where you need to install many applications, and it is an OK solution for most home users. Deep Freeze has two sides, which we will call the Dark and White sides. I will talk more about both sides in the next sections.


The Dark Side of the Moon

Deep Freeze can be used by bad people too. As an example, let us take the case of someone called "The_Sicko_CP_Dude_Or_Any_Attacker". All it takes for "The_Sicko_CP_Dude_Or_Any_Attacker" is to install Deep Freeze and surf the net; after he reboots his computer no traces are left. Yes, NO traces will be left on a machine that has Deep Freeze installed: all the surfing and email history will be destroyed after the machine is rebooted, so after the next reboot "The_Sicko_CP_Dude_Or_Any_Attacker" can again enjoy whatever he was doing, without traces. Deep Freeze does NOT help a CP investigator, or any digital forensic investigator for that matter.


The White Side of the Moon

Deep Freeze can be very useful for coders, digital forensic investigators, administrators, users, and many others. I am going to list some of its benefits when it is used on the "White Side of the moon".


Installing and Configuring Deep Freeze Professional

When you run the Deep Freeze Professional installation (.exe) you should get a screen similar to the one shown here. Just click the Next button.

After clicking to agree to the software license you will get a screen similar to the one shown here.

Click OK; you are done installing the Administration Console. The Console is used to create the client, which is an executable file that you install on the computer you are going to freeze. The installation can run in stealth mode too (this can be used on the Dark side of the moon; imagine a worm that uses the same principle to FREEZE people's computers).

The next step is to run the Deep Freeze Administration Program Console: Start > Run > Programs >

The first time you run it, Deep Freeze Administration will ask you for a password. The password is used to protect the Administration Program. Enter a password and click OK.

For quick help click the "Start Here" tab. Basically we will configure which disk we would like to freeze, optionally assign a password, and then create the client executable.

Click the "Configuration" tab to set a password. The password will be used to access the client configuration.

Next we decide which disk we would like to freeze; this is done by clicking the "Configuration" tab and then the "Frozen Drives" tab.

Next we create the client executable file. All you need is this one file to freeze any Windows 9X/NT/2K/XP/2K3 based computer.

Save the created executable file to your disk and you will be ready to start freezing -:).

If you would like to freeze a computer, just copy the Freeze.exe to a diskette/CD-ROM/USB memory stick and run it on the target computer you would like to freeze. Again, let us talk about the Dark side: since it takes only ONE file to freeze a computer, imagine our "The_Sicko_CP_Dude_Or_Any_Attacker" in a cyber-cafe, at his friend's house, or in the comfort of his own home, surfing the net without leaving many traces on the computer.

Note: Once you install Deep Freeze you can run the Administration Program on any other computer too, just by copying this folder: C:\Program Files\Faronics\Deep Freeze Professional.


Investigating Deep Freeze Traces

Investigators examining a Windows-based OS should look for Deep Freeze traces. Below is a list of traces that can help you get started.

Click "View" and select "Hash Sets".

Create a new folder by right-clicking.

Right-click the created folder and select "Import Hashkeeper".

Close the Hash Sets window.

Re-open the Hash Sets view (click "View", select "Hash Sets"); now you should see the newly imported Deep Freeze hash sets.
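The hash-set import above is a GUI procedure; as an added example (not code from the article or from Faronics), here is the same idea in Python: load a hash set, stream-hash every file under a mount point, and report content matches. The CSV layout, the sample file contents and their hashes are all constructed for this demo; they are not the real Hashkeeper format and not real Deep Freeze file hashes.

```python
"""Hash-set matching for Deep Freeze traces (added example, not from the article).

The CSV layout and all sample contents/hashes below are constructed for this
demo; they are not the real Hashkeeper format and not real Deep Freeze hashes.
"""
from __future__ import annotations

import csv
import hashlib
import io
import tempfile
from pathlib import Path


def load_hash_set(csv_text: str) -> dict[str, str]:
    """Parse a constructed 'md5,file_name' CSV into {md5: file_name}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["md5"].strip().lower(): row["file_name"] for row in reader}


def md5_file(path: Path) -> str:
    """Stream-hash a file so large evidence files need not fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path, hash_set: dict[str, str]) -> list[tuple[str, str]]:
    """Return (path relative to root, hash-set name) for every file whose MD5 is in the set.

    Matching is by content only: a renamed copy is still found, and a file that
    merely shares the name Freeze.exe but has different content is not reported."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digest = md5_file(p)
            if digest in hash_set:
                hits.append((p.relative_to(root).as_posix(), hash_set[digest]))
    return hits


def demo() -> list[tuple[str, str]]:
    """Build a constructed mini file system, scan it, and return the hits."""
    client = b"constructed stand-in for the Deep Freeze client Freeze.exe"  # not real bytes
    hash_set = load_hash_set("md5,file_name\n%s,Freeze.exe\n" % hashlib.md5(client).hexdigest())
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        df_dir = root / "Program Files" / "Faronics" / "Deep Freeze Professional"
        df_dir.mkdir(parents=True)
        (df_dir / "Freeze.exe").write_bytes(client)                         # installed client: hit
        (root / "Temp").mkdir()
        (root / "Temp" / "setup.bin").write_bytes(client)                    # renamed copy: hit
        (root / "Downloads").mkdir()
        (root / "Downloads" / "Freeze.exe").write_bytes(b"unrelated file")  # same name only: no hit
        return scan_tree(root, hash_set)
```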


That is all for now. Peace.


Copyright © 2005 www.safehack.com
$Adonis: deepfreez.htm,v 1.00 2005/03/19 Exp $