Educause Security Discussion mailing list archives

Re: Deepfreeze - Why not?


From: "Mclaughlin, Kevin (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Thu, 17 Nov 2011 22:17:59 -0500

I wonder if it would be worthwhile to tie this thread into thought discussions on the large scale relatively 
undiscovered theft and siphoning off of intellectual property from IHEs. I guess what I am really stuck on and 
trying to figure out is whether or not we continue to make decisions of convenience to/for IT when those decisions may 
be ones that make it easier for the bad guys to access data and infrastructure that we don’t want them to access? I’m 
not saying that this is happening, but my gut tells me that it’s worth taking a good hard look at.

However, if forensic tools and carving still work on a DeepFreeze machine then most of my arguments and concerns are 
moot.  Would anyone on the thread who uses DeepFreeze be willing to run an image through FTK or send me an image to run 
through FTK so we could see what results we get?

- Kevin


Kevin L. McLaughlin,  CISM, CISSP, GIAC-GSLC, CRISC, PMP, ITIL Master Certified
Assistant Vice President, Information Security & Special Projects
University of Cincinnati
513-556-9177

The University of Cincinnati is one of America's top public research institutions and the region's largest employer, 
with a student population of more than 41,000.


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Rich Graves
Sent: Thursday, November 17, 2011 9:56 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Deepfreeze - Why not?

A skilled, motivated forensicator can recover data from a DeepFrozen machine. I've seen it done. Civilians would have 
to resort to file carving, but the company is willing to help enforcement understand how data is written.

In incidents of sufficient severity, security cameras and witnesses may be more important than digital evidence in 
placing a particular person at a particular keyboard.
--
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
CMC135: 507-222-7079 Cell: 952-292-6529

