Forensic Analysis of Frozen Hard Drive Using Static Forensics Method

Faiz Albanna
Department of Informatics
Islamic University of Indonesia
Yogyakarta, Indonesia
faiz.albanna@gmail.com

Imam Riadi
Department of Information Systems
Ahmad Dahlan University
Yogyakarta, Indonesia
imam.riadi@is.uad.ac.id

Abstract— Computer storage is either volatile (RAM) or non-volatile (hard drive). This research concerns non-volatile hard drive storage with the FAT32 file system on a Microsoft Windows operating system that has Deepfreeze software pre-installed. All activity written to hard drive partitions frozen by Deepfreeze (a frozen hard drive) is reverted when the computer is restarted or shut down. This makes it difficult to find digital evidence of a crime when a frozen hard drive is installed on the computer (the evidence), because the digital evidence is lost when the computer is off. Static forensics methods are used when the evidence (computer) is obtained powered off; acquisition and analysis can be performed without turning on the computer. The process of finding digital evidence relies on file recovery, a method to restore data or recover deleted files that are no longer listed in the file system. In this research, the methods used to find digital evidence were file recovery, carving by type, search by text string, and search by hex value. The digital evidence discovered took the form of image files, document files, Internet history logs, and open-recent logs, located in unallocated space.

Keywords: Digital Forensics; Hard Drive Forensics; Static Forensics; Frozen Hard Drive; File Recovery

I. INTRODUCTION

Computer forensics can be used as a tool for dealing with perpetrators of computer crime such as theft, embezzlement, and others. Computer evidence has appeared in court for almost 30 years.
A simple definition of computer forensics is a set of procedures for conducting thorough testing on a computer system by using software and tools to restore and preserve evidence in a criminal action (1). In Indonesia, the number of computer crime cases is increasing every year. In the last decade, there were 563 cases of computer crime with a total of 3,130 items of electronic evidence. These statistics show that computer crime is a serious problem in the digital era. The full record of computer crime and computer-related crime cases handled by the Digital Forensic Laboratory of Police Headquarters from 2006 to 2015 is shown in Figure 1 (2).

Figure 1. Computer crime statistics in Indonesia.

In criminal cases involving personal computers running the Windows operating system, it is a problem for investigators to find history, document files, and changes made by the offender when the computer evidence has a frozen hard drive. According to Faronics, DeepFreeze reduces IT support tickets by 63%, so the majority of offices and internet cafes adopt this software. In Indonesia, most cybercriminals prefer to access the internet in those places because their traces in browser history are erased from memory automatically after the computer is restarted. This study is expected to find digital evidence contained on the frozen hard drive by using static forensics methods. In this study, the computer used as evidence has the Windows XP operating system and Deepfreeze version 5 installed, and uses the FAT32 file system.

II. BASIC THEORY

A. Computer Forensics

Computer forensics is related to the examination and analysis of electronic evidence in the form of a personal computer, notebook, netbook, or tablet. Examination of evidence is usually associated with file recovery, which is a method for retrieving a logical file or recovering a file that was deleted or lost because it is no longer listed in the file system.
The data is required to prove that the crime occurred and that it is connected with the offense (3). A file system is a method required by the computer for storing and retrieving data by providing a mechanism for data storage based on a hierarchy of files and directories (4).

International Journal of Computer Science and Information Security (IJCSIS), Vol. 15, No. 1, January 2017 173 https://sites.google.com/site/ijcsis/ ISSN 1947-5500
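
The three search techniques named in the abstract (carving by type, search by text string, search by hex value), shown as an added example that is not code from the paper. The signature table, function names and sample buffer are constructed for illustration; the buffer stands in for unallocated space read from a raw image of the powered-off drive.

```python
import re

# (header, footer) byte signatures for carving by type; illustrative subset.
SIGNATURES = {"jpg": (b"\xff\xd8\xff", b"\xff\xd9"), "pdf": (b"%PDF-", b"%%EOF")}

def carve_by_type(image, max_size=10 * 1024 * 1024):
    """Carve header..footer runs from raw bytes; returns (type, offset, data)."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:  # footer overwritten or file truncated: skip this header
                pos = image.find(header, pos + 1)
                continue
            end += len(footer)
            found.append((ftype, pos, image[pos:end]))
            pos = image.find(header, end)
    return sorted(found, key=lambda hit: hit[1])

def search_hex(image, hex_value):
    """Offsets of a byte pattern given as a hex string, e.g. 'ffd8ff'."""
    needle = bytes.fromhex(hex_value)
    return [m.start() for m in re.finditer(re.escape(needle), image)]

def search_text(image, text):
    """Offsets of a string stored as ASCII or UTF-16LE (common in Windows logs)."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        needle = text.encode(enc)
        hits += [(m.start(), enc) for m in re.finditer(re.escape(needle), image)]
    return sorted(hits)

def build_sample():
    """Constructed stand-in for unallocated space: zero fill around three artifacts."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-pixels" + b"\xff\xd9"
    url = "http://example.test/page".encode("utf-16-le")
    pdf = b"%PDF-1.4 body %%EOF"
    return b"\x00" * 512 + jpg + b"\x00" * 100 + url + b"\x00" * 50 + pdf + b"\x00" * 64

if __name__ == "__main__":
    sample = build_sample()
    for ftype, offset, data in carve_by_type(sample):
        print(f"carved {ftype} at offset {offset}, {len(data)} bytes")
    print("hex ffd8ff at", search_hex(sample, "ffd8ff"))
    print("text hits", search_text(sample, "example.test"))
```

Header-to-footer carving stops at the first footer it sees, so a real JPEG with an embedded thumbnail can be cut short; carved output should be validated by opening or parsing the file.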