find out if user booted from CD

25 Posts
9 Users
0 Likes
1,593 Views
(@digitalcoroner)
Posts: 46
Eminent Member
Topic starter
 

How can I find out if a user booted their computer from a CD?

 
Posted : 03/12/2012 5:10 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

1. Ask them.

2. Ask others around them.

3. Check the video.

 
Posted : 03/12/2012 6:31 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

1. Ask them.

2. Ask others around them.

I would add "nicely" wink

jaclaz

 
Posted : 03/12/2012 6:49 pm
(@digitalcoroner)
Posts: 46
Eminent Member
Topic starter
 

Your answers would imply that there is no way to determine this via digital forensic methods?

The asking-the-user method doesn't work very well.

 
Posted : 05/12/2012 2:10 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Your answers would imply that there is no way to determine this via digital forensic methods?

The asking-the-user method doesn't work very well.

Well, a bootable CD normally completely by-passes each and every hard disk on the PC during the booting phase, so it leaves no traces whatever.
What you may find (in particular situations) is

  1. that the BIOS of the PC was set to boot from CD before booting from the internal HD (but this means nothing, as this is a common enough setting, and a number of modern BIOSes offer an F11 or F12 option to change the boot order on the fly; so besides it being unlikely that you find this, the finding wouldn't be conclusive at all)
  2. if the PC was using Linux and no NT system was ever booted on it, that there is a disk signature in the MBR
  3. if the user used the booted CD to perform some particular operation on the filesystem or on files that the "resident" OS would be incapable of or "normally" does not perform (are you familiar with needles and haystacks?); this is a "generalization" of point #2 above

jaclaz

 
Posted : 05/12/2012 2:38 pm
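jaclaz's point 2 is checkable directly from the first sector of the disk. Windows NT-family systems write a 4-byte disk signature at MBR offset 0x1B8 the first time they touch a disk, so on a machine that has only ever run Linux from its internal disk, a non-zero signature is unexplained and worth following up. The script below is an added example written for this thread, not code posted by any of the participants; it reads a raw image (or a constructed sample sector when no path is given), parses the MBR using the standard layout, and flags the Linux-only-plus-signature combination. The partition-type mapping is deliberately small and the "follow up" verdict is a prompt for the analyst, not a conclusion.

```python
"""Parse an MBR and flag an NT disk signature on a Linux-only disk.

Added example for the thread above, not the forum's or any poster's code.
Offsets are the standard MBR layout; the partition-type table is a small
subset chosen for the demo.
"""
import struct

MBR_SIZE = 512
SIG_OFFSET = 0x1B8           # 4-byte NT disk signature written by Windows
PART_TABLE_OFFSET = 0x1BE    # four 16-byte partition entries
BOOT_SIG_OFFSET = 0x1FE      # 0x55AA marks a valid MBR

LINUX_PART_TYPES = {0x82: "Linux swap", 0x83: "Linux", 0x8E: "Linux LVM", 0xFD: "Linux RAID"}
NT_PART_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 LBA"}


def parse_mbr(sector: bytes) -> dict:
    """Return the disk signature and the non-empty partition entries."""
    if len(sector) < MBR_SIZE:
        raise ValueError("need at least 512 bytes")
    if sector[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature; not an MBR")
    disk_sig = struct.unpack_from("<I", sector, SIG_OFFSET)[0]
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFFSET + 16 * i: PART_TABLE_OFFSET + 16 * (i + 1)]
        ptype = entry[4]
        if ptype == 0:                      # empty slot
            continue
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        partitions.append({"index": i, "type": ptype, "bootable": entry[0] == 0x80,
                           "lba_start": lba_start, "sectors": sectors})
    return {"disk_signature": disk_sig, "partitions": partitions}


def assess(info: dict) -> str:
    """Apply jaclaz's reasoning: a signature on a Linux-only disk is unexplained."""
    types = {p["type"] for p in info["partitions"]}
    has_nt_fs = bool(types & set(NT_PART_TYPES))
    has_linux = bool(types & set(LINUX_PART_TYPES))
    if info["disk_signature"] == 0:
        return "no NT disk signature"
    if has_linux and not has_nt_fs:
        return "NT disk signature on a Linux-only disk: unexplained, follow up"
    return "NT disk signature present: expected where Windows has used this disk"


def build_mbr(disk_signature: int, entries) -> bytes:
    """Constructed sample sector: entries are (type, lba_start, sectors) tuples."""
    sector = bytearray(MBR_SIZE)
    struct.pack_into("<I", sector, SIG_OFFSET, disk_signature)
    for i, (ptype, lba_start, sectors) in enumerate(entries):
        off = PART_TABLE_OFFSET + 16 * i
        sector[off] = 0x80 if i == 0 else 0x00   # mark the first entry active
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, lba_start, sectors)
    sector[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:      # raw dd-style image or block device
            sector = fh.read(MBR_SIZE)
    else:                                         # constructed demo: Linux-only disk, stray signature
        sector = build_mbr(0x1A2B3C4D, [(0x83, 2048, 2_000_000), (0x82, 2_002_048, 500_000)])
    info = parse_mbr(sector)
    print(f"disk signature: {info['disk_signature']:08X}")
    for p in info["partitions"]:
        print(f"  entry {p['index']}: type 0x{p['type']:02X} lba {p['lba_start']} sectors {p['sectors']}")
    print(assess(info))
```

Run it against the first 512 bytes of a forensic image (`python mbr_check.py image.dd`). A signature by itself proves nothing, as the thread says; the script only turns "is there one, and should there be one" into a repeatable check.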
(@jako822)
Posts: 5
Active Member
 

You may also check what is in the swap partition if an ext-filesystem-formatted HD with a Linux distro installed is luckily present in the machine you want to investigate. Some live CD distros may use it.

 
Posted : 05/12/2012 3:31 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Your answers would imply that there is no way to determine this via digital forensic methods?

I'm sure that if you reason through your question, you'll see why that is…

If a user inserts a CD into the CD Device and boots off of it, most bootable distros that I'm aware of will create a swap partition in RAM, in addition to loading the entire OS in RAM.

As such, what artifacts would you expect to see?

 
Posted : 05/12/2012 5:08 pm
(@digitalcoroner)
Posts: 46
Eminent Member
Topic starter
 

Would there be anything in pagefile.sys (this is a windows machine)?

Also, where should I look to determine if the user used this machine to burn the CD or viewed its contents prior to booting into it?

 
Posted : 05/12/2012 6:47 pm
(@widgit)
Posts: 11
Active Member
 

You won't get anything from the page file from a suspect booting into the live environment (it doesn't touch the disk, remember?).

You'd be lucky to see any "burning artefacts" within the page file, but you could get lucky.

I'd run a keyword search over the whole disk for the iso/cue/image name; you might get hits within recent files/jump lists or burning packages/logs etc., then go from there.

I take it your suspect has been accused of using a live CD to perform an action. Did they have a live CD in their possession or just the image? If they are using a live CD, they seem pretty switched on with technology.

If you had the router the suspect used, it's possible you'd see the machine's MAC address connect to it, assuming they didn't have the presence of mind to spoof it.

Hope this helps, Good luck.

 
Posted : 05/12/2012 7:09 pm
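widgit's whole-disk keyword search is the one step in this thread that does produce artefacts on the Windows side, and the detail that matters is encoding: on a Windows host the image name sits in MFT file-name attributes, LNK files, jump lists and registry MRU values as UTF-16LE, so a search for the ASCII form alone misses most of it. The script below is an added example written for this thread (not any poster's code); it sweeps a raw image in chunks with an overlap so a name straddling a chunk boundary is still found, matches the term case-insensitively in both ASCII and UTF-16LE, and reports each hit with its byte offset and a printable context. The image bytes and the file name are constructed for the demo.

```python
"""Whole-disk keyword search for an image-file name in ASCII and UTF-16LE.

Added example for the thread above, not the forum's or any poster's code.
The sample image and the file name "Linux-Live.iso" are constructed.
"""


def patterns_for(term: str) -> list:
    """Lower-cased byte patterns for a term in the two encodings Windows uses."""
    return [(term, "ascii", term.encode("ascii").lower()),
            (term, "utf-16le", term.encode("utf-16-le").lower())]


def render_context(raw: bytes, encoding: str) -> str:
    """Printable rendering of surrounding bytes; UTF-16LE high bytes are dropped."""
    if encoding == "utf-16le":
        raw = raw.replace(b"\x00", b"")
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


def search_image(data: bytes, terms, chunk_size: int = 1 << 20, context: int = 24) -> list:
    """Return hits as dicts {offset, term, encoding, context}, sorted by offset.

    Chunks overlap by (longest pattern - 1) bytes; a hit that starts inside the
    overlap is left for the next chunk so nothing is found twice or missed.
    bytes.lower() only folds ASCII letters, which is exactly what is needed for
    the UTF-16LE form of an ASCII file name (letter byte followed by 0x00).
    """
    patterns = [p for term in terms for p in patterns_for(term)]
    overlap = max(len(pat) for _, _, pat in patterns) - 1
    hits = []
    pos = 0
    while pos < len(data):
        chunk = data[pos: pos + chunk_size + overlap].lower()
        for term, enc, pat in patterns:
            start = 0
            while True:
                idx = chunk.find(pat, start)
                if idx == -1:
                    break
                abs_off = pos + idx
                if abs_off < pos + chunk_size:          # belongs to this chunk
                    ctx = data[max(0, abs_off - context): abs_off + len(pat) + context]
                    hits.append({"offset": abs_off, "term": term, "encoding": enc,
                                 "context": render_context(ctx, enc)})
                start = idx + 1
        pos += chunk_size
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_image() -> bytes:
    """Constructed 3 MiB image with the name planted in ASCII and UTF-16LE."""
    name = "Linux-Live.iso"
    img = bytearray(3 << 20)
    ascii_rec = b"D:\\burn\\" + name.encode("ascii") + b"\x00"
    utf16_rec = ("C:\\Users\\bob\\Downloads\\" + name).encode("utf-16-le")
    img[4096:4096 + len(ascii_rec)] = ascii_rec
    # Second record placed so the UTF-16LE name straddles the 1 MiB chunk boundary
    pos = (1 << 20) - 56
    img[pos:pos + len(utf16_rec)] = utf16_rec
    pos = (2 << 20) + 777
    img[pos:pos + len(utf16_rec)] = utf16_rec
    return bytes(img)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 2:
        with open(sys.argv[1], "rb") as fh:       # raw image; read fully for simplicity
            image = fh.read()
        terms = sys.argv[2:]
    else:
        image, terms = build_sample_image(), ["linux-live.iso"]
    for h in search_image(image, terms):
        print(f"{h['offset']:#012x} {h['encoding']:<8} {h['context']}")
```

Usage: `python image_grep.py disk.dd linux-live.iso rescue.cue`. For a multi-gigabyte image, swap the `fh.read()` for a loop that reads `chunk_size + overlap` bytes at a time and passes the running offset in; the matching logic does not change. Offsets map back to files through the filesystem (which cluster, which MFT record) and that is where the "recent files / jump lists" interpretation happens.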
(@digitalcoroner)
Posts: 46
Eminent Member
Topic starter
 

The workstation was found booted into the Live CD.

Thanks for the tips.

 
Posted : 05/12/2012 7:12 pm