find out if user booted from CD
Re: find out if user booted from CD
Posted: Wed Dec 05, 2012 10:28 am
I'm trying to determine if the workstation was used to download/burn the Live CD.
-
digitalcoroner - Member
Re: find out if user booted from CD
Posted: Wed Dec 05, 2012 10:46 am
The only other thing that comes to mind is to search for text from the disc, maybe a ReadMe file and search for unique phrases across the exhibits. You might get lucky and find the files within unallocated.
-

Widgit - Member
-
digitalcoroner - Member
Re: find out if user booted from CD
Posted: Thu Dec 06, 2012 4:42 am
- digitalcoroner: I'm trying to determine if the workstation was used to download/burn the Live CD.
The first thing that comes to mind is carving the hard drive for a disk image (shouldn't be much of a problem especially if you know exactly what size and format the CD image was in). In addition, you can carve pagefile.sys or volatile memory dump for some content from that Live CD.
_________________
Digital Evidence Extraction Software
belkasoft.com
-

Belkasoft - Senior Member
Re: find out if user booted from CD
Posted: Thu Dec 06, 2012 4:58 am
Do you mean manually carving? If yes, would you have an example on how to do this?
-
digitalcoroner - Member
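An added example, not part of the original thread, of the carving approach suggested above: it scans a raw image for the ISO 9660 primary volume descriptor and reads the image size and volume label from it. The function names and the sample "disk" are constructed for illustration, and the code assumes the CD image was stored contiguously.

```python
import struct

SECTOR = 2048                      # ISO 9660 logical sector size
PVD_OFFSET = 16 * SECTOR           # primary volume descriptor sits at sector 16
SIGNATURE = b"\x01CD001\x01"       # descriptor type 1, standard id, version 1

def build_sample_iso(label, blocks):
    """Constructed test data: an empty image with only the descriptor filled in."""
    pvd = bytearray(SECTOR)
    pvd[0:7] = SIGNATURE
    pvd[40:72] = label.encode("ascii").ljust(32)                          # volume identifier
    pvd[80:88] = struct.pack("<I", blocks) + struct.pack(">I", blocks)    # volume space size
    pvd[128:132] = struct.pack("<H", SECTOR) + struct.pack(">H", SECTOR)  # block size
    return bytes(PVD_OFFSET) + bytes(pvd) + bytes((blocks - 17) * SECTOR)

def find_iso_candidates(data, align=512):
    """Return offset, size and label of every plausible ISO 9660 image in data."""
    hits = []
    pos = data.find(SIGNATURE)
    while pos != -1:
        start, pvd = pos - PVD_OFFSET, data[pos:pos + SECTOR]
        if start >= 0 and start % align == 0 and len(pvd) == SECTOR:
            blocks_le = struct.unpack("<I", pvd[80:84])[0]
            blocks_be = struct.unpack(">I", pvd[84:88])[0]
            block_size = struct.unpack("<H", pvd[128:130])[0]
            # Sizes are stored in both byte orders; a mismatch means a stray signature.
            if blocks_le == blocks_be and blocks_le > 16 and block_size in (512, 1024, 2048):
                size = blocks_le * block_size
                hits.append({
                    "offset": start,
                    "size": size,
                    "volume_id": pvd[40:72].decode("ascii", "replace").strip(),
                    "complete": start + size <= len(data),  # False if the image is cut off
                })
        pos = data.find(SIGNATURE, pos + 1)
    return hits

def demo():
    """Constructed 'disk': zeroed sectors, one image, then a stray signature."""
    iso = build_sample_iso("EXAMPLE_LIVE_CD", 40)
    decoy = SIGNATURE + bytes(range(200))
    disk = bytes(512 * 100) + iso + bytes(512 * 3) + decoy + bytes(4096)
    return find_iso_candidates(disk)

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

On a real exhibit, pass an `mmap` of the raw image rather than reading it into memory. A hit only shows that the header survives; a fragmented or partly overwritten image will not carve cleanly from offset and size alone.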
Re: find out if user booted from CD
Posted: Thu Dec 06, 2012 9:51 am
If the machine was booted with a CD on a network (home or work), and it received its IP address dynamically, you could examine the DHCP log files on the server or home router. (Most boot CDs that I've used are set to automatically get their IP addresses from the network DHCP server.)
The giveaway that it was a boot CD would be finding an entry with the workstation MAC address, but a different Machine Name than the workstation normally has. You may even be able to tie the machine name to the boot CD distro if you're lucky.
-

erowe - Senior Member
-
digitalcoroner - Member
















