find out if user booted from CD


Re: find out if user booted from CD

Post Posted: Wed Dec 05, 2012 10:28 am

I'm trying to determine if the workstation was used to download/burn the Live CD.

digitalcoroner
Member
 
 
  

Re: find out if user booted from CD

Post Posted: Wed Dec 05, 2012 10:46 am

The only other thing that comes to mind is to search for text from the disc, maybe a ReadMe file and search for unique phrases across the exhibits. You might get lucky and find the files within unallocated.

Widgit
Member
 
 
  

Re: find out if user booted from CD

Post Posted: Wed Dec 05, 2012 10:58 am

That's a great idea, thanks.  

digitalcoroner
Member
 
 
  

Re: find out if user booted from CD

Post Posted: Thu Dec 06, 2012 4:42 am

- digitalcoroner
I'm trying to determine if the workstation was used to download/burn the Live CD.

The first thing that comes to mind is carving the hard drive for a disk image (shouldn't be much of a problem especially if you know exactly what size and format the CD image was in). In addition, you can carve pagefile.sys or a volatile memory dump for some content from that Live CD.
_________________
Digital Evidence Extraction Software
belkasoft.com 

Belkasoft
Senior Member
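
Added example, not part of the original posts: one way to carve a raw disk image for a downloaded CD image, assuming the Live CD was an ISO 9660 file stored contiguously and starting on a 512-byte sector boundary. The function names and the sample volume label are hypothetical; the sample "disk" is constructed for the demonstration.

```python
import struct

SECTOR = 2048             # ISO 9660 logical sector size
PVD_SECTOR = 16           # volume descriptors start at sector 16 of the image
MAGIC = b"\x01CD001\x01"  # Primary Volume Descriptor: type 1, "CD001", version 1


def both_endian(buf, off, fmt):
    """Read an ISO 9660 both-endian field; None if the LE and BE copies differ."""
    size = struct.calcsize("<" + fmt)
    le = struct.unpack_from("<" + fmt, buf, off)[0]
    be = struct.unpack_from(">" + fmt, buf, off + size)[0]
    return le if le == be else None


def find_iso_images(data, align=512):
    """Return (start_offset, size_bytes, volume_id) for each plausible ISO image."""
    hits = []
    pos = data.find(MAGIC)
    while pos != -1:
        start = pos - PVD_SECTOR * SECTOR  # image begins 16 sectors before the PVD
        pvd = data[pos:pos + SECTOR]
        if start >= 0 and start % align == 0 and len(pvd) == SECTOR:
            blocks = both_endian(pvd, 80, "I")       # volume space size (blocks)
            block_size = both_endian(pvd, 128, "H")  # logical block size (bytes)
            # A stray "CD001" string fails these consistency checks.
            if blocks and block_size in (512, 1024, 2048):
                vol_id = pvd[40:72].decode("ascii", "replace").strip()
                hits.append((start, blocks * block_size, vol_id))
        pos = data.find(MAGIC, pos + 1)
    return hits


def build_sample():
    """Constructed input: a fake disk with one ISO header and one decoy hit."""
    pvd = bytearray(SECTOR)
    pvd[0:7] = MAGIC
    pvd[40:72] = b"LIVECD_SAMPLE".ljust(32)
    pvd[80:88] = struct.pack("<I", 350000) + struct.pack(">I", 350000)
    pvd[128:132] = struct.pack("<H", 2048) + struct.pack(">H", 2048)
    decoy = bytearray(SECTOR)
    decoy[0:7] = MAGIC
    decoy[80:84] = struct.pack("<I", 1234)  # big-endian copy missing: rejected
    return bytes(bytearray(100 * 512) + bytearray(PVD_SECTOR * SECTOR) + pvd
                 + bytearray(4096) + decoy)


if __name__ == "__main__":
    for start, size, vol_id in find_iso_images(build_sample()):
        print(f"ISO at offset {start}, {size} bytes, volume id {vol_id!r}")
```

The reported size can be compared with the known size of the suspected Live CD image, and the volume identifier with the label on the distribution's ISO.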
 
 
  

Re: find out if user booted from CD

Post Posted: Thu Dec 06, 2012 4:58 am

Do you mean manually carving? If yes, would you have an example on how to do this?  

digitalcoroner
Member
 
 
  

Re: find out if user booted from CD

Post Posted: Thu Dec 06, 2012 9:51 am

If the machine was booted with a CD on a network (home or work), and it received its IP address dynamically, you could examine the DHCP log files on the server or home router. (Most boot CDs that I've used are set to automatically get their IP addresses from the network DHCP server.)

The giveaway that it was a boot CD would be finding an entry with the workstation MAC address, but a different Machine Name than the workstation normally has. You may even be able to tie the machine name to the boot CD distro if you're lucky.

erowe
Senior Member
 
 
  

Re: find out if user booted from CD

Post Posted: Thu Dec 06, 2012 10:21 am

Excellent tip, thank you!  

digitalcoroner
Member
 
 