find out if user booted from CD
Posted: Mon Dec 03, 2012 7:10 am
How can I find out if a user booted their computer from a CD?
-
digitalcoroner - Member
Re: find out if user booted from CD
Posted: Mon Dec 03, 2012 8:31 am
1. Ask them.
2. Ask others around them.
3. Check the video.
-

keydet89 - Senior Member
Re: find out if user booted from CD
Posted: Mon Dec 03, 2012 8:49 am
- keydet89:
1. Ask them.
2. Ask others around them.
I would add "nicely"
jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -
-

jaclaz - Senior Member
Re: find out if user booted from CD
Posted: Wed Dec 05, 2012 4:10 am
Your answers would imply that there is no way to determine this via digital forensic methods?
asking-the-user method doesn't work very well.
-
digitalcoroner - Member
Re: find out if user booted from CD
Posted: Wed Dec 05, 2012 4:38 am
- digitalcoroner:
Your answers would imply that there is no way to determine this via digital forensic methods?
asking-the-user method doesn't work very well.
Well, a bootable CD normally completely by-passes each and every hard disk on the PC during the booting phase, so it leaves no traces whatever.
What you may find (in particular situations) is:
- that the BIOS of the PC was set to boot from CD before booting from internal HD (but this means nothing as this is a common enough setting and a number of modern BIOS offer a F11 or F12 option to change boot order on the fly, so besides being unlikely that you find this, the finding wouldn't be conclusive at all)
- if the PC was using Linux and on it no NT system was ever booted, that there is a disk signature in the MBR
- if the user used the booted CD to perform some particular operation on the filesystem or on files that the "resident" OS would be incapable of or "normally" does not perform (are you familiar with needles and haystacks?); this is a generalization of point #2 above
jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -
-

jaclaz - Senior Member
Re: find out if user booted from CD
Posted: Wed Dec 05, 2012 5:31 am
You may also check what is in the swap partition if an ext file system formatted HD with a Linux distro installed is luckily present in the machine you want to investigate. Some live CD distros may use it.
-

jako822 - Newbie
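The MBR disk signature and swap partition leads raised in the two posts above can both be read from the first sector of a disk image. The following is an added example, not part of the original thread; the function names and the sample sector are constructed for illustration, and a hit is only a lead to follow up, not proof of a CD boot.

```python
import struct

SECTOR = 512
LINUX_TYPES = {0x82: "Linux swap", 0x83: "Linux"}  # MBR partition type bytes

def parse_mbr(sector0: bytes) -> dict:
    """Return the disk signature and the non-empty partition entries."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR (missing 0x55AA boot signature)")
    # 4-byte disk signature at offset 0x1B8; NT-family Windows writes it,
    # and some partitioning tools set it too, so it is not conclusive alone
    (disk_sig,) = struct.unpack_from("<I", sector0, 0x1B8)
    parts = []
    for i in range(4):  # four 16-byte entries starting at offset 0x1BE
        entry = sector0[0x1BE + 16 * i : 0x1BE + 16 * (i + 1)]
        ptype = entry[4]
        start_lba, sectors = struct.unpack_from("<II", entry, 8)
        if ptype:
            parts.append({"index": i, "type": ptype,
                          "start_lba": start_lba, "sectors": sectors})
    return {"disk_signature": disk_sig, "partitions": parts}

def review(sector0: bytes) -> dict:
    """Flag the two leads from the thread for an examiner to follow up."""
    mbr = parse_mbr(sector0)
    types = {p["type"] for p in mbr["partitions"]}
    linux_only = bool(types) and types <= set(LINUX_TYPES)
    return {
        "disk_signature": f"{mbr['disk_signature']:08X}",
        # Lead 1: signature present although only Linux partitions exist
        "signature_on_linux_only_disk": linux_only and mbr["disk_signature"] != 0,
        # Lead 2: swap partitions a live CD might have used (examine contents)
        "swap_partitions": [p for p in mbr["partitions"] if p["type"] == 0x82],
    }

def build_sample_mbr(disk_sig: int) -> bytes:
    """Constructed test sector: one Linux (0x83) and one swap (0x82) partition."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<I", mbr, 0x1B8, disk_sig)
    for i, (ptype, start, count) in enumerate([(0x83, 2048, 409600),
                                               (0x82, 411648, 8192)]):
        struct.pack_into("<B3xB3xII", mbr, 0x1BE + 16 * i, 0, ptype, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

if __name__ == "__main__":
    print(review(build_sample_mbr(0x1A2B3C4D)))  # signature set on Linux-only disk
    print(review(build_sample_mbr(0)))           # no signature
```

On a real case, pass the first 512 bytes of a write-blocked image to `review()`; the `start_lba` of each swap entry tells you where to carve the swap contents for examination.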
Re: find out if user booted from CD
Posted: Wed Dec 05, 2012 7:08 am
- digitalcoroner:
Your answers would imply that there is no way to determine this via digital forensic methods?
I'm sure that if you reason through your question, you'll see why that is...
If a user inserts a CD into the CD Device and boots off of it, most bootable distros that I'm aware of will create a swap partition in RAM, in addition to loading the entire OS in RAM.
As such, what artifacts would you expect to see?
-

keydet89 - Senior Member
















