find out if user booted from CD


Re: find out if user booted from CD

Posted: Thu Dec 06, 2012 4:15 pm

- digitalcoroner
I'm trying to determine if the workstation was used to download/burn the Live CD.


Such things are usually downloaded as an ISO file, so check for such files within the active file system, as well as unallocated space.

Depending upon the version of Windows, I'd check the RecentDocs and ComDlg32 Registry keys for the user, as well as Jump Lists. Also check the download history for any browsers used via the user account.  

keydet89
Senior Member

Re: find out if user booted from CD

Posted: Mon Dec 10, 2012 1:33 pm

- digitalcoroner
Do you mean manually carving? If yes, would you have an example of how to do this?

Search the disk in a hex editor (especially in unallocated areas) for signatures characteristic of ISO boot images. I can't give you an example, but you can download several bootable ISO images and quickly discover what they all have in common.
_________________
Digital Evidence Extraction Software
belkasoft.com 

Belkasoft
Senior Member
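The signature search Belkasoft describes, applied to the unallocated-space check keydet89 mentions earlier in the thread, as an added example that is not code from either poster. The signature it keys on is the one every ISO 9660 image carries: the volume descriptor set at sector 16 (byte offset 32768 into the image), each descriptor starting with a type byte, the standard identifier "CD001" and a version byte; bootable images add a boot record descriptor (type 0) whose boot system identifier is "EL TORITO SPECIFICATION". Those offsets and the sample "unallocated space" at the bottom are assumptions and constructed data, respectively; the layout matches the ISO 9660 and El Torito specifications but is not taken from the thread.

```python
"""Scan a raw disk image or an unallocated-space dump for ISO 9660 volume
descriptors and report which hits also carry an El Torito boot record.

Added example for this thread, not code from any poster. Assumptions: the
standard ISO 9660 layout (2048-byte logical sectors, volume descriptor set
starting at sector 16, i.e. byte offset 32768 into the image, every
descriptor carrying the "CD001" standard identifier) and the El Torito boot
record's "EL TORITO SPECIFICATION" boot system identifier. The sample data at
the bottom is constructed, not a real image.
"""
import struct
from dataclasses import dataclass

SECTOR = 2048
DESCRIPTOR_SET = 16 * SECTOR                 # first volume descriptor sits at sector 16
STD_ID = b"CD001"                            # present in every volume descriptor
EL_TORITO = b"EL TORITO SPECIFICATION"       # boot system identifier of a boot record
PVD_NEEDLE = b"\x01" + STD_ID + b"\x01"      # type 1 (primary), "CD001", version 1


@dataclass
class IsoCandidate:
    image_start: int   # where the .iso would begin; negative = head lies before the scanned data
    volume_id: str     # volume identifier from the PVD, trailing spaces trimmed
    volume_size: int   # bytes, from the PVD volume space size (given in sectors)
    bootable: bool     # an El Torito boot record descriptor follows the PVD


def find_iso_candidates(data: bytes) -> list[IsoCandidate]:
    """Locate every primary volume descriptor in `data` and describe the image around it."""
    found = []
    pos = data.find(PVD_NEEDLE)
    while pos != -1:
        pvd = data[pos:pos + SECTOR]
        if len(pvd) >= 88:                   # skip a hit truncated by the end of the data
            volume_id = pvd[40:72].decode("ascii", "replace").rstrip()
            # volume space size is stored both-endian at bytes 80..87; read the little-endian half
            sectors = struct.unpack_from("<I", pvd, 80)[0]
            found.append(IsoCandidate(pos - DESCRIPTOR_SET, volume_id,
                                      sectors * SECTOR, has_boot_record(data, pos)))
        pos = data.find(PVD_NEEDLE, pos + 1)
    return found


def has_boot_record(data: bytes, pvd_pos: int) -> bool:
    """Walk the descriptors after the PVD up to the set terminator (type 0xFF)
    and report whether one is a boot record (type 0x00) naming El Torito."""
    for i in range(1, 16):                   # descriptor sets are short; cap the walk
        d = data[pvd_pos + i * SECTOR:pvd_pos + (i + 1) * SECTOR]
        if len(d) < 7 or d[1:6] != STD_ID or d[0] == 0xFF:
            return False                     # left the descriptor set without a boot record
        if d[0] == 0x00 and d[7:7 + len(EL_TORITO)] == EL_TORITO:
            return True
    return False


def build_sample_image(volume_id: str, bootable: bool, data_sectors: int = 4) -> bytes:
    """Constructed minimal ISO 9660 image: 16 empty system sectors, a PVD, an
    optional El Torito boot record, the set terminator, then filler data."""
    total = 16 + 2 + int(bootable) + data_sectors

    def descriptor(dtype: int, body: bytes) -> bytes:
        return (bytes([dtype]) + STD_ID + b"\x01" + body).ljust(SECTOR, b"\x00")

    # PVD body: unused byte, system id (32), volume id (32), 8 unused, volume size both-endian
    pvd = descriptor(0x01, b"\x00" + b"LINUX".ljust(32) + volume_id.encode().ljust(32)
                     + b"\x00" * 8 + struct.pack("<I", total) + struct.pack(">I", total))
    # boot record body: boot system id (32), boot id (32), pointer to the boot catalog
    boot = descriptor(0x00, EL_TORITO.ljust(32, b"\x00") + b"\x00" * 32 + struct.pack("<I", 19))
    terminator = descriptor(0xFF, b"")
    image = b"\x00" * DESCRIPTOR_SET + pvd + (boot if bootable else b"") + terminator
    return image + b"\xAA" * (data_sectors * SECTOR)


# Constructed "unallocated space": two deleted images separated by unrelated filler bytes.
UNALLOCATED = (b"\x11" * 5000
               + build_sample_image("UBUNTU-LIVE", bootable=True)
               + b"\x22" * 3000
               + build_sample_image("DATA-BACKUP", bootable=False))

if __name__ == "__main__":
    for c in find_iso_candidates(UNALLOCATED):
        print(f"offset {c.image_start}: volume '{c.volume_id}', "
              f"{c.volume_size} bytes, bootable={c.bootable}")
```

Against a real image, replace `UNALLOCATED` with the bytes of an unallocated-space export (or `mmap` the full dd image) and carve `volume_size` bytes from each `image_start`; a hit whose descriptor walk ends without a boot record is a data disc, not a live CD, which is the distinction the original question turns on.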

Re: find out if user booted from CD

Posted: Tue Jan 01, 2013 1:55 am

If you describe the live CD that was used (which Linux/Windows, which version), we might be able to guess the filename of the ISO.

Was it a CD or a DVD? Anyway, just sorting all files (including deleted ones) by size in reverse order will show you any big files that were present, and I doubt there are many files above a few hundred MB on the disk.

Once you locate the ISO (or IMG or similar), based on where it was stored (user dir) and when it was created (who was logged in at the time), you can link this action to a particular user account. Then, going outside DF, you have to confirm that this person was the only one who could feasibly have been present at that time slot at his machine.
Of course, don't forget that s/he can claim s/he did download it, but then someone else booted it.
_________________
Kalin KOZHUHAROV
LOC: Tokyo, JP 

kalin
Newbie
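The size-sorted sweep of all files, deleted ones included, that kalin describes, combined with keydet89's earlier advice to look for ISO files in the active file system and to tie them to a user account, as an added example that is not code from either poster. It works on a Sleuth Kit bodyfile (the `fls -r -m` listing format), which is an assumption about the examiner's tooling; the bodyfile lines, timestamps and paths below are constructed, not case data.

```python
"""Triage a Sleuth Kit bodyfile (as produced by `fls -r -m C:/ image.dd`) for
disc images that could have been downloaded and then burned: every entry,
deleted ones included, is checked for a disc image extension or an unusually
large size, the survivors are sorted by size in reverse, and each is tagged
with the user profile it sat in and its creation time.

Added example for this thread, not code from any poster. It assumes the TSK 3.x
bodyfile layout (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime,
times as Unix epoch seconds) and fls's habit of appending " (deleted)" or
" (deleted-realloc)" to the names of unallocated entries. The bodyfile below
is constructed, not taken from a real case.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

IMAGE_EXTENSIONS = (".iso", ".img", ".bin", ".nrg")
BIG_FILE_BYTES = 300 * 1024 * 1024     # live CDs are typically a few hundred MB
SKIP_NAMES = {"pagefile.sys", "hiberfil.sys", "swapfile.sys"}  # big by design, not downloads
PROFILE_RE = re.compile(r"(?:Users|Documents and Settings)/([^/]+)/", re.IGNORECASE)
DELETED_RE = re.compile(r"\s*\(deleted(?:-realloc)?\)$")


@dataclass
class Candidate:
    path: str
    size: int
    deleted: bool
    user: Optional[str]          # profile folder the file sat in, if any
    created: str                 # crtime as UTC ISO 8601
    reasons: list = field(default_factory=list)


def parse_bodyfile(text: str):
    """Yield (path, size, deleted, crtime) for each well-formed bodyfile line."""
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 11:
            continue                         # comment, blank or corrupt line
        name = fields[1]
        m = DELETED_RE.search(name)
        path = name[:m.start()] if m else name
        yield path, int(fields[6]), bool(m), int(fields[10])


def find_disc_images(bodyfile: str, min_size: int = BIG_FILE_BYTES) -> list:
    """Return candidate disc images, largest first, with the reason each was flagged."""
    out = []
    for path, size, deleted, crtime in parse_bodyfile(bodyfile):
        if path.rsplit("/", 1)[-1].lower() in SKIP_NAMES:
            continue
        reasons = []
        if path.lower().endswith(IMAGE_EXTENSIONS):
            reasons.append("disc image extension")
        if size >= min_size:
            reasons.append(f"size >= {min_size} bytes")
        if not reasons:
            continue
        m = PROFILE_RE.search(path)
        out.append(Candidate(path, size, deleted, m.group(1) if m else None,
                             datetime.fromtimestamp(crtime, timezone.utc).isoformat(),
                             reasons))
    out.sort(key=lambda c: c.size, reverse=True)
    return out


# Constructed bodyfile: one deleted live-CD ISO in a user's Downloads folder,
# an unrelated large video, a small floppy image, and ordinary system files.
BODYFILE = """\
0|C:/Users/jsmith/Downloads/ubuntu-12.04-desktop-i386.iso (deleted)|12345-128-1|r/rrwxrwxrwx|0|0|731906048|1354555200|1354550400|1354550400|1354546800
0|C:/Users/jsmith/Downloads/firefox-setup.exe|12346-128-1|r/rrwxrwxrwx|0|0|21453312|1354555200|1354550400|1354550400|1354550000
0|C:/Users/admin/Videos/holiday.mp4|22000-128-1|r/rrwxrwxrwx|0|0|402653184|1354555200|1354550400|1354550400|1350000000
0|C:/Windows/System32/ntoskrnl.exe|9000-128-1|r/rrwxrwxrwx|0|0|5583360|1354555200|1354550400|1354550400|1300000000
0|C:/pagefile.sys|8-128-1|r/rrwxrwxrwx|0|0|4294967296|1354555200|1354550400|1354550400|1300000000
0|C:/temp/boot.img|31000-128-1|r/rrwxrwxrwx|0|0|1474560|1354555200|1354550400|1354550400|1354547000
"""

if __name__ == "__main__":
    for c in find_disc_images(BODYFILE):
        flag = "DELETED" if c.deleted else "allocated"
        print(f"{c.size:>12}  {flag:<9}  user={c.user}  created={c.created}  {c.path}  [{', '.join(c.reasons)}]")
```

The `created` value is what you compare against logon records for the profile in `user`; as kalin notes, that only links the download to an account, and whether the same person later booted the disc is a question the file system cannot answer on its own.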

Page 4 of 4