find out if user booted from CD


Re: find out if user booted from CD

Posted: Wed Dec 05, 2012 1:47 pm

Would there be anything in pagefile.sys (this is a windows machine)?

Also, where should I look to determine if the user used this machine to burn the CD or viewed its contents prior to booting into it?  

digitalcoroner, Member

Re: find out if user booted from CD

Posted: Wed Dec 05, 2012 2:09 pm

You won't get anything from the page file from a suspect booting into the live environment (it doesn't touch the disk, remember).

You'd be lucky to see any "burning artefacts" within the page file; you could get lucky.

I'd run a keyword search over the whole disk for the iso/cue/image name; you might get hits within recent files/jump lists or burning packages/logs etc., then go from there.

I take it your suspect has been accused of using a live CD to perform an action. Did they have a live CD in their possession or just the image? If they are using a live CD, they seem pretty switched on with technology.

If you had the router the suspect used it's possible you'd see the machine's MAC address connect to it, assuming they didn't have the presence of mind to spoof it.

Hope this helps, good luck.

Widgit, Member
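Widgit's "keyword search over the whole disk" for the image name, as an added example that is not part of the thread and not any poster's code: a chunked scan of a raw image that looks for each keyword in both ASCII and UTF-16LE form (Windows writes recent-file names, jump list and registry MRU entries as UTF-16LE, so an ASCII-only search misses exactly the artefacts Widgit mentions) and carries a tail between chunks so a hit that straddles a chunk boundary is still reported. The image bytes and the name myLiveEnvironmentV2.iso are constructed for the demonstration.

```python
import io
import re


def keyword_offsets(image, keywords, chunk_size=1 << 20):
    """Scan a raw disk image (a binary file-like object) for each keyword in
    both ASCII and UTF-16LE form, case-insensitively, reading it in chunks so
    an image of any size fits in memory.
    Returns a sorted list of (absolute offset, keyword, encoding)."""
    patterns = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            patterns.append((kw, enc, re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)))
    # Longest possible match minus one byte: that many bytes are carried over
    # from one chunk to the next so a keyword crossing the boundary is found.
    overlap = max(len(kw.encode("utf-16-le")) for kw in keywords) - 1

    hits = set()   # a set: a hit lying entirely inside the carried tail is seen twice
    tail = b""
    base = 0       # absolute image offset of buf[0]
    while True:
        chunk = image.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk
        for kw, enc, pat in patterns:
            for m in pat.finditer(buf):
                hits.add((base + m.start(), kw, enc))
        keep = min(overlap, len(buf))
        tail = buf[len(buf) - keep:]
        base += len(buf) - keep
    return sorted(hits)


def build_sample_image(chunk_size):
    """Constructed stand-in for a disk image: zeros except for the image name
    once as ASCII (as a burning tool's log might hold it) and once as UTF-16LE
    in different case, placed so that it crosses the first chunk boundary."""
    name = "myLiveEnvironmentV2.iso"
    img = bytearray(2 * chunk_size + 512)
    ascii_name = name.encode("ascii")
    img[100:100 + len(ascii_name)] = ascii_name
    wide_name = "MYLIVEENVIRONMENTV2.ISO".encode("utf-16-le")
    start = chunk_size - 10
    img[start:start + len(wide_name)] = wide_name
    return bytes(img)


def scan_sample(chunk_size=4096):
    """Run the scan over the constructed image with a small chunk size so the
    boundary-crossing case is actually exercised."""
    image = io.BytesIO(build_sample_image(chunk_size))
    return keyword_offsets(image, ["myLiveEnvironmentV2.iso"], chunk_size=chunk_size)


if __name__ == "__main__":
    for offset, kw, enc in scan_sample():
        print(f"0x{offset:08x}  {enc:<9}  {kw}")
```

Against a real image, open the file (or block device) in binary mode and pass it in; the UTF-16LE hit offsets are the ones worth following into $MFT records, LNK files and the NTUSER.DAT MRU keys, since those are the artefacts that tie the name to a user profile.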

Re: find out if user booted from CD

Posted: Wed Dec 05, 2012 2:12 pm

The workstation was found booted into the Live CD.

Thanks for the tips.  

digitalcoroner, Member

Re: find out if user booted from CD

Posted: Wed Dec 05, 2012 2:25 pm

Ah ok, that changes things slightly. Did you get a live acquisition? The majority of your material would want to have been grabbed at seizure/discovery of the live environment. You'll lose your best evidence once the power cable is pulled.

If the machine was found running a live CD, the "Did the suspect run the disc" is almost a given? Is it just a matter of confirming which machine created the disc? Have you got the same version of live environment within the image and on the disc? That goes some way towards evidence.

If for example myLiveEnvironmentV2.iso was found, do the file hashes match those on the seized disc, or is the CD image out of date?

Were they using the live CD in conjunction with a storage medium? Maybe USB, SD card? If these were discounted as useless/empty/corrupted at first glance I'd be trying to check for encryption containers on them.

Widgit, Member
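The hash comparison Widgit suggests between a myLiveEnvironmentV2.iso found on the workstation and the seized disc, as an added example that is not from the thread and not any poster's code. Hashing the whole .iso file against a whole dd of the disc fails whenever the dump carries run-out padding or stops short at the lead-out, so the code instead reads the ISO 9660 Primary Volume Descriptor at sector 16 and hashes exactly the volume size it declares. The PVD also carries the volume label, the application that mastered the image and the creation timestamp, which is what separates "the same image" from "the same distribution downloaded or re-mastered on another date". The images, labels and the tool name below are constructed for the demonstration.

```python
import hashlib
import struct

SECTOR = 2048               # ISO 9660 logical sector size
PVD_OFFSET = 16 * SECTOR    # sectors 0-15 are the system area; descriptors start at sector 16


def parse_pvd(image: bytes) -> dict:
    """Pull the Primary Volume Descriptor fields that identify a mastering run:
    volume label, the application that built the image, the creation timestamp
    and the declared volume size. Raises ValueError if sector 16 is not a PVD."""
    pvd = image[PVD_OFFSET:PVD_OFFSET + SECTOR]
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no ISO 9660 primary volume descriptor at sector 16")

    def text(start, end):
        return pvd[start:end].decode("ascii", "replace").rstrip()

    blocks = struct.unpack_from("<I", pvd, 80)[0]        # volume space size, little-endian half
    block_size = struct.unpack_from("<H", pvd, 128)[0]   # logical block size, little-endian half
    return {
        "volume_id": text(40, 72),
        "application_id": text(574, 702),
        "created": text(813, 829),   # YYYYMMDDHHMMSScc in local time; byte 829 is the tz offset
        "volume_bytes": blocks * block_size,
    }


def volume_hash(image: bytes) -> str:
    """SHA-256 over exactly the bytes the PVD declares as the volume, so that
    run-out sectors appended by a disc dump do not spoil the comparison."""
    size = parse_pvd(image)["volume_bytes"]
    if len(image) < size:
        raise ValueError(f"image holds {len(image)} bytes but the PVD declares {size}")
    return hashlib.sha256(image[:size]).hexdigest()


def compare(iso_image: bytes, disc_image: bytes) -> dict:
    """Compare an .iso found on the workstation with a raw dump of the seized disc."""
    return {
        "pvd_match": parse_pvd(iso_image) == parse_pvd(disc_image),
        "volume_hash_match": volume_hash(iso_image) == volume_hash(disc_image),
        "disc_trailing_bytes": len(disc_image) - parse_pvd(disc_image)["volume_bytes"],
    }


def build_sample_iso(volume_id: str, created: str, app_id: str, blocks: int = 24) -> bytes:
    """Constructed minimal ISO 9660 image: a PVD, a descriptor set terminator and
    data sectors filled with a fixed pattern. Not bootable; enough for the parser."""
    assert len(created) == 16
    img = bytearray(blocks * SECTOR)
    pvd = bytearray(SECTOR)
    pvd[0] = 1                                   # descriptor type 1 = primary
    pvd[1:6] = b"CD001"
    pvd[6] = 1
    pvd[40:72] = volume_id.encode("ascii")[:32].ljust(32)
    struct.pack_into("<I", pvd, 80, blocks)      # both-endian field: LE copy ...
    struct.pack_into(">I", pvd, 84, blocks)      # ... followed by the BE copy
    struct.pack_into("<H", pvd, 128, SECTOR)
    struct.pack_into(">H", pvd, 130, SECTOR)
    pvd[574:702] = app_id.encode("ascii")[:128].ljust(128)
    pvd[813:829] = created.encode("ascii")
    img[PVD_OFFSET:PVD_OFFSET + SECTOR] = pvd
    term = bytearray(SECTOR)
    term[0] = 255                                # volume descriptor set terminator
    term[1:6] = b"CD001"
    term[6] = 1
    img[PVD_OFFSET + SECTOR:PVD_OFFSET + 2 * SECTOR] = term
    for s in range(18, blocks):
        img[s * SECTOR:(s + 1) * SECTOR] = bytes([s]) * SECTOR
    return bytes(img)


def demo() -> dict:
    """Same master burned faithfully (dump has two run-out sectors) versus the
    same label re-mastered on a later date."""
    iso = build_sample_iso("MYLIVEENV_V2", "2012120109300000", "EXAMPLE AUTHORING TOOL 1.0")
    faithful_burn = iso + b"\x00" * (2 * SECTOR)
    remastered = build_sample_iso("MYLIVEENV_V2", "2012120418150000", "EXAMPLE AUTHORING TOOL 1.0")
    return {"same_master": compare(iso, faithful_burn), "remastered": compare(iso, remastered)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

On a real disc the dump comes from something like `dd if=/dev/sr0 of=disc.img bs=2048` (or a forensic imager with error handling), and a matching volume hash is the strong result; matching PVD fields with a different hash means the same mastering run was not used and is worth reporting as such rather than as "a match".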

Re: find out if user booted from CD

Posted: Wed Dec 05, 2012 2:27 pm

- digitalcoroner
> Would there be anything in pagefile.sys (this is a windows machine)?

No.
As a matter of fact, IF the booted CD was this one:
reboot.pro/topic/3890-...ct-etboot/
then maybe, IF it was badly built and it crashed, it could have made use of the internal hard disk's pagefile.sys.
But probabilities are like 12.37 zillions to 1 against, or very, very low.

- digitalcoroner
> Also, where should I look to determine if the user used this machine to burn the CD or viewed its contents prior to booting into it?

In the usual places: recently opened files, setupapi.log and/or USBSTOR related keys in the Registry (if the CD burner was an "external" one), etc.

- digitalcoroner
> The workstation was found booted into the Live CD.

Good, then WHY would you want to determine if it was booted from the live CD "with forensic methods"?
(you already know from direct experience this kind of info)
WHAT was the booted CD?
A Linux distro, a PE of some kind, a DOS bootdisk, etc., etc.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -

jaclaz, Senior Member
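jaclaz's pointer to setupapi.log and the USBSTOR keys for an external burner, as an added example that is not part of the thread and not any poster's code: a parser for the Vista-and-later setupapi.dev.log that extracts the Device Install sections and filters them on the USBSTOR enumerator, so an external USB drive's installation time, exit status and device instance path can be read off. The instance path is the same string that forms the key path under the SYSTEM hive's Enum\USBSTOR, which is how the log line is tied to the registry key jaclaz mentions. A section is written when Windows first installs that device instance, so it gives the earliest connection, not every connection. The log text below is constructed; the XP-era setupapi.log uses a different one-line-per-event layout that these patterns do not handle.

```python
import re
from datetime import datetime

# Section markers of setupapi.dev.log (Windows Vista and later).
HEADER = re.compile(r"^>>>\s+\[Device Install \((?P<kind>[^)]+)\) - (?P<instance>.+?)\]\s*$")
START = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
END = re.compile(r"^<<<\s+Section end (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
STATUS = re.compile(r"^<<<\s+\[Exit status: (?P<status>[^\]]+)\]")

# Constructed sample: a generic USB device, then a USB DVD writer, then an
# unrelated driver-package section that the parser must ignore.
SAMPLE_LOG = r"""[Device Install Log]
     OS Version = 6.1.7601
     Service Pack = 1.0

>>>  [Device Install (Hardware initiated) - USB\VID_1234&PID_5678\7&ab12cd34&0&1]
>>>  Section start 2012/12/03 21:13:58.101
     cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
     dvi: {Build Driver List} 21:13:58.210
<<<  Section end 2012/12/03 21:14:04.877
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\CdRom&Ven_EXAMPLE&Prod_USB_DVDRW&Rev_1.00\7&ab12cd34&0&000000000000&0]
>>>  Section start 2012/12/03 21:14:05.123
     cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
     dvi: {Build Driver List} 21:14:05.456
     dvi: {DIF_INSTALLDEVICE} 21:14:06.002
<<<  Section end 2012/12/03 21:14:07.890
<<<  [Exit status: SUCCESS]

>>>  [Setup Import Driver Package - C:\Windows\inf\cdrom.inf]
>>>  Section start 2012/12/03 21:14:05.300
<<<  Section end 2012/12/03 21:14:05.310
<<<  [Exit status: SUCCESS]
"""


def parse_ts(ts: str) -> datetime:
    """Log timestamps are local time of the machine that wrote the log."""
    return datetime.strptime(ts, "%Y/%m/%d %H:%M:%S.%f")


def device_installs(log_text: str, enumerator: str = None) -> list:
    """One record per Device Install section; optionally only instance paths
    under the given enumerator (e.g. "USBSTOR")."""
    records, current = [], None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"kind": m["kind"], "instance": m["instance"],
                       "start": None, "end": None, "status": None}
            continue
        if current is None:
            continue
        if m := START.match(line):
            current["start"] = parse_ts(m["ts"])
        elif m := END.match(line):
            current["end"] = parse_ts(m["ts"])
        elif m := STATUS.match(line):
            current["status"] = m["status"]
            records.append(current)
            current = None
    if enumerator:
        prefix = enumerator.upper() + "\\"
        records = [r for r in records if r["instance"].upper().startswith(prefix)]
    return records


def usb_storage_timeline(log_text: str = SAMPLE_LOG) -> list:
    """(instance path, install start, exit status) for every USBSTOR device, in time order."""
    recs = sorted(device_installs(log_text, "USBSTOR"), key=lambda r: r["start"])
    return [(r["instance"], r["start"].isoformat(sep=" ", timespec="milliseconds"), r["status"])
            for r in recs]


if __name__ == "__main__":
    for instance, started, status in usb_storage_timeline():
        print(started, status, instance)
```

Run it against `C:\Windows\inf\setupapi.dev.log` from the image; the start timestamp of the USBSTOR section is the one to set beside the LNK, jump list and MRU times found for the image name, and the "7&ab12cd34&0&..." instance suffix is what to look for under Enum\USBSTOR in the SYSTEM hive.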

Re: find out if user booted from CD

Posted: Wed Dec 05, 2012 2:47 pm

> If the machine was found running a live CD the "Did the suspect run the disc" is almost a given?

Not necessarily. User claims someone else booted the CD on his workstation. I'm looking for forensic evidence to show that the user booted the Live CD.

> Is it just a matter of confirming which machine created the disc? Have you got the same version of live environment within the image and on the disc? That goes some way towards evidence.

I think confirming that this machine also downloaded and/or created the image would confirm that the user booted the CD in their machine.

Yes, I have the Live CD but have not found an .iso on the machine.

> If for example myLiveEnvironmentV2.iso was found, do the file hashes match those on the seized disc, or is the cd image out of date?

I have not found the iso file on the workstation. Otherwise, yes, that's what I'd do next, run hashes.

> Were they using the live cd in conjunction with a storage medium? Maybe USB, SD card? If these were discounted as useless/empty/corrupted at first glance I'd be trying to check for encryption containers on them.

No external medium was found.

jaclaz,
I'm trying to connect a user or at least a user profile to the event. Having found the Live CD booted on this user's workstation isn't enough evidence as they claim it was someone else, thus the forensic approach.

digitalcoroner, Member

Re: find out if user booted from CD

Posted: Wed Dec 05, 2012 2:59 pm

@digitalcoroner
With all due respect, you are seemingly on a wild goose chase.

Compare with this:
www.forensicfocus.com/...9/#6552289

If the machine was booted from a Live CD, obviously no particular "user profile" on the "resident" OS would be connected to booting.

In any case, proving "whose posterior" was on the chair is something that, without witnesses or "physical evidence" (photos, videos, fingerprints, DNA and whatnot), is very, very hard. Even if a given user's profile was used to access the PC (the "resident" OS on it), the account could have been compromised and "someone else" could have used it; a possible exception (still, in theory, possible to work around) being actual hardware fingerprint-scanning authentication.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -

jaclaz, Senior Member
