How can I find out if a user booted their computer from a CD?
1. Ask them.
2. Ask others around them.
3. Check the video.
1. Ask them.
2. Ask others around them.
I would add "nicely" ;)
jaclaz
Your answers would imply that there is no way to determine this via digital forensic methods?
(The asking-the-user method doesn't work very well.)
Your answers would imply that there is no way to determine this via digital forensic methods?
(The asking-the-user method doesn't work very well.)
Well, a bootable CD normally completely bypasses each and every hard disk on the PC during the booting phase, so it leaves no traces whatsoever.
What you may find (in particular situations) is:
- that the BIOS of the PC was set to boot from CD before booting from the internal HD (but this means nothing, as this is a common enough setting and a number of modern BIOSes offer an F11 or F12 option to change the boot order on the fly, so besides it being unlikely that you find this, the finding wouldn't be conclusive at all)
- if the PC was using Linux and no NT system was ever booted on it, that there is a disk signature in the MBR
- if the user used the booted CD to perform some particular operation on the filesystem or on files that the "resident" OS would be incapable of or "normally" does not perform (are you familiar with needles and haystacks?); this is a generalization of point #2 above
jaclaz
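Point #2 above can be checked directly on the first sector of the drive. The disk signature is the 4-byte little-endian value at offset 0x1B8 of a classic MBR (the partition table follows at 0x1BE, and the sector ends with 0x55AA). The following is an added example, not code from the thread or from any forensic tool; it builds a constructed 512-byte MBR and parses it. Caveat, as a comment in the code: a non-zero signature only says that something that writes one has touched the MBR; besides NT-family Windows, some Linux partitioning tools also write a disk identifier there, so the absence of a signature is a stronger indicator than its presence.

```python
import struct

SECTOR = 512
DISK_SIG_OFF = 0x1B8      # 4-byte "NT disk signature" / disk identifier
PART_TABLE_OFF = 0x1BE    # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE      # 0x55AA marks a classic MBR (a GPT protective MBR carries it too)


def build_sample_mbr(disk_signature: int, part_type: int, bootable: bool = True) -> bytes:
    """Construct a minimal MBR for demonstration (constructed data, not from a real disk)."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<I", mbr, DISK_SIG_OFF, disk_signature)
    # one entry: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
    entry = struct.pack("<B3sB3sII",
                        0x80 if bootable else 0x00, b"\x00\x00\x00",
                        part_type, b"\x00\x00\x00",
                        2048, 204800)
    mbr[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xAA"
    return bytes(mbr)


def parse_mbr(sector: bytes) -> dict:
    """Return the disk signature and the non-empty partition entries of a 512-byte MBR."""
    if len(sector) < SECTOR:
        raise ValueError("MBR must be at least 512 bytes")
    if sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xAA":
        raise ValueError("no 0x55AA signature: not a classic MBR")
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFF)[0]
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, count = struct.unpack_from("<II", sector, off + 8)
        if ptype == 0:            # type 0x00 means an unused slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,        # e.g. 0x83 Linux, 0x07 NTFS, 0x82 Linux swap
            "lba_start": lba_start,
            "sectors": count,
        })
    return {"disk_signature": disk_sig, "partitions": partitions}


def has_disk_signature(sector: bytes) -> bool:
    # Caveat: a non-zero value shows that NT-family Windows, or a partitioning tool that
    # also writes a disk identifier, touched this MBR; it says nothing about a live CD boot.
    return parse_mbr(sector)["disk_signature"] != 0


def read_mbr(path: str) -> bytes:
    """Read the first sector from an image file or block device (read-only)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR)


if __name__ == "__main__":
    # Constructed samples: a Linux disk never touched by NT, and an NTFS disk with a signature.
    for sig, ptype in ((0, 0x83), (0x1A2B3C4D, 0x07)):
        info = parse_mbr(build_sample_mbr(sig, ptype))
        print(f"signature=0x{info['disk_signature']:08X} partitions={info['partitions']}")
```

On a real case, run `parse_mbr(read_mbr("/path/to/image.dd"))` against a write-blocked image rather than the live device, and treat a zero signature together with Linux-only partition types as consistent with "no NT system was ever booted", not as proof.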
You may also check what is in the swap partition if an ext-formatted HD with a Linux distro installed is luckily present in the machine you want to investigate. Some live CD distros may use it.
Your answers would imply that there is no way to determine this via digital forensic methods?
I'm sure that if you reason through your question, you'll see why that is…
If a user inserts a CD into the CD Device and boots off of it, most bootable distros that I'm aware of will create a swap partition in RAM, in addition to loading the entire OS in RAM.
As such, what artifacts would you expect to see?
Would there be anything in pagefile.sys (this is a windows machine)?
Also, where should I look to determine if the user used this machine to burn the CD or viewed its contents prior to booting into it?
You won't get anything from the page file from a suspect booting into the live environment (it doesn't touch the disk, remember ;) )
You'd be lucky to see any "burning artefacts" within the page file, but you could get lucky.
I'd run a keyword search over the whole disk for the iso/cue/image name; you might get hits within recent files/jump lists or burning packages/logs etc., then go from there.
I take it your suspect has been accused of using a live CD to perform an action. Did they have a live CD in their possession or just the image? If they are using a live CD, they seem pretty switched on with technology.
If you had the router the suspect used, it's possible you'd see the machine's MAC address connect to it, assuming they didn't have the presence of mind to spoof it.
Hope this helps, Good luck.
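One pitfall of the whole-disk keyword search suggested above: LNK files, jump lists and other Windows metadata store paths as UTF-16LE, so an ASCII-only search for "knoppix.iso" misses them. The following is an added example, not code from this thread or from any forensic suite; it scans a byte buffer for image-file names in both ASCII and UTF-16LE and reports the offset and encoding of each hit. The sample buffer (a burning-log line and an LNK-like path) is constructed for the demonstration.

```python
import re

# Extensions worth flagging when looking for CD image references (extend as needed).
EXTENSIONS = ("iso", "cue", "img", "nrg", "bin")

# Characters that may appear in a path/file-name token; spaces are excluded so a hit
# stops at the path rather than swallowing a whole log line.
_TOKEN = rb"[A-Za-z0-9_\-.\\:]"

_ext_ascii = b"|".join(e.encode() for e in EXTENSIONS)
_ext_u16 = b"|".join(re.escape(e.encode("utf-16-le")) for e in EXTENSIONS)

ASCII_RE = re.compile(
    _TOKEN + rb"{1,80}\.(?:" + _ext_ascii + rb")(?![A-Za-z0-9])", re.IGNORECASE)
# Same shape, but every character is followed by a NUL byte (UTF-16LE, ASCII range).
U16_RE = re.compile(
    rb"(?:" + _TOKEN + rb"\x00){1,80}\.\x00(?:" + _ext_u16 + rb")", re.IGNORECASE)


def image_references(data: bytes) -> list:
    """Return (offset, encoding, text) for every image-file name found in data."""
    hits = []
    for m in ASCII_RE.finditer(data):
        hits.append((m.start(), "ascii", m.group().decode("ascii", "replace")))
    for m in U16_RE.finditer(data):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le", "replace")))
    return sorted(hits)


def scan_file(path: str, chunk: int = 64 * 1024 * 1024) -> list:
    """Scan an image file chunk-wise; the overlap keeps hits straddling a chunk boundary."""
    overlap = 2 * 256          # longest possible match in bytes (UTF-16LE, 80 chars + ext)
    hits, base, tail = [], 0, b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            buf = tail + block
            for off, enc, text in image_references(buf):
                if off >= len(tail) or base == 0:
                    hits.append((base - len(tail) + off, enc, text))
            tail = buf[-overlap:]
            base += len(block)
    return hits


# Constructed sample: an ASCII burning-log line, some filler, then a UTF-16LE path of
# the kind found in LNK files and jump lists. None of this comes from a real system.
SAMPLE = (
    b"\x00" * 16
    + b"2011-03-04 21:10 ImgBurn: Image File: D:\\tools\\ubuntu-10.10-desktop.iso\r\n"
    + b"\xff" * 8
    + "C:\\Users\\bob\\Downloads\\knoppix.ISO".encode("utf-16-le")
    + b"\x00" * 8
    + b"nothing.txt"
)

if __name__ == "__main__":
    for off, enc, text in image_references(SAMPLE):
        print(f"0x{off:08X} {enc:8s} {text}")
```

Running it on the constructed sample yields two hits, the ASCII log path and the UTF-16LE download path; a plain `grep -a knoppix` would have found only the first. For a real disk image, `scan_file("/path/to/image.dd")` does the same over the whole file, and a hit is only a lead: confirm it against the recent-files entry, jump list or burning log it came from.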
The workstation was found booted into the Live CD.
Thanks for the tips.