Is there a way to find out if a live CD was used to examine a hard drive? We recovered a stolen laptop and after viewing the security log events, it appears no one logged into it. Considering the suspect was quite computer savvy, I just wanted to know if perhaps a live CD (such as Helix or Knoppix) was used to examine the data on the laptop. Any feedback is always appreciated.
I'd check to see if the system boots to CD before the HD. A savvy person would remember to set the sequence back to the original settings, but it's worth a shot.
By its nature, Helix avoids mounting HDs writable. More so, most versions have issues writing to NTFS. Someone may know of something I don't, but I doubt there'll be a trace on the HD.
A search of other media in possession of the suspect would be more effective.
I would be very surprised if you found anything.
Most of these live CDs (especially forensic ones) are designed to leave untouched the examined computer, so they'll mount drives read only and won't need any swap file.
Not leaving any trace is kind of the first goal of most of these distros …
You've apparently got a laptop running some version of Windows (exact version not provided). When you boot the system to a "live CD", apparently a Linux bootable CD, you're booting it to a different operating system. When you insert a CD and boot to, say, Knoppix, you're not actually booting to Windows, so the Windows system isn't active…therefore, you won't find any entries in the Event Log.
HTH,
H
Have not had a chance to review the document, but thumbing through it, it looks good.
See this link
http//
This paper describes the examination of the use of five different live CDs in the six-step incident handling process and the subsequent forensic examination of the machines. A brief synopsis of the six-step incident handling process is given to provide the background for the testing conducted. The first part of the examination will be an evaluation of the ability of the live CD to be used for incident response by a first responder. After the first-response capability is evaluated, an examination of the capability of the live CDs to carry out the initial forensic imaging will be conducted.
The test procedures used on Windows XP and Linux machines are described, including the sets of commands that simulate the first responder actions on each operating system. The advantages and disadvantages of using each live CD for incident response and their effect on the forensic process are examined on the basis of the testing.
I would imagine that unless the user explicitly mounted a file system on the hard drive in question in such a manner that date/time stamps changed, or the Linux CD mounted it automatically, then you wouldn't know if the computer was booted with a Linux CD, presuming the system is set to boot from the CD/DVD device first. And unless the system was set up for manual detection (such as the placement of a material that would change if the CD/DVD tray were opened or a USB port was plugged into) of "tampering" …
This has always been my reason for wanting a smart BIOS, one that stores the last boot date/time stamp and which device was booted. I've sometimes wondered why the manufacturers haven't done this already. But, with identity theft, loss of systems with personal data, and the changing legal environment, perhaps the day of the smart BIOS is coming.
regards,
farmerdude
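The one on-disk trace the post above allows for is a changed date/time stamp from a file system mounted writable. The following is an added example, not code from anyone in this thread: a small Python sweep that lists files whose access or modification time falls after a cutoff (the last legitimate logon, say, taken from the security log). The directory tree and its timestamps are constructed inline with os.utime; the function and file names are my own. As the replies above note, a read-only forensic mount such as Helix performs updates no timestamps, so an empty result proves nothing.

```python
import os
import tempfile
from datetime import datetime, timezone

def files_touched_after(root, cutoff_epoch):
    """Walk `root` and return (path, kind, epoch) for every file whose
    modification or access time is later than `cutoff_epoch`.

    Triage only: a live CD that mounts the volume read-only leaves
    atime/mtime untouched, so no hits does not mean no examination.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # unreadable entry: skip it rather than abort the sweep
            if st.st_mtime > cutoff_epoch:
                hits.append((path, "modified", st.st_mtime))
            elif st.st_atime > cutoff_epoch:
                hits.append((path, "accessed", st.st_atime))
    return sorted(hits)

def build_sample_tree():
    """Constructed sample: three files whose (atime, mtime) are set with
    os.utime to simulate a last logon followed by later activity."""
    root = tempfile.mkdtemp(prefix="livecd_check_")
    cutoff = datetime(2009, 3, 1, 12, 0, tzinfo=timezone.utc).timestamp()
    spec = {
        "untouched.doc": (cutoff - 86400, cutoff - 86400),
        "read_later.xls": (cutoff + 3600, cutoff - 86400),    # read after cutoff
        "written_later.txt": (cutoff + 7200, cutoff + 7200),  # written after cutoff
    }
    for name, (atime, mtime) in spec.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.utime(path, (atime, mtime))  # set times after the file is closed
    return root, cutoff

if __name__ == "__main__":
    root, cutoff = build_sample_tree()
    for path, kind, when in files_touched_after(root, cutoff):
        stamp = datetime.fromtimestamp(when, timezone.utc)
        print(f"{kind:8} {stamp:%Y-%m-%d %H:%M} {path}")
```

On a real volume, run it against a read-only image or mount of the recovered drive, never the live disk, so the sweep itself does not alter the atimes it is looking for.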