Ah ok, that changes things slightly. Did you get a live acquisition? The majority of your material would want to have been grabbed at seizure/discovery of the live environment. You'll lose your best evidence once the power cable is pulled.
If the machine was found running a live CD the "Did the suspect run the disc" is almost a given? Is it just a matter of confirming which machine created the disc? Have you got the same version of live environment within the image and on the disc? That goes some way towards evidence.
If for example myLiveEnvironmentV2.iso was found, do the file hashes match those on the seized disc, or is the cd image out of date?
Were they using the live cd in conjunction with a storage medium? Maybe USB, SD card? If these were discounted as useless/empty/corrupted at first glance I'd be trying to check for encryption containers on them.
Would there be anything in pagefile.sys (this is a windows machine)?
No.
As a matter of fact, IF the booted CD was this one
http//
then maybe, IF it was badly built, and it crashed, it could have made use of the internal hard disk pagefile.sys
But probabilities are like 12.37 zillions to 1 against or very, very low.
Also, where should I look to determine if the user used this machine to burn the CD or viewed its contents prior to booting into it?
In the usual places, recently opened files, setupapi.log and/or USBstor related keys in the Registry (if the CD burner was an "external" one), etc.
The workstation was found booted into the Live CD.
Good, then WHY would you want to determine if it was booted from the live CD "with forensic methods"?
(you already know from direct experience this kind of info)
WHAT was the booted cd?
A linux distro, a PE of some kind, a DOS bootdisk, etc., etc.
jaclaz
If the machine was found running a live CD the "Did the suspect run the disc" is almost a given?
Not necessarily. User claims someone else booted the CD on his workstation. I'm looking for forensic evidence to show that the user booted the Live CD.
Is it just a matter of confirming which machine created the disc? Have you got the same version of live environment within the image and on the disc? That goes some way towards evidence.
I think confirming that this machine also downloaded and/or created the image would confirm that the user booted the CD in their machine.
Yes, I have the Live CD but have not found an .iso on the machine.
If for example myLiveEnvironmentV2.iso was found, do the file hashes match those on the seized disc, or is the cd image out of date?
I have not found the iso file on the workstation. Otherwise, yes, that's what I'd do next, run hashes.
Were they using the live cd in conjunction with a storage medium? Maybe USB, SD card? If these were discounted as useless/empty/corrupted at first glance I'd be trying to check for encryption containers on them.
No external medium was found.
jaclaz,
I'm trying to connect a user or at least a user profile to the event. Having found the Live CD booted on this user's workstation isn't enough evidence as they claim it was someone else, thus the forensic approach.
@digitalcoroner
With all due respect, you are seemingly on a wild goose chase. 😯
Compare with this
http://www.forensicfocus.com/Forums/viewtopic/p=6552289/#6552289
If the machine was booted from a Live CD obviously no particular "user profile" on the "resident" OS would be connected to booting.
In any case proving "whose posterior" was on the chair is something that without witnesses or "physical evidence" (photos, videos, fingerprints, DNA and what not) is very, very hard, even if a given user's profile was used to access the PC (the "resident" OS on it), the account could have been compromised and "someone else" could have used it, possibly an exception (still in theory possible to workaround) being an actual hardware fingerprint scanning authentication.
jaclaz
I'm trying to determine if workstation was used to download/burn the Live CD.
The only other thing that comes to mind is to search for text from the disc, maybe a ReadMe file, and search for unique phrases across the exhibits. You might get lucky and find the files within unallocated.
That's a great idea, thanks.
I'm trying to determine if workstation was used to download/burn the Live CD.
The first thing that comes to mind is carving the hard drive for a disk image (shouldn't be much of a problem especially if you know exactly what size and format the CD image was in). In addition, you can carve pagefile.sys or volatile memory dump for some content from that Live CD.
Do you mean manually carving? If yes, would you have an example on how to do this?
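An added illustration of what carving a CD image out of a raw dump and comparing it with the seized disc looks like in practice. This is example code written for this thread, not a tool or script posted by anyone above. It relies only on the public ISO 9660 layout (the primary volume descriptor at logical sector 16, starting with type byte 1 followed by "CD001", with both-endian volume size and block size fields), builds a small constructed image as stand-in input, and reads the whole dump into memory for brevity; a real carver would stream or mmap a drive image.

```python
import hashlib
import struct

SECTOR = 2048
PVD_OFFSET = 16 * SECTOR   # ISO 9660 primary volume descriptor lives at logical sector 16
MAGIC = b"CD001"           # standard identifier at byte 1 of every volume descriptor


def build_sample_iso(volume_id: bytes, payload: bytes) -> bytes:
    """Constructed minimal ISO 9660 image used as test input (NOT a real live CD).
    Only the descriptor fields the carver reads are populated."""
    total_sectors = (20 * SECTOR + len(payload) + SECTOR - 1) // SECTOR
    pvd = bytearray(SECTOR)
    pvd[0] = 1                                   # descriptor type 1 = primary
    pvd[1:6] = MAGIC
    pvd[6] = 1                                   # descriptor version
    pvd[40:72] = volume_id.ljust(32, b" ")       # volume identifier, space padded
    pvd[80:84] = struct.pack("<I", total_sectors)  # volume space size, little endian
    pvd[84:88] = struct.pack(">I", total_sectors)  # same value, big endian
    pvd[128:130] = struct.pack("<H", SECTOR)       # logical block size, both endian
    pvd[130:132] = struct.pack(">H", SECTOR)
    terminator = bytearray(SECTOR)
    terminator[0] = 255                          # volume descriptor set terminator
    terminator[1:6] = MAGIC
    img = bytearray(total_sectors * SECTOR)
    img[PVD_OFFSET:PVD_OFFSET + SECTOR] = pvd
    img[PVD_OFFSET + SECTOR:PVD_OFFSET + 2 * SECTOR] = terminator
    img[20 * SECTOR:20 * SECTOR + len(payload)] = payload
    return bytes(img)


def carve_iso_images(raw: bytes):
    """Scan a raw dump for ISO 9660 primary volume descriptors.
    Returns a list of (start_offset, volume_id, image_bytes)."""
    found = []
    pos = raw.find(MAGIC)
    while pos != -1:
        start = pos - 1 - PVD_OFFSET             # image start = descriptor start - 16 sectors
        if start >= 0 and raw[pos - 1] == 1:     # only type-1 (primary) descriptors
            pvd = raw[pos - 1:pos - 1 + SECTOR]
            sectors_le = struct.unpack_from("<I", pvd, 80)[0]
            sectors_be = struct.unpack_from(">I", pvd, 84)[0]
            block_le = struct.unpack_from("<H", pvd, 128)[0]
            block_be = struct.unpack_from(">H", pvd, 130)[0]
            # Both-endian copies must agree; a mismatch means a false hit or a damaged descriptor
            if sectors_le == sectors_be and block_le == block_be and block_le > 0:
                size = sectors_le * block_le
                if start + size <= len(raw):     # refuse truncated images
                    volume_id = pvd[40:72].rstrip(b" ").decode("ascii", "replace")
                    found.append((start, volume_id, raw[start:start + size]))
        pos = raw.find(MAGIC, pos + 1)
    return found


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_seized_disc(carved: bytes, disc_image: bytes) -> bool:
    """Equal hashes mean the carved artifact is a bit-for-bit copy of the seized disc;
    a mismatch means a different build (e.g. an older version of the same environment)."""
    return sha256(carved) == sha256(disc_image)


if __name__ == "__main__":
    # Constructed stand-ins: the seized disc and a raw dump with the image buried in it
    seized = build_sample_iso(b"MYLIVEENV_V2", b"constructed payload v2")
    dump = b"\x00" * 5000 + seized + b"\xff" * 3000
    for start, vol, data in carve_iso_images(dump):
        print(f"offset={start} volume_id={vol!r} size={len(data)} sha256={sha256(data)}")
        print("matches seized disc:", matches_seized_disc(data, seized))
```

The same scan works on a pagefile or memory dump: a live CD's descriptor sitting in the pagefile does not prove the image file itself was present, but a full-length carve whose hash equals the seized disc does tie that exact build to the workstation.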
If the machine was booted with a CD on a network (home or work), and it received its IP address dynamically, you could examine the DHCP log files on the server or home router. (Most boot CDs that I've used are set to automatically get their IP addresses from the network DHCP server.)
The give away that it was a boot CD would be finding an entry with the workstation MAC address, but a different Machine Name than the workstation normally has. You may even be able to tie the machine name to boot CD distro if you're lucky.
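An added example of the DHCP lease check described in the last two posts; it is illustration code for this thread, not something any poster shared. The lease log lines are constructed in a simplified "timestamp mac ip hostname" layout (a real server or router writes its own format, so the regular expression is the part you would adapt). The hostnames, MAC and timestamps are invented. It reports the time windows in which the workstation's MAC leased an address under a hostname other than the one its resident OS uses, which is the pattern a live CD boot leaves behind; as noted earlier in the thread, this ties the NIC to the boot, not a person to the chair.

```python
import re

# Constructed sample lease log (simplified layout, not a real DHCP server's format)
SAMPLE_LEASE_LOG = """\
2024-03-01T08:02:11 00:11:22:33:44:55 10.0.0.23 WKS-0417
2024-03-01T08:05:40 aa:bb:cc:dd:ee:01 10.0.0.31 PRINTER-3F
2024-03-01T13:17:09 00:11:22:33:44:55 10.0.0.23 ubuntu
2024-03-01T13:22:51 00:11:22:33:44:55 10.0.0.23 ubuntu
2024-03-01T16:40:02 00:11:22:33:44:55 10.0.0.23 WKS-0417
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<ip>\S+)\s+(?P<host>\S+)$",
    re.IGNORECASE,
)


def parse_leases(text: str):
    """Return (timestamp, mac, ip, hostname) tuples; lines that do not parse are skipped."""
    leases = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            leases.append((m["ts"], m["mac"].lower(), m["ip"], m["host"]))
    return leases


def foreign_hostnames(leases, workstation_mac: str, expected_host: str):
    """Leases for the workstation's MAC whose client hostname is not the resident OS's name."""
    mac = workstation_mac.lower()
    return [
        (ts, host)
        for ts, m, _ip, host in leases
        if m == mac and host.lower() != expected_host.lower()
    ]


def boot_windows(leases, workstation_mac: str, expected_host: str):
    """Collapse foreign-hostname leases into {hostname: (first_seen, last_seen, count)}.
    Timestamps are ISO 8601 strings, so lexical order equals chronological order."""
    windows = {}
    for ts, host in sorted(foreign_hostnames(leases, workstation_mac, expected_host)):
        if host in windows:
            first, _last, count = windows[host]
            windows[host] = (first, ts, count + 1)
        else:
            windows[host] = (ts, ts, 1)
    return windows


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASE_LOG)
    for host, (first, last, count) in boot_windows(leases, "00:11:22:33:44:55", "WKS-0417").items():
        print(f"{host}: {count} lease(s) between {first} and {last}")
```

The window between the last lease under the normal name and the first foreign one brackets when the CD was booted, which is what you would line up against badge records, CCTV or other physical evidence to get closer to who was at the keyboard.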