find out if user booted from CD

(@digitalcoroner)
Eminent Member
Joined: 13 years ago
Posts: 46
Topic starter  

Excellent tip, thank you!

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

I'm trying to determine if the workstation was used to download/burn the Live CD.

Such things are usually downloaded as an ISO file, so check for such files within the active file system, as well as unallocated space.

Depending upon the version of Windows, I'd check the RecentDocs and ComDlg32 Registry keys for the user, as well as Jump Lists. Also check the download history for any browsers used via the user account.

(@belkasoft)
Estimable Member
Joined: 17 years ago
Posts: 169
 

Do you mean manually carving? If yes, would you have an example of how to do this?

Search the disk in a hex editor (especially in unallocated areas) for signatures characteristic of ISO boot images. Can't give you an example, but you can download several bootable ISO images and quickly discover what's common to all of them.

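As an added illustration of the signature approach suggested above (example code, not from this thread or any poster): bootable ISO 9660 images all carry a primary volume descriptor at sector 16 and an El Torito boot record at sector 17, so a scan for that pair over a buffer read from a disk image (unallocated space included) locates candidate images and recovers the volume label and image size. The "unallocated space" below is constructed inline for the demonstration; on a real image, feed the function a read of the region or an mmap of the file.

```python
import struct

SECTOR = 2048                     # ISO 9660 logical sector size
PVD_OFFSET = 16 * SECTOR          # primary volume descriptor sits at sector 16
PVD_MAGIC = b"\x01CD001"          # descriptor type 1 + standard identifier
# El Torito requires a boot record (type 0) at sector 17 with this system id
BOOT_MAGIC = b"\x00CD001\x01" + b"EL TORITO SPECIFICATION"

def find_bootable_isos(data):
    """Return (image_start, volume_id, image_size_bytes) for each bootable ISO
    found in a bytes-like buffer; image_start is None if the 32 KiB system
    area that precedes the PVD lies before the start of the buffer."""
    hits = []
    pos = data.find(PVD_MAGIC)
    while pos != -1:
        boot = pos + SECTOR                       # sector 17 relative to the PVD
        if data[boot:boot + len(BOOT_MAGIC)] == BOOT_MAGIC:
            vol_id = data[pos + 40:pos + 72].decode("ascii", "replace").rstrip()
            blocks = struct.unpack_from("<I", data, pos + 80)[0]       # volume space size
            block_size = struct.unpack_from("<H", data, pos + 128)[0]  # logical block size
            start = pos - PVD_OFFSET if pos >= PVD_OFFSET else None
            hits.append((start, vol_id, blocks * block_size))
        pos = data.find(PVD_MAGIC, pos + 1)
    return hits

def build_iso_header(volume_id, blocks, bootable):
    """Constructed test data: first 18 sectors of an ISO 9660 image, not a real one."""
    pvd = bytearray(SECTOR)
    pvd[0:7] = b"\x01CD001\x01"
    pvd[40:72] = volume_id.encode("ascii").ljust(32)
    pvd[80:88] = struct.pack("<I", blocks) + struct.pack(">I", blocks)   # both-endian
    pvd[128:132] = struct.pack("<H", SECTOR) + struct.pack(">H", SECTOR)
    boot = bytearray(SECTOR)
    if bootable:
        boot[0:len(BOOT_MAGIC)] = BOOT_MAGIC   # boot system id is NUL-padded to 32 bytes
    return bytes(PVD_OFFSET) + bytes(pvd) + bytes(boot)

def build_sample_region():
    """Constructed 'unallocated space': slack, a bootable live CD, then a data disc."""
    return (b"\xff" * 4096
            + build_iso_header("UBUNTU_LIVE_TEST", 700000, bootable=True)
            + b"\x00" * 1000
            + build_iso_header("BACKUP_DATA_DISC", 12345, bootable=False))

if __name__ == "__main__":
    for start, vol_id, size in find_bootable_isos(build_sample_region()):
        print(f"bootable ISO at offset {start}: volume '{vol_id}', ~{size // 2**20} MiB")
```

The non-bootable data disc in the sample is deliberately not reported, since only images with the El Torito boot record could have been used to boot the machine.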
(@kalin)
Active Member
Joined: 16 years ago
Posts: 8
 

If you describe the live CD used (which Linux/Windows, which version), we might be able to guess the filename of the ISO.

Was it CD or DVD? Anyway, just sorting all files (inc. deleted) by size in reverse will show you any big files that were present, and I doubt there are many files above a few hundred MB on the disk.

Once you locate the ISO (or IMG or similar), based on where it was stored (user dir) and when it was created (who was logged in at the time), you can link this action to a particular user account. Then, going outside DF, you have to confirm that this person was the only one feasibly present at this time slot on his machine.
Of course, don't forget that s/he can claim s/he did download it, but then someone else booted it.

(@jmundy)
Eminent Member
Joined: 6 years ago
Posts: 25
 

If this could be proved, how would it assist the investigation? Any actions performed under a live bootable are done in RAM and therefore 'gone' once the user ends the session, yes?
