An interesting case file recently passed my attention regarding kiddy porn.
The suspected laptop had Windows Vista installed across the entire HDD; the initial search came back with no results found and it has been sent back for further analysis, but along with the laptop ceased was a Linux live CD.
My question for you is in regards to the use of the CD; I am still learning, so go easy if anything is wrong.
The CD would have been booted at start-up and run in virtual memory (RAM), and then used to surf the net and download files, but since no file system is ever loaded no trace will be recovered from the HDD.
I know anti-forensics has advanced in recent years with the likes of TrueCrypt and proxy software such as Tor, but the live CD seems to be another tool in the arsenal of criminals.
Not sure what the actual question was here, but you are correct in the usage of the live CD. I run across people using bootable pen drives as well. I fear the only evidence that would remain would be the offender's router back to the ISP. Maybe some router logs, and the like.
Other things that are overlooked are Xboxes, Wiis, PS3s and the like. People can surf the internet on their phones with ease anymore.
The one thing to consider is the pagefile.sys. Some live distros will use this as a temporary file system, though most zero it out after the work has been done. Still, I agree that if the scenario is true, the chances of finding anything are slim.
The suspected laptop had Windows Vista installed across the entire HDD; the initial search came back with no results found and it has been sent back for further analysis, but along with the laptop ceased was a Linux live CD.
Do you mean "seized", rather than "ceased"?
My question for you is in regards to the use of the CD; I am still learning, so go easy if anything is wrong.
The CD would have been booted at start-up and run in virtual memory (RAM), and then used to surf the net and download files, but since no file system is ever loaded no trace will be recovered from the HDD.
If no file system was loaded, where were the "downloaded files" downloaded to?
Sean's suggestion of bootable Linux CD distros using the pagefile.sys on the system as part of a temporary file system is interesting, and certainly more plausible than randomly writing to the drive itself, as doing so runs the risk of damaging the OS on the hard drive beyond repair. Given that, it might be interesting to know which Linux distro is on the live CD, as this might give you some insight into the situation.
I think that the real question here is, what are the goals of your investigation, and do you have all of the necessary data pursuant to those goals? If not, what else would you need?
The file system is loaded in RAM and only RAM is touched, in my experience. This means that when the machine is powered down all data and evidence will eventually "fade" depending on the type of RAM and the temperature of the RAM. The colder it is, the longer the data resides in RAM.
This means that if the suspect was viewing CP from a Linux Live CD and had not mounted any storage media to save the data to, then you're probably out of luck in ever recovering anything from that system because it had only resided in RAM and thus, faded away as it was powered off.
I don't know of any distribution which will use the pagefile.sys but I wouldn't say one doesn't exist.
Sources that might help you
http//
http//
Not related, but I think the term "kiddy porn" is terrible. Not having a go at the OP, just my opinion on the choice of words.
An alternative in English legal terminology is Indecent Images of Children, or just IIoC for short.
>>snip
>>I don't know of any distribution which will use the pagefile.sys but I wouldn't say one doesn't exist.

It is my understanding that some of the non-tweaked (i.e. non-forensic) Knoppix derivatives will set up a swap file on a writeable partition. That was a problem with some of the first Knoppix bootable CDs. You will have to look into the behaviour of the specific flavour of Linux CD you are dealing with.
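Several posts above raise the possibility that a live distro borrowed pagefile.sys (or another writeable area) as swap and then zeroed it. One concrete check an examiner can run on a copy of pagefile.sys carved from the Vista image is to look for the header that Linux mkswap writes: the magic "SWAPSPACE2" (or the legacy "SWAP-SPACE") sits in the last 10 bytes of the first page, and for SWAPSPACE2 a small info block at offset 1024 holds the version, the last usable page number and a UUID. The script below is an added example, not code from anyone in this thread; the file name and the sample image it builds are constructed, and it assumes a little-endian (x86) system wrote the header. A zeroed swap area leaves no header behind, so it also reports how much of the file is NUL, which is the pattern you would expect if a distro wiped what it borrowed.

```python
import struct
from typing import Dict, Optional

# Linux swap header layout (include/linux/swap.h): magic in the last 10 bytes
# of the first page; for SWAPSPACE2 the info struct begins at offset 1024 with
# three little-endian u32 fields (version, last_page, nr_badpages) and a 16-byte UUID.
SWAP_MAGICS = (b"SWAPSPACE2", b"SWAP-SPACE")
PAGE_SIZES = (4096, 8192, 16384, 65536)  # page sizes mkswap may have used
INFO_OFFSET = 1024                        # info struct starts after 1 KiB boot area


def parse_swap_header(data: bytes) -> Dict[str, Optional[object]]:
    """Report whether the start of `data` carries a Linux swap header."""
    result: Dict[str, Optional[object]] = {
        "found": False, "magic": None, "page_size": None,
        "version": None, "last_page": None, "uuid": None,
    }
    for page_size in PAGE_SIZES:
        if len(data) < page_size:
            continue
        magic = data[page_size - 10:page_size]
        if magic not in SWAP_MAGICS:
            continue
        result.update(found=True, magic=magic.decode("ascii"), page_size=page_size)
        if magic == b"SWAPSPACE2":
            version, last_page, _nr_badpages = struct.unpack_from("<III", data, INFO_OFFSET)
            uuid = data[INFO_OFFSET + 12:INFO_OFFSET + 28]
            result.update(version=version, last_page=last_page, uuid=uuid.hex())
        return result
    return result


def zero_fraction(data: bytes, sample: int = 1 << 20) -> float:
    """Fraction of the first `sample` bytes that are NUL; 1.0 means fully wiped."""
    chunk = data[:sample]
    if not chunk:
        return 0.0
    return chunk.count(0) / len(chunk)


def triage_pagefile(data: bytes) -> Dict[str, Optional[object]]:
    """Combine the header check with a wipe indicator for a pagefile prefix."""
    report = parse_swap_header(data)
    report["zero_fraction"] = round(zero_fraction(data), 3)
    return report


def make_sample_swap_image(page_size: int = 4096, pages: int = 4) -> bytes:
    """Constructed sample resembling a file that mkswap has initialised."""
    header = bytearray(page_size)
    # version 1, last_page = pages - 1, nr_badpages 0, then a made-up UUID
    struct.pack_into("<III", header, INFO_OFFSET, 1, pages - 1, 0)
    header[INFO_OFFSET + 12:INFO_OFFSET + 28] = bytes(range(0x10, 0x20))
    header[page_size - 10:] = b"SWAPSPACE2"
    return bytes(header) + bytes(page_size * (pages - 1))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Only the first 2 MiB are needed: the header plus a wipe sample.
        with open(sys.argv[1], "rb") as fh:   # e.g. a carved copy of pagefile.sys
            prefix = fh.read(2 << 20)
    else:
        prefix = make_sample_swap_image()     # constructed demo input
    print(triage_pagefile(prefix))
```

Run it against a carved copy of pagefile.sys (`python triage_pagefile.py pagefile.sys`); a hit on the magic is strong evidence that a Linux system formatted the file as swap, while a header-free file with a zero fraction near 1.0 is consistent with the "zeroed after use" behaviour mentioned above, and a high zero fraction with Windows-looking content elsewhere says nothing on its own. A negative result does not rule the scenario out, since a live CD that never enabled swap leaves no header at all.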