Hello,
I need some help to find evidence of Kon-boot CD usage on an XP workstation in an Active Directory domain. The usage of the CD is simple: it boots and starts the OS on the hard drive, shows all Windows user profiles (domain and local) and displays a menu. You can choose the user you want to open a session as, without destroying the password, using the "cached credentials" feature. So you have access to the filesystem. If you try to access a share, then a small bubble window appears in the taskbar: "Windows needs your current credentials. Please lock this computer, then unlock it using your most recent password or smart card. Please click the icon to see more information."
I'm looking for events on the workstation or the DC in order to find evidence.
Thanks for your help.
Hi,
I have not performed extensive testing on Kon-Boot, but I don't think it will leave conclusive traces that it has been used... so I would look for the following in the local and DC Windows events:
- Failed attempts to log on to a domain account. You imply in your message that Kon-Boot allows bypassing the password for a domain account, but I think it only works reliably on local ones. I have read something about it being able to use cached credentials to log on, but in my limited testing it did not succeed.
- Successful logons using local accounts, for the same reason.
- Failed attempts to access EFS data (if present).
- Failed attempts to access network resources.
Best of luck!
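One way to turn that checklist into a concrete correlation, as an added example that is not part of this thread: a domain user who reached the desktop through cached credentials never authenticated to the DC, so a console logon on the workstation with no Kerberos TGT issued by the DC just before it, followed by DC-side failures once the session touches a share, deserves a closer look. The event IDs are the XP/2003-era security log values; the comma-separated export layout and the sample entries are constructed assumptions, and a missing TGT is an indicator to investigate, not proof of Kon-Boot.

```python
from datetime import datetime, timedelta

# Windows XP / Server 2003 security-log event IDs (pre-Vista numbering).
INTERACTIVE_LOGON = 528   # workstation: successful logon; "Logon Type: 2" = console
TGT_ISSUED = 672          # DC: Kerberos authentication ticket (TGT) granted
FAILURES = {529, 675}     # DC: bad password (NTLM) / Kerberos pre-authentication failed
WINDOW = timedelta(minutes=2)  # how long before the console logon a TGT is expected

# Constructed sample export in an assumed "timestamp,host,event_id,user,detail" layout.
WORKSTATION_EVENTS = """\
2010-03-01 08:02:11,WS01,528,CORP\\alice,Logon Type: 2
2010-03-01 09:15:02,WS01,528,CORP\\bob,Logon Type: 2
2010-03-01 10:00:00,WS01,528,WS01\\admin,Logon Type: 2
"""
DC_EVENTS = """\
2010-03-01 08:05:40,DC01,675,alice,Pre-authentication failed
2010-03-01 08:05:41,DC01,529,alice,Unknown user name or bad password
2010-03-01 09:14:58,DC01,672,bob,Authentication Ticket Granted
"""

def parse(text):
    """Parse export lines into dicts; usernames are lowercased for matching."""
    rows = []
    for line in text.strip().splitlines():
        ts, host, eid, user, detail = line.split(",", 4)
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "host": host,
                     "id": int(eid), "user": user.lower(), "detail": detail})
    return rows

def suspicious_logons(ws_events, dc_events):
    """Return (host, user, time, later_dc_failures) for each domain-account console
    logon that the DC never authenticated (no TGT issued in the preceding WINDOW)."""
    findings = []
    for ev in ws_events:
        if ev["id"] != INTERACTIVE_LOGON or "Logon Type: 2" not in ev["detail"]:
            continue
        domain, _, sam = ev["user"].partition("\\")
        if not sam or domain == ev["host"].lower():
            continue  # local account: the DC is never consulted, so this rule cannot apply
        tgt_seen = any(d["id"] == TGT_ISSUED and d["user"] == sam
                       and ev["ts"] - WINDOW <= d["ts"] <= ev["ts"] for d in dc_events)
        if tgt_seen:
            continue
        # Later DC failures for the same user match the "needs your current credentials"
        # symptom seen when an unauthenticated session tries to reach a share.
        later_failures = sum(1 for d in dc_events if d["id"] in FAILURES
                             and d["user"] == sam and d["ts"] > ev["ts"])
        findings.append((ev["host"], ev["user"], ev["ts"].isoformat(sep=" "), later_failures))
    return findings
```

Run it over real exports by replacing the two constructed strings; the local-account branch is where the thread's "successful logons using local accounts" check would be added.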
> Hello,
> I need some help to find evidence of Kon-boot CD usage on an XP workstation in an Active Directory domain. The usage of the CD is simple: it boots and starts the OS on the hard drive, shows all Windows user profiles (domain and local) and displays a menu. You can choose the user you want to open a session as, without destroying the password, using the "cached credentials" feature. So you have access to the filesystem. If you try to access a share, then a small bubble window appears in the taskbar: "Windows needs your current credentials. Please lock this computer, then unlock it using your most recent password or smart card. Please click the icon to see more information."
> I'm looking for events on the workstation or the DC in order to find evidence.
> Thanks for your help.

> You imply in your message that Kon-Boot allows bypassing the password for a domain account, but I think it only works reliably on local ones.
Thanks for your help. I've performed the test with a domain account, and when I tried to access a share, I saw the message "Windows needs your current credentials. Please lock this computer, then unlock it using your most recent password or smart card. Please click the icon to see more information." Kerberos security is welcome in this case 😉