Hello,

I need some help to find evidences of Kon-boot CD usage on an XP workstation into an Active Directory domain.

the usage of the CD is simple : it boots and starts the OS on the hard drive, shows all Windows user's profile(domain and local) and displays a menu. You can choose the user you want to open a session without destroy the password using the "cached credentials" feature. So you have access to the filesystem. If you try to access a share, then a small window bubble appears in the task bar, "Windows needs your current credentials. Please lock this computer, then unlock it using your most recent password or smart card. Please click the icon to see more information."

I'm looking for events on the worksation or the DC in order to find evidence.

Thanks for your help.

If the system is booted from the disc, it's going to be tough to find to track it.   The system is booting a read-only volatile OS at that point.   If the native OS is booted,  you can try the following:

You can check the MountedDevices registry key.   If the OS on the HDD is booted and the CD is detected, this key should contain the name of the disc inserted. 

If the disc executes a certain program, it should have a prefetch file located in the %systemroot%\prefetch folder. 

Also, chances are that someone went online looking for this disc prior to using it.  You can check the Internet history on the computer, and if you have proxy logs, there.

Of course, if all else fails, you can do a disk-wide search for a few keywords, like "kon-boot" and see what turns up.   Many times this leads you somewhere interesting.