I need some help to find evidences of Kon-boot CD usage on an XP workstation into an Active Directory domain.
the usage of the CD is simple : it boots and starts the OS on the hard drive, shows all Windows user's profile(domain and local) and displays a menu. You can choose the user you want to open a session without destroy the password using the "cached credentials" feature. So you have access to the filesystem. If you try to access a share, then a small window bubble appears in the task bar, "Windows needs your current credentials. Please lock this computer, then unlock it using your most recent password or smart card. Please click the icon to see more information."
I'm looking for events on the worksation or the DC in order to find evidence.
Thanks for your help.