
Kon-boot : finding evidence on a domain workstation...


PhineasGage

Newbie

Posts: 4

Joined: Sat Nov 28, 2009 1:12 am

Post Mon May 31, 2010 3:00 pm

Kon-boot : finding evidence on a domain workstation...

Hello,

I need some help to find evidence of Kon-boot CD usage on an XP workstation in an Active Directory domain.

The usage of the CD is simple: it boots and starts the OS on the hard drive, shows all Windows user profiles (domain and local) and displays a menu. You can choose the user you want to open a session as, without destroying the password, using the "cached credentials" feature. So you have access to the filesystem. If you try to access a share, a small bubble window appears in the task bar: "Windows needs your current credentials. Please lock this computer, then unlock it using your most recent password or smart card. Please click the icon to see more information."

I'm looking for events on the workstation or the DC in order to find evidence.

Thanks for your help.
"An expert is a person who has made all the mistakes that can be made in a very narrow field." Niels Bohr

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Mon May 31, 2010 6:49 pm

Re: Kon-boot : finding evidence on a domain workstation...

Won't be much help, but checking logs would be a good place to start.

Cisco switches logging to a syslog server can show when a port comes up and goes down. Most likely meaning a reboot.

The other places to look are in the logs on the Windows XP system.
OSWP, Sec+

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon May 31, 2010 10:40 pm

Re: Kon-boot : finding evidence on a domain workstation...

If the system is booted from the disc, it's going to be tough to track it. The system is booting a read-only volatile OS at that point. If the native OS is booted, you can try the following:

You can check the MountedDevices registry key. If the OS on the HDD is booted and the CD is detected, this key should contain the name of the disc inserted.

If the disc executes a certain program, it should have a prefetch file located in the %systemroot%\prefetch folder.

Also, chances are that someone went online looking for this disc prior to using it. You can check the Internet history on the computer, and if you have proxy logs, there.

Of course, if all else fails, you can do a disk-wide search for a few keywords, like "kon-boot", and see what turns up. Many times this leads you somewhere interesting.
~~~~~~~~~~~~~~
Ketchup
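As an added example (not code from this thread or from the Kon-boot project), here is the disk-wide keyword sweep Ketchup suggests, written so that it also catches the UTF-16LE strings common in Windows artifacts (registry hives, link files, browser history), which a plain byte grep for "kon-boot" misses. The mount point, file names and file contents in demo() are constructed samples, not real evidence.

```python
"""Keyword sweep over a read-only mounted evidence image (added example)."""
import os
import re
import tempfile
from typing import List, Tuple

CHUNK = 1 << 20  # read files in 1 MiB pieces so large files don't exhaust memory

def build_patterns(keywords: List[str]) -> List[Tuple[str, bytes, re.Pattern]]:
    """Case-insensitive byte patterns for each keyword, in ASCII/UTF-8 and UTF-16LE."""
    pats = []
    for kw in keywords:
        for enc in ("utf-8", "utf-16le"):
            raw = kw.encode(enc)
            pats.append((enc, raw, re.compile(re.escape(raw), re.IGNORECASE)))
    return pats

def scan_file(path: str, pats) -> List[Tuple[str, str, int]]:
    """Return (path, encoding, byte offset) for every hit; chunks overlap so no match is split."""
    hits, carry, base = [], b"", 0  # base = absolute file offset of carry[0]
    overlap = max(len(raw) for _, raw, _ in pats) - 1
    try:
        with open(path, "rb") as fh:
            while True:
                chunk = fh.read(CHUNK)
                if not chunk:
                    break
                buf = carry + chunk
                for enc, raw, pat in pats:
                    for m in pat.finditer(buf):
                        if m.end() > len(carry):  # matches fully inside carry were already reported
                            hits.append((path, enc, base + m.start()))
                carry = buf[-overlap:] if overlap else b""
                base += len(buf) - len(carry)
    except OSError:
        pass  # unreadable file (locked, permissions): skip it rather than abort the sweep
    return hits

def sweep(root: str, keywords=("kon-boot",)) -> List[Tuple[str, str, int]]:
    """Walk every file under root (assumed to be the mounted image) and collect hits."""
    pats, found = build_patterns(list(keywords)), []
    for dirpath, _, files in os.walk(root):
        for name in files:
            found.extend(scan_file(os.path.join(dirpath, name), pats))
    return sorted(found)

def demo() -> List[Tuple[str, str, int]]:
    """Constructed sample tree: one ASCII hit, one UTF-16LE hit, one clean binary file."""
    root = tempfile.mkdtemp()
    samples = {"Documents/notes.txt": b"downloaded KON-BOOT iso yesterday\n",
               "ntuser.reg.bin": b"\x00\x01" + "C:\\Tools\\kon-boot.iso".encode("utf-16le"),
               "clean.bin": bytes(range(256))}
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return [(os.path.relpath(p, root).replace(os.sep, "/"), e, o) for p, e, o in sweep(root)]
```

Run sweep() against the mount point of the image rather than the live system, so the search itself writes nothing to the evidence.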
