Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

How can you tell if a user boots to a cd or flash drive instead of windows on the harddrive?

Posted on 2008-06-24
8
Medium Priority
?
207 Views
Last Modified: 2010-04-26
I need to be able to log when one of my machines is booted into something other than Windows XP.
It is a Dell box OptiPlex 755.
thanks
0
Comment
Question by:IT20701
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
8 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 21857034
You'd have to monitor the bios, or have some sort of hardware device that could log such things. You could get a hardware keylogger to see if you can locate someone typing something you did not type maybe? That's kind of a tough one... you can try, it's an easy bypass especially on a Dell workstation, to set the bios boot password, but if the case locked, using a common pad-lock or key lock, the bios can't be bypassed. Typically all you do is remove a jumper on the motherboard to bypass bios passwords or other bios features, but if the case is locked, they can't do that, and if the password to boot is set, they can't boot even off CD-Rom/USB.
-rich
0
 
LVL 2

Author Comment

by:IT20701
ID: 21857222
Hi RichRumble,

I'm trying to give this user as much rope as possible so I can see where he goes. I'd like to be able to log the boots. I have no idea how to do that or if it is possible. I don't want to password protect - again, because I want to see what this guy is up to.

thanks
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 21857376
Hardware keylogger, or traffic sniffer, perhaps both. You will need a hub or a switch that is able to "mirror" one port to another if you want to sniff the traffic. You would then need a second PC to sniff the traffic that is mirrored from your dell network port (or from the hub) and run the program wireshark(aka ethereal) and sniff all the traffic from that PC.
-rich
0
Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

 
LVL 2

Author Comment

by:IT20701
ID: 21857533
I was hoping there was something simpler. The problem is, understanding what the sniffer is really saying. I'm a "Jack of all trades, master of none"
Oh well, something new for my resume...
thanks
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 21858044
Keylogger is the simplest thing, you could see the majority of what was going on, but a sniffer is the only other option I can think of. unless you want to pay big $$ for a hardware based sniffer, it's the best bet. WireShark is actually quite a good packet capture program, and it summarizes what each packet was trying to do, as well as provide lots of other detail.
http://images.snapfiles.com/screenfiles/wireshark.gif
http://www.cyberciti.biz/tips/wp-content/uploads/2007/01/wireshark.jpg

Since this person is using a "live cd" and really only using your PC's processor and memory, these are the only options. Nothing is being written to your HD and you have no way to load a program into memory when a live Cd is used, so you have to monitor activity going in (keylogger) and activity going out(sniffer)
-rich


0
 
LVL 2

Author Comment

by:IT20701
ID: 21858111
ok, I've downloaded and installed WireShark on my machine so have a vague feel for how it works - quite an interesting little program. But it doesn't allow me to redirect it to monitor a different interface - is this possible with this program or do I need to buy something? If I run it on the machine in question, I know it will be noticed.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 1000 total points
ID: 21859133
Well if they are booting off of a "live cd" then they are running an OS from the CD, and literally only using the proc, memory, NIC, keyboard, and mouse. Wireshark is installed on your OS, if they are running their own, by turning your PC of, placing a CD into the cd drive (or using a flash USB device) then wireshark isn't running.
This is where a hub or a switch with port mirroring abilities comes in. In a hub, everything one port sends/receives, is sent to all other ports as well. The reason this is able to work, is because of Mac address of the network cards. The OS sees all the packets, but only looks for the packets with the proper mac address to reply to. When you use wireshark, it ignores mac address's and records everything it sees.
So if you had a second PC, you would run wireshark on that pc, release the ip (ipconfig -release) then fire up wireshark, lock the PC screen and wait. The second PC would recieve all the same traffic that the 1st PC, the opti-plex, sees or sends.

If they have installed another OS on your HD, you could perhaps load a root-kit on that OS and have it log keystrokes etc... but if they are booting off of media you cannot access, the sniffing and hardware logging are the only options I see.
-rich
0
 
LVL 2

Author Closing Comment

by:IT20701
ID: 31470193
Thanks, I'll see what I can whip up tomorrow.
0

Featured Post

Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

IF you are either unfamiliar with rootkits, or want to know more about them, read on ....
What we learned in Webroot's webinar on multi-vector protection.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question