Link to home
Start Free TrialLog in
Avatar of IT20701
IT20701Flag for Afghanistan

asked on

How can you tell if a user boots to a cd or flash drive instead of windows on the harddrive?

I need to be able to log when one of my machines is booted into something other than Windows XP.
It is a Dell box OptiPlex 755.
thanks
Avatar of Rich Rumble
Rich Rumble
Flag of United States of America image

You'd have to monitor the bios, or have some sort of hardware device that could log such things. You could get a hardware keylogger to see if you can locate someone typing something you did not type maybe? That's kind of a tough one... you can try, it's an easy bypass especially on a Dell workstation, to set the bios boot password, but if the case locked, using a common pad-lock or key lock, the bios can't be bypassed. Typically all you do is remove a jumper on the motherboard to bypass bios passwords or other bios features, but if the case is locked, they can't do that, and if the password to boot is set, they can't boot even off CD-Rom/USB.
-rich
Avatar of IT20701

ASKER

Hi RichRumble,

I'm trying to give this user as much rope as possible so I can see where he goes. I'd like to be able to log the boots. I have no idea how to do that or if it is possible. I don't want to password protect - again, because I want to see what this guy is up to.

thanks
Hardware keylogger, or traffic sniffer, perhaps both. You will need a hub or a switch that is able to "mirror" one port to another if you want to sniff the traffic. You would then need a second PC to sniff the traffic that is mirrored from your dell network port (or from the hub) and run the program wireshark(aka ethereal) and sniff all the traffic from that PC.
-rich
Avatar of IT20701

ASKER

I was hoping there was something simpler. The problem is, understanding what the sniffer is really saying. I'm a "Jack of all trades, master of none"
Oh well, something new for my resume...
thanks
Keylogger is the simplest thing, you could see the majority of what was going on, but a sniffer is the only other option I can think of. unless you want to pay big $$ for a hardware based sniffer, it's the best bet. WireShark is actually quite a good packet capture program, and it summarizes what each packet was trying to do, as well as provide lots of other detail.
http://images.snapfiles.com/screenfiles/wireshark.gif
http://www.cyberciti.biz/tips/wp-content/uploads/2007/01/wireshark.jpg

Since this person is using a "live cd" and really only using your PC's processor and memory, these are the only options. Nothing is being written to your HD and you have no way to load a program into memory when a live Cd is used, so you have to monitor activity going in (keylogger) and activity going out(sniffer)
-rich


Avatar of IT20701

ASKER

ok, I've downloaded and installed WireShark on my machine so have a vague feel for how it works - quite an interesting little program. But it doesn't allow me to redirect it to monitor a different interface - is this possible with this program or do I need to buy something? If I run it on the machine in question, I know it will be noticed.
ASKER CERTIFIED SOLUTION
Avatar of Rich Rumble
Rich Rumble
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of IT20701

ASKER

Thanks, I'll see what I can whip up tomorrow.