Subject: FCCU-PXE
Author: Geert Van Acker
Date: 08 Dec 2005
Version: 1.0
Licence: Creative Commons



Imagine that you need to investigate a bunch of computers in a cybercafe, or even on a company network, to determine which PC was used to commit a crime or fraud. When you have some keywords, you could boot every single computer from a bootable CD (like our FCCU GNU/Linux Forensic CD), floppy disk or USB device.
But what if the computers are stripped down (no CD or floppy drives, no USB ...) or what if you're just lazy (like every good power user)?
That's where our FCCU-PXE method enters the game.
I would like to thank Kent Robotti and his RIP (Recovery Is Possible) distro, which served as a great start!

1. "Abused" technology

The technology we are going to use is PXE (Preboot Execution Environment). Intel published the specification in 1999.
Basically, it comes down to three things: a DHCP server with the extended, PXE-specific options, a PXE boot server, and a network bootstrap program.
If you're not familiar with all these terms, don't panic: I have made a very simple script that generates all of this for you. The script will be part of the FCCU GNU/Linux Forensic CD from version 10 onwards.
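To make the three pieces concrete, here is an added example (not the FCCU script itself) that writes them out as configuration files and checks that the boot server has everything a client will ask for. Everything in it is an assumption for the example: an isolated investigation LAN 192.168.77.0/24, the investigator's laptop at 192.168.77.1 acting as DHCP and TFTP server, a TFTP root directory holding PXELINUX as the network bootstrap program, and a kernel/initrd pair named vmlinuz and initrd.gz. The DHCP part uses ISC dhcpd syntax; PXE clients fetch the bootstrap program over TFTP from the address given by next-server.

```shell
#!/bin/sh
# Added example, not the FCCU script: the three PXE pieces as config files.
# All addresses, paths and file names below are constructed assumptions.

# gen_pxe_config OUTDIR SERVER_IP
#   Writes OUTDIR/dhcpd.conf (ISC dhcpd syntax) carrying the PXE-specific
#   next-server/filename options, and OUTDIR/pxelinux.cfg/default, the
#   PXELINUX boot entry that every network-booted client will use.
gen_pxe_config() {
    outdir=$1; server=$2
    mkdir -p "$outdir/pxelinux.cfg" || return 1
    cat > "$outdir/dhcpd.conf" <<EOF
# Only answer on the isolated investigation LAN; never run this next to a
# production DHCP server.
subnet 192.168.77.0 netmask 255.255.255.0 {
    range 192.168.77.100 192.168.77.200;
    next-server $server;        # TFTP server holding the bootstrap program
    filename "pxelinux.0";      # the network bootstrap program (NBP)
}
EOF
    cat > "$outdir/pxelinux.cfg/default" <<EOF
DEFAULT fccu
PROMPT 0
TIMEOUT 10
LABEL fccu
    KERNEL vmlinuz
    APPEND initrd=initrd.gz ip=dhcp
EOF
}

# check_tftp_root DIR
#   Returns 0 when every file a PXE client will request from the TFTP root
#   is present, otherwise lists what is missing on stderr and returns 1.
check_tftp_root() {
    missing=0
    for f in pxelinux.0 vmlinuz initrd.gz pxelinux.cfg/default; do
        if [ ! -f "$1/$f" ]; then
            printf 'missing: %s/%s\n' "$1" "$f" >&2
            missing=1
        fi
    done
    return $missing
}

# Stand-alone demonstration: generate into a scratch directory and check it.
demo() {
    work=$(mktemp -d) || exit 1
    gen_pxe_config "$work" 192.168.77.1
    cat "$work/dhcpd.conf" "$work/pxelinux.cfg/default"
    check_tftp_root "$work" || echo "copy pxelinux.0, vmlinuz and initrd.gz into $work first"
    rm -rf "$work"
}
demo
```

The check is the step most often forgotten: dhcpd will happily hand out the filename option even when nothing is listening on TFTP, and the client then sits at "PXE-E32: TFTP open timeout" with no hint on the server side.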

2. Usage

The goal is that even non-Linux users must be able to use this method. Just boot your laptop from the FCCU GNU/Linux Forensic CD and sit back until you see the Bash command line (something like "root@tty1#").
Now enter:

# fccu-pxe.sh

This script will ask you two questions:

1. Which keywords do you want to search for?

2. Which devices should be searched?


This is the easy part: just type in the words you want to search for on the hard disk, one per line. When you're done, press F2 to save the file and F10 to exit.


If you're new to Linux, most IDE hard drives in Linux systems are accessed by "/dev/hdx" where "x" can be:

External USB disks or SATA disks are recognized as "/dev/sdx", where "x" is "a" for the first USB device, and so on.
If you're not sure how the internal hard drives will be recognized by the FCCU GNU/Linux Forensic CD, first boot one target computer from the CD and enter:

# cat /proc/partitions

This will show you enough information to continue.

You can enter more than one device (one per line). It doesn't hurt to put all the IDE devices in the list: if a device is not recognized, the script just continues with the next one in the list.
Once you have listed the hard drives, press F2 (save) and F10 (exit).

Sit back and relax; the script will tell you when you can boot the client computers (this takes some time).
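The search step that the two questions feed, written out as an added example (this is not the FCCU script, whose internals are not shown on this page): each device in the list is searched for every keyword, a device that does not exist on a given client is reported and skipped so the next one is tried, and the result is a per-device, per-keyword hit count. File names, the report format and the demonstration data are constructed for the example. It also handles one edge case the keyword editor makes easy to hit: a blank line in the keyword file would be an empty pattern that matches everything, so blank lines are dropped before searching.

```shell
#!/bin/sh
# Added example, not the FCCU script: keyword search over a device list that
# skips devices absent on this client. Names and data are constructed.

# search_devices KEYWORD_FILE DEVICE_LIST REPORT
#   KEYWORD_FILE: one keyword per line (blank lines are dropped: an empty
#                 pattern would match every line and drown the report)
#   DEVICE_LIST:  one device path per line, e.g. /dev/hda
#   REPORT:       receives lines "<device> <keyword> <count>",
#                 "<device> no hits" or "<device> not present, skipped"
search_devices() {
    kwfile=$1; devlist=$2; report=$3
    patterns=$(mktemp) || return 1
    grep -v '^[[:space:]]*$' "$kwfile" > "$patterns" || :
    : > "$report"
    while IFS= read -r dev || [ -n "$dev" ]; do
        [ -z "$dev" ] && continue
        if [ ! -r "$dev" ]; then
            printf '%s not present, skipped\n' "$dev" >> "$report"
            continue
        fi
        # -a treats the raw device as text, -i ignores case, -F takes the
        # keywords literally, -o prints only the matched text so that the
        # occurrences can be counted per keyword after lowercasing.
        matches=$(grep -a -i -o -F -f "$patterns" "$dev" 2>/dev/null |
                  tr '[:upper:]' '[:lower:]' | sort | uniq -c)
        if [ -z "$matches" ]; then
            printf '%s no hits\n' "$dev" >> "$report"
        else
            printf '%s\n' "$matches" | while read -r count word; do
                printf '%s %s %s\n' "$dev" "$word" "$count" >> "$report"
            done
        fi
    done < "$devlist"
    rm -f "$patterns"
}

# hits REPORT DEVICE KEYWORD -> prints the count recorded for that pair (0 if none)
hits() {
    n=$(awk -v d="$2" -v k="$3" '$1 == d && $2 == k { print $3 }' "$1")
    printf '%s\n' "${n:-0}"
}

# Stand-alone demonstration with constructed data: a small file stands in for
# a disk device, and a second, nonexistent path stands in for an unrecognized one.
demo() {
    work=$(mktemp -d) || exit 1
    printf 'Invoice 4711 sent. Second INVOICE pending.\npassword=hunter2\n' > "$work/disk1"
    printf 'invoice\npassword\n\nfoobar\n' > "$work/keywords"
    printf '%s/disk1\n%s/missing\n' "$work" "$work" > "$work/devices"
    search_devices "$work/keywords" "$work/devices" "$work/report"
    cat "$work/report"
    rm -rf "$work"
}
demo
```

On a real client the device list would name raw block devices such as /dev/hda, and grep then reads the whole disk, which is why the page says this takes some time; the report written per client is what you collect afterwards to decide which machine deserves a full image.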

3. Boot the target computers

Before using the FCCU-PXE method you need to verify that the target computer is able to boot from the network via PXE (most computers made after 2001 are). Check the boot options in the computer's BIOS settings: you should see a "PXE" or "Network" boot option.

After verifying that the computer is capable of booting via PXE, disable all boot options except the PXE/Network option. This ensures that no other boot option is used when the computer is rebooted.

4. Warnings

Be careful if you're working in a production environment: if there is already a DHCP server on the network, you could get strange results.
To avoid this problem, I suggest that you bring a hub or switch of your own to use with the FCCU-PXE method.

Plug in your laptop together with all the PCs you want to investigate (a computer that itself runs the DHCP service can be searched stand-alone with a bootable CD-ROM) and you should be pretty safe.

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License.