Imagine that you need to investigate a bunch of computers in a cybercafe, or even on a company network, to determine which PC was used to commit a crime or fraud. When you have some keywords, you could boot every single computer with a bootable CD (like our FCCU GNU/Linux Forensic CD), floppy disk or USB device. But what if the computers are stripped down (no CD or floppy drives, no USB ...) or what if you're just lazy (like every good power user)? That's where our FCCU-PXE method enters the game.

I would like to thank Kent Robotti, whose RIP (Recovery Is Possible) served as a great start!
1. "Abused" technology
The technology we are going to use is PXE (Preboot Execution Environment). Intel published the specifications. Basically, it comes down to: create a DHCP server with extended PXE-specific options, have a PXE boot server and a network bootstrap.

If you're not familiar with all these terms, don't panic: I have made a very simple script that will generate all this for you. The script will be part of the FCCU GNU/Linux Forensic CD, starting in version 10. The goal is that even non-Linux users must be able to use this method.

Just boot your laptop with the FCCU GNU/Linux Forensic CD and sit back until you see the Bash command line (something like "root@tty1#").
Now enter:

This script will ask you two questions:
1. Which keywords do you want to search for?
2. Which devices should be searched?

The keywords are the easy part: just type in the words you want to search for on the hard disk, one per line. When you're done, press F2 to save the file and F10
If you're new to Linux: most IDE hard drives in Linux systems are accessed as "/dev/hdx", where "x" can be:
- "a" for the first device on the first IDE controller (sometimes called "master")
- "b" for the second device on the first controller ("slave")
- "c" for the first device on the second IDE controller
- "d" for the second device on the second IDE controller

External USB disks or SATA disks are recognized as "/dev/sdx", where "x" is "a" for the first USB device, and so on.
If you're not sure how the internal hard drives will be recognized by the FCCU GNU/Linux Forensic CD, first boot one target computer with the CD and enter:

# cat /proc/partitions

This will show you enough information to continue.

You can enter more than one device (one per line). It doesn't hurt to put all the IDE devices in the list: if a device is not recognized, the script will just continue with the next one in the list. Once you have finished entering the hard drives, press F2 (save) and F10

Sit back, relax and the script will tell you when you can boot the client computers (this takes some time).
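As an added example (not the FCCU script itself), here is a minimal POSIX shell version of that search loop: it reads the keyword and device lists, greps each raw device for each keyword, and carries on when a device is missing or unreadable. The file names and the sample "disks" it creates in make_demo are constructed for the demo and are not from the original page.

```shell
#!/bin/sh
# Added example (not the FCCU script): search every listed device for every
# keyword, skipping devices that cannot be read, as the text describes.
# search_device DEVICE KEYWORD_FILE
#   prints "DEVICE KEYWORD COUNT" for each keyword found on the raw device;
#   returns 0 if something matched, 1 if nothing matched, 2 if DEVICE is unreadable.
search_device() {
    dev="$1"; kw="$2"; rc=1
    if [ ! -r "$dev" ]; then
        echo "skip: $dev not present or not readable" >&2
        return 2
    fi
    while IFS= read -r word; do
        [ -n "$word" ] || continue
        # -a: treat the raw disk as text; -F -i: literal, case-insensitive match;
        # -c: count matching "lines"; LC_ALL=C: byte-wise, no charset surprises.
        n=$(LC_ALL=C grep -a -c -i -F -- "$word" "$dev" || true)
        if [ "${n:-0}" -gt 0 ]; then
            echo "$dev $word $n"
            rc=0
        fi
    done < "$kw"
    return $rc
}

# search_all DEVICE_FILE KEYWORD_FILE
#   runs search_device over every device listed (one per line), continuing
#   past unreadable ones, then prints how many devices had at least one hit.
search_all() {
    hits=0
    while IFS= read -r device; do
        [ -n "$device" ] || continue
        if search_device "$device" "$2"; then
            hits=$((hits + 1))
        fi
    done < "$1"
    echo "devices with hits: $hits"
}

# make_demo: constructed sample input in a temp dir (two fake disks, one
# missing device, two keywords); prints the directory so callers can use it.
make_demo() {
    d=$(mktemp -d)
    printf 'GARBAGE\000\001\002 invoice-2007 \377\376\n\000Password123\000 invoice-2007\n' > "$d/hda"
    printf 'nothing interesting here\n' > "$d/hdb"
    printf '%s\n' "$d/hda" "$d/hdb" "$d/hdc" > "$d/devices"   # hdc does not exist
    printf '%s\n' "invoice-2007" "password123" > "$d/keywords"
    echo "$d"
}
```

Run it as `D=$(make_demo); search_all "$D/devices" "$D/keywords"`; on a real forensic boot the device list would hold entries such as /dev/hda, and the skip message on stderr shows which entries were not present.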
3. Boot the target computers
Before using the FCCU-PXE method you will need to verify that the target computer is able to boot from the PXE LAN (most computers made after 2001 are). This can be verified by checking the boot options in the computer's BIOS settings: you should see a "PXE" or "Network" boot option. After verifying that the computer is capable of booting using PXE, disable all boot options except the PXE/Network option. This helps to ensure that no other boot option is used when the computer is rebooted.

Be careful if you're working in a production environment: if there is already a DHCP server on the network, you could get strange results. To avoid this problem, I suggest that you take a hub or switch of your own to use with the FCCU-PXE method. Plug in your laptop together with all the PCs you want to investigate (the computers providing the DHCP service you can search separately, with a bootable CD-ROM) and you should be pretty safe.