How to determine if notebook has been accessed by live usb O/S

Discussion in 'privacy problems' started by Willmar, Dec 25, 2015.

  1. Willmar

    Willmar Registered Member

    Oct 29, 2013
    Is this possible to tell?

    I'm thinking that if Windows itself hasn't been booted there won't be any traces there.

    USBDeview doesn't show anything.
  2. amarildojr

    amarildojr Registered Member

    Aug 8, 2013
    I don't think there are easy ways of telling. Most non-HD memories are volatile and get destroyed after reboot or shutdown.
  3. deBoetie

    deBoetie Registered Member

    Aug 7, 2013
    To monitor as opposed to prevent, I think you'd have to be looking at physical tells.

    Any logging would have to be at BIOS level, not aware of mainstream BIOS that would do that.

    Is your concern OS/data (FDE would be a control for that, or TPM secure boot), or someone messing with the MBR etc (Evil Maid)?
  4. Palancar

    Palancar Registered Member

    Oct 26, 2011
    Yep, I think all three of us are wondering how to help you. I'd say you are safe if your computer doesn't have a hard drive. If it does have a Windows OS on a hard drive I would recommend using full disk encryption on Windows to make sure nothing changes on the hard drive. LIVE disks are designed not to change stuff on the hard drive, but operator errors allow for accidents, which is why I recommend encryption to eliminate traces from such errors.
  5. MisterB

    MisterB Registered Member

    May 31, 2013
    Southern Rocky Mountains USA
    There are some BIOSes that might be able to do this. There is an Intel module that is in many of their processors referred to as AMT that could in theory do this. It is a module with a separate processor running its own code that can check the integrity of the main system and can't be touched by it. It can run when a laptop is turned off as long as there is a battery in it. As far as I can tell, it is mainly used by corporate IT systems to monitor employee laptops and I'm sure it could log all USB access if programmed to do so and report that access to whoever administrates it. Scary stuff but interesting too. I haven't checked Intel to see if I can get the software to administer it myself but I wouldn't mind playing with it a bit if I had the right software.
  6. inka

    inka Registered Member

    Oct 21, 2009
    For several years now, nearly all hard drives contain an inbuilt S.M.A.R.T. controller.
    Continually, during operation, the controller cumulatively logs events/stats regarding the drive.

    You can use a freeware S.M.A.R.T. diagnostics utility, on demand, to read the logged data.
    The "detail of interest" for you, here, is "POH" (power-on-hours).
    At shutdown, if you check (and jot down, for later reference) the POH total...

    ...when you next use the laptop, recheck the POH value to determine whether the laptop has been powered on during your absence.


    a related note:

    Check the features/settings provided by the notebook's BIOS. You'll probably find that you can selectively restrict / disable individual boot devices. If so, consider marking the settings to disallow boot from USB devices and/or CD-ROM, then apply an administrative BIOS setup password.
    Last edited: Dec 28, 2015
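
The power-on-hours check from the post above, as an added example that is not part of the original thread: it parses two saved readings in the attribute-table format printed by smartmontools' `smartctl -A` (an assumed choice of S.M.A.R.T. utility) and compares them. It goes beyond the post by also comparing Power_Cycle_Count, because the hour counter only moves once per hour of use; the sample rows, function names and the one-hour tolerance are constructed for illustration.

```python
import re

WATCHED = ("Power_On_Hours", "Power_Cycle_Count")

# Constructed sample `smartctl -A` rows (not from a real drive): reading at
# shutdown, then the reading taken right after the owner's next boot.
HEADER = "ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE\n"
AT_SHUTDOWN = HEADER + """\
  9 Power_On_Hours          0x0032   095   095   000    Old_age   Always       -       4021
 12 Power_Cycle_Count       0x0032   099   099   000    Old_age   Always       -       1187
"""
AT_NEXT_BOOT = HEADER + """\
  9 Power_On_Hours          0x0032   095   095   000    Old_age   Always       -       4021
 12 Power_Cycle_Count       0x0032   099   099   000    Old_age   Always       -       1189
"""

def parse_smart(text):
    """Return {attribute: raw counter} for the watched rows of `smartctl -A` output."""
    values = {}
    for line in text.splitlines():
        fields = line.split()
        # Attribute rows start with a numeric ID and carry the raw value in column 10.
        if len(fields) >= 10 and fields[0].isdigit() and fields[1] in WATCHED:
            raw = re.match(r"\d+", fields[9])  # some drives print e.g. "4021h+12m+03.100s"
            if raw:
                values[fields[1]] = int(raw.group())
    return values

def unexplained_use(baseline, current, own_boots=1):
    """Compare two readings; own_boots is how many times the owner powered on in between."""
    findings = []
    extra = current["Power_Cycle_Count"] - baseline["Power_Cycle_Count"] - own_boots
    if extra > 0:
        findings.append(f"{extra} unexplained power cycle(s)")
    hours = current["Power_On_Hours"] - baseline["Power_On_Hours"]
    if hours > 1:  # assumption: tolerate one tick from the counter rolling over during your own boot
        findings.append(f"{hours} power-on hours added")
    return findings

if __name__ == "__main__":
    before, after = parse_smart(AT_SHUTDOWN), parse_smart(AT_NEXT_BOOT)
    print(before, after, unexplained_use(before, after))
```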