Nerdpedes,
have a look at
https://security.stackexchange.com/questions/64915/what-are-the-biggest-security-concerns-on-pxe
Best of:
I can capture a full machine image. Do your systems automatically connect to the domain controller after setting up the machine? If so, this image probably has domain controller credentials on it, that I can capture and use elsewhere.
Computer makes a DHCP request --> DHCP server responds with address and PXE parameters --> Computer downloads boot image using TFTP over UDP
If the good guys got the traffic at that low level, unencrypted, then they would have it all.
It depends. Data written to a flash or SSD drive, before either deleting the file and/or reformatting can often be recovered -- easily so, if that region of the drive has not yet been rewritten over with other data. If it has, there are forensic IT tools which can still sometimes recover the old data using statistical analysis and other techniques.
However, an OS which is loaded via PXE, and running in RAM only would leave very little evidence behind, assuming all operations it performed were also in RAM only, once the machine were rebooted (clearing anything in RAM). Analyzing what was previously only in RAM is also possible, but requires more expertise, and favorable conditions.
Also worth mentioning, is that some newer computers and devices often have a built-in 'side computer' which can be running and even accessed remotely, even when the main computer is turned off. The marketing reason for this is to enable remote administration/IT assistance, even when a machine has crashed or is not booted nor powered on.
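The DHCP-then-TFTP exchange quoted above is what makes a PXE image visible to anyone on the segment. The Python below is an added example, not code from the thread or the linked Stack Exchange answer: it parses constructed DHCP offer and TFTP request payloads (built inline, with made-up addresses and the common `pxelinux.0` file name) and reports which boot server and boot file are advertised in the clear, the sort of inventory a defender wants before deciding whether those images can carry domain credentials or need to move to a verified boot path. Packet capture itself is left out; the function takes already-extracted UDP payloads.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2132 magic cookie after the 236-byte BOOTP header
OPT_MSG_TYPE, OPT_TFTP_SERVER, OPT_BOOTFILE, OPT_END = 53, 66, 67, 255
DHCP_OFFER = 2
TFTP_RRQ = 1                              # TFTP opcode 1 = read request


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} for a BOOTP/DHCP packet's option area."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == 0:                     # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def pxe_params_from_offer(payload: bytes):
    """Extract the boot server and boot file a DHCP OFFER hands to a PXE client, or None."""
    opts = parse_dhcp_options(payload)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCP_OFFER]):
        return None
    siaddr = ".".join(str(b) for b in payload[20:24])           # 'next server' field
    file_field = payload[108:236].split(b"\x00", 1)[0]         # legacy 128-byte file field
    bootfile = opts.get(OPT_BOOTFILE, file_field).decode(errors="replace")
    server = opts.get(OPT_TFTP_SERVER, b"").decode(errors="replace") or siaddr
    return {"server": server, "bootfile": bootfile}


def parse_tftp_request(payload: bytes):
    """Decode a TFTP RRQ/WRQ: 2-byte opcode, filename\\0, mode\\0."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (1, 2):
        return None
    parts = payload[2:].split(b"\x00")
    if len(parts) < 2:
        return None
    return {"opcode": opcode, "filename": parts[0].decode(errors="replace"),
            "mode": parts[1].decode(errors="replace")}


def audit_boot_traffic(packets):
    """packets: iterable of (udp_dst_port, payload). Returns (kind, detail) findings."""
    findings = []
    for dport, payload in packets:
        if dport == 68:                                          # DHCP client port: server -> client
            p = pxe_params_from_offer(payload)
            if p and p["bootfile"]:
                findings.append(("pxe-offer", f"{p['server']} {p['bootfile']}"))
        elif dport == 69:                                        # TFTP well-known port
            r = parse_tftp_request(payload)
            if r and r["opcode"] == TFTP_RRQ:
                findings.append(("tftp-read", r["filename"]))
    return findings


def build_dhcp_offer(siaddr: str, bootfile: str, tftp_server: str) -> bytes:
    """Constructed DHCP OFFER for the demo (not a captured packet)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      2, 1, 6, 0, 0x1234, 0, 0x8000,
                      b"\x00" * 4, bytes([192, 0, 2, 50]),        # ciaddr, yiaddr
                      bytes(int(x) for x in siaddr.split(".")),   # siaddr
                      b"\x00" * 4, b"\x00" * 16, b"\x00" * 64,    # giaddr, chaddr, sname
                      bootfile.encode().ljust(128, b"\x00"))      # file
    opts = (bytes([OPT_MSG_TYPE, 1, DHCP_OFFER])
            + bytes([OPT_TFTP_SERVER, len(tftp_server)]) + tftp_server.encode()
            + bytes([OPT_BOOTFILE, len(bootfile)]) + bootfile.encode()
            + bytes([OPT_END]))
    return hdr + DHCP_MAGIC + opts


# Constructed sample traffic: one PXE offer, the client's TFTP read of the boot file, one unrelated DNS payload.
SAMPLE_PACKETS = [
    (68, build_dhcp_offer("192.0.2.10", "pxelinux.0", "192.0.2.10")),
    (69, b"\x00\x01pxelinux.0\x00octet\x00"),
    (53, b"\x12\x34"),
]

if __name__ == "__main__":
    for kind, detail in audit_boot_traffic(SAMPLE_PACKETS):
        print(f"{kind}: {detail}")
```

Every finding here comes from plaintext fields, which is the point the thread makes: nothing in DHCP option 66/67 or a TFTP read request is protected, so the mitigation is on the image side (no embedded domain-join or service credentials in the boot image, and signed images verified at boot) rather than in the transport.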
Thank you for the great info. To your last statement, I know some HP enterprise servers have a separate NIC and ROM for remote built in.
HP, Dell, IBM. They all have that. DRAC or iLO, each their own version of the same thing. Access to power cycle, BIOS, and to the OS if it is running.
IME