August 2nd, 2006, 09:42 PM
#11
StealthAudit will provide information more from servers and Active Directory than from the individual workstation. Wireshark is an excellent tool that can track network traffic from the target machine. However, Wireshark will only show you what is passed across the network, not from the hard drive to the USB device. Wireshark will show you when a system goes off the line, though, as in a reboot. If the Live-CD is booted using network access, it may attempt to get DHCP for an IP address on the local network, and may attempt to pass some traffic if the local network gives it an IP number. Wireshark will capture that information. But that assumes that Wireshark is set up and running on a system connected to the same hub as the target system, at the time the target system is being compromised.
A keystroke logger, as mentioned in a previous post, may be worth looking at. The logger will capture keystrokes on the system and send them to the remote collector in chunks at random times. Wireshark will see this traffic, though it will probably be encrypted and unreadable right off the wire. Decryption of the traffic may take days, if a good encryption tool is used. Or seconds if a weak one is used.
A more likely scenario may involve a rootkit installed when the system is vulnerable (Doctor leaves keycard in system while going off to drain snake), and the rootkit searches and finds certain information on the local system, the servers and other workstations on the network, compiles it and ships it to a remote system (bad guys). Rootkit is virtually undetectable until Wireshark shows the reconnaissance of the network and the transmission of the file packages. Again, this assumes that you have a tool in place when the bad stuff happens so you can catch it, and you have alerts set for the type of activity you didn't know would be on your network.
SNORT may be a better tool to have in place in the network. The backstory justification can be that you are using SNORT for IDS and HIPAA compliance and have custom alerts for files leaving the network that contain certain data. SNORT can alert the network admin to the recon activity of the rootkit or the attempt to ship data to remote systems. This might alert, but the network admin may not have the pager on and won't see it until the next day, when it is too late?
Now I've gone and confused you. Just slap me.
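The kind of custom SNORT alerting the post above describes (recon by a rootkit, then sensitive data leaving the network) can be sketched as a small local rule set. This is an added illustration, not anything from the original thread or the Snort project; the `$HOME_NET`/`$EXTERNAL_NET` variables are the standard Snort defaults, the preprocessor line follows Snort 2 syntax, the "SSN:" marker and the SID numbers (1000000 and up are reserved for local rules) are constructed for the example.

```snort
# --- snort.conf fragment (Snort 2): catch the recon phase ---------------
# sfportscan flags a single host probing many ports/hosts on the LAN,
# which is what the rootkit's "search the servers and workstations" step
# looks like from the wire. sense_level low keeps noise down on a busy LAN.
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }

# --- local.rules: catch the exfiltration phase ---------------------------
# Rule 1: a health-record style marker (constructed: "SSN:" followed by a
# ###-##-#### pattern) seen in cleartext traffic heading OUT of the LAN.
# flow:to_server,established limits this to outbound client->server data.
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"LOCAL PHI marker in outbound payload (HIPAA policy)"; \
    flow:to_server,established; \
    content:"SSN:"; nocase; \
    pcre:"/SSN:\s*\d{3}-\d{2}-\d{4}/i"; \
    classtype:policy-violation; \
    sid:1000001; rev:1; \
)

# Rule 2: unusually large outbound transfer from a workstation to an
# address outside the LAN on a port the site does not normally use.
# dsize matches per packet, so this fires on full-size data packets;
# threshold keeps it to one alert per source per 5 minutes.
alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS ( \
    msg:"LOCAL bulk outbound transfer on non-web port"; \
    flow:to_server,established; \
    dsize:>1000; \
    threshold:type limit, track by_src, count 1, seconds 300; \
    classtype:policy-violation; \
    sid:1000002; rev:1; \
)

# Rule 3: an unexpected DHCP request on the LAN (e.g. a Live-CD booting).
# DHCP discover/request goes to the broadcast address on UDP 67.
alert udp any 68 -> 255.255.255.255 67 ( \
    msg:"LOCAL DHCP request seen on LAN - verify the client is a known host"; \
    classtype:network-scan; \
    sid:1000003; rev:1; \
)
```

Rule 1 only works while the data is still in cleartext; once the rootkit encrypts the package, as the post notes for the keylogger case, rules 2 and 3 and the portscan preprocessor are what remain useful.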