Leave No Artifacts Behind – Linux Live CDs

February 24, 2009 | Linux

Using Linux Live CDs

Requirements

  • Linux Bootable Live CD

Why use a Linux Live CD?

There are a few good reasons to use a Linux Live CD for privacy, or to hide other activity on a machine. For example, when you browse the web, artifacts of what you did (cache, history, cookies) are written to the hard drive.

Even a browser mode such as Google Chrome’s “Incognito Mode” does not keep evidence off the disk. The browser may avoid writing its own history and cache, but the operating system can still page the browser’s memory out to Windows’ pagefile.sys, and remnants of temporary files are likely to end up in unallocated and slack space on the hard drive.

So how does a Linux Live CD leave no evidence behind?

If the distribution you are using does not auto-mount the other physical media attached to the computer (hard disks and so on) during startup, or mounts them read-only, then no data or timestamps on those disks change. Had you instead booted the operating system installed on one of those disks, you would have left all sorts of evidence of what you had been doing. Two caveats: a read-only mount of an ext3/ext4 file system can still replay the journal if the file system was not cleanly unmounted (mount with the noload option to prevent that), and some live distributions activate any swap partition they find on the internal disk, which writes memory contents to it.

On top of this, the live CD’s operating system keeps its file system in RAM. Once the computer is powered off there are no artifacts of what you did left on any physical disk in the system, unless you mounted one of the disks read/write and changed files, or the session used a swap partition on that disk. In most cases the computer’s RAM will not retain data for more than a few seconds after power is removed, which destroys the remaining evidence of what you did on that machine.
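To make “nothing on the internal disk changed” something you check rather than assume, here is an added example (not code from the original post) that audits a live session from /proc/mounts and /proc/swaps. It flags internal-disk partitions mounted read/write, ext3/ext4 partitions mounted without noload (the kernel can replay a dirty journal even on a read-only mount), and active swap partitions on the internal disk. The /proc text it runs on by default is constructed sample output, not captured from a real machine; pass --live to audit the machine it runs on.

```python
"""Audit a live-CD session for anything that could write to the internal disks.

Reads /proc/mounts and /proc/swaps (or the constructed samples below) and
reports internal-disk partitions mounted read/write, ext3/ext4 partitions
mounted without noload, and swap partitions on the internal disk.
"""
import re

# Constructed sample output, not captured from a real machine: a live session
# that auto-mounted the internal ext3 partition read/write and enabled the
# swap partition on the same disk.
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/sr0 /cdrom iso9660 ro,relatime 0 0
/dev/loop0 /rofs squashfs ro,noatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /media/disk ext3 rw,relatime,data=ordered 0 0
/dev/sda2 /media/win ntfs ro,nosuid,nodev 0 0
"""
SAMPLE_SWAPS = """\
Filename\t\t\t\tType\t\tSize\tUsed\tPriority
/dev/sda3                               partition\t1048572\t0\t-1
"""

# Device names that denote real disks (IDE, SATA/SCSI, virtio, NVMe).
DISK_DEV = re.compile(r"^/dev/(hd|sd|vd|nvme)")


def parse_mounts(text):
    """Parse /proc/mounts lines into (device, mountpoint, fstype, option set)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        dev, mnt, fstype, opts = fields[:4]
        entries.append((dev, mnt, fstype, frozenset(opts.split(","))))
    return entries


def audit_mounts(text):
    """Return (device, mountpoint, problem) for every risky internal-disk mount."""
    findings = []
    for dev, mnt, fstype, opts in parse_mounts(text):
        if not DISK_DEV.match(dev):
            continue  # CD, loop device, tmpfs: nothing on the internal disk changes
        if "rw" in opts:
            findings.append((dev, mnt, "mounted read/write"))
        if fstype in ("ext3", "ext4") and "noload" not in opts:
            findings.append((dev, mnt, "journal may be replayed; remount with ro,noload"))
    return findings


def audit_swaps(text):
    """Return the swap partitions listed in /proc/swaps (first line is a header)."""
    return [line.split()[0] for line in text.splitlines()[1:] if line.startswith("/dev/")]


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:  # audit the machine this runs on
        with open("/proc/mounts") as f:
            mounts = f.read()
        with open("/proc/swaps") as f:
            swaps = f.read()
    else:  # demonstrate on the constructed sample
        mounts, swaps = SAMPLE_MOUNTS, SAMPLE_SWAPS
    for dev, mnt, problem in audit_mounts(mounts):
        print("%s on %s: %s" % (dev, mnt, problem))
    for dev in audit_swaps(swaps):
        print("%s: swap partition active on the internal disk" % dev)
```

For a flagged partition the fix is to unmount it and remount it read-only with the journal untouched, for example umount /media/disk followed by mount -o ro,noload,noatime /dev/sda1 /media/disk, and swapoff /dev/sda3 for the swap partition. A hardware write blocker is still the only thing that makes the disk untouchable regardless of what the distribution does at boot.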

When I power off my machine, isn’t all data stored in RAM immediately lost?

Data in DRAM is not lost the instant a machine is powered down. The contents fade over a period that depends on temperature: at room temperature it is seconds, but chilling the modules (for example with a spray from an inverted can of compressed air) stretches that to minutes, long enough to move them to another machine and dump them. This is the “cold boot” attack described by Halderman et al. in 2008.

An example of where this might happen: say you have your laptop, with its single fully encrypted hard drive, locked at the Windows XP login prompt. You already provided the passphrase at startup, so the volume is mounted and its key is sitting in RAM. An examiner could spray the RAM with an inverted can of air to cool it, pull the modules, put them into another computer and use some sort of boot media to create a RAM dump. That dump probably contains your encryption key and whatever else was loaded in RAM. Locking the screen does not help here, and neither does suspend to RAM; only powering off and letting the contents fade does.
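How an examiner turns “whatever was in RAM” into the actual key: AES keeps its expanded key schedule in memory next to the key, and the schedule is a deterministic function of the key, so a memory image can be scanned for any 16 bytes that are followed by exactly the schedule AES-128 would derive from them. The following is an added example, not code from the original post, of that key-schedule search (the approach the 2008 cold-boot paper’s key finder took). The memory image is constructed here, with the FIPS-197 example key planted in random filler, and the tolerance for decayed bits covers only the schedule, not the 16 key bytes themselves.

```python
"""Locate AES-128 keys in a memory image by their expanded key schedule.

A 16-byte window that is followed by the 176-byte schedule AES-128 derives
from it is almost certainly a live key.  Decayed DRAM flips bits, so the
search optionally tolerates a few bit errors inside the schedule.
"""
import random

SCHEDULE_LEN = 176  # 11 round keys x 16 bytes
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _build_sbox():
    """Generate the AES S-box: inverse in GF(2^8), then the affine transform."""
    sbox = [0] * 256
    p = q = 1
    while True:
        # p walks every non-zero field element as successive powers of 3;
        # q tracks p's inverse by dividing by 3 at each step.
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        q = (q ^ (q << 1)) & 0xFF
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        affine = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        sbox[p] = affine ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()


def _g(word, rcon):
    """RotWord, SubWord, then XOR the round constant into the first byte."""
    rotated = word[1:] + word[:1]
    subbed = [SBOX[b] for b in rotated]
    subbed[0] ^= rcon
    return bytes(subbed)


def expand_key_128(key):
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule (44 words)."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [bytes(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = _g(w[i - 1], RCON[i // 4 - 1]) if i % 4 == 0 else w[i - 1]
        w.append(bytes(a ^ b for a, b in zip(w[i - 4], t)))
    return b"".join(w)


def _bit_errors(a, b):
    """Hamming distance between two equal-length byte strings."""
    return bin(int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).count("1")


def find_aes128_keys(dump, max_bit_errors=0):
    """Return (offset, key, bit_errors) for every AES-128 schedule found in dump.

    max_bit_errors tolerates bits that decayed inside the schedule; the 16
    key bytes themselves are assumed intact in this simplified finder.
    """
    hits = []
    for off in range(len(dump) - SCHEDULE_LEN + 1):
        key = dump[off:off + 16]
        # Cheap pre-filter: word 4 must be w[0] ^ g(w[3]) before we bother
        # expanding the whole schedule for this offset.
        w4 = bytes(a ^ b for a, b in zip(key[:4], _g(key[12:16], RCON[0])))
        if _bit_errors(w4, dump[off + 16:off + 20]) > max_bit_errors:
            continue
        errors = _bit_errors(expand_key_128(key)[16:], dump[off + 16:off + SCHEDULE_LEN])
        if errors <= max_bit_errors:
            hits.append((off, key, errors))
    return hits


# FIPS-197 Appendix A.1 example key, standing in for a mounted volume's key.
DEMO_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def make_dump(key, offset, size=8192, seed=1):
    """Constructed memory image: random filler with the schedule planted at offset."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    image[offset:offset + SCHEDULE_LEN] = expand_key_128(key)
    return bytes(image)


def flip_bits(data, bit_positions):
    """Simulate DRAM decay by flipping the given absolute bit positions."""
    image = bytearray(data)
    for bit in bit_positions:
        image[bit // 8] ^= 1 << (bit % 8)
    return bytes(image)


if __name__ == "__main__":
    dump = make_dump(DEMO_KEY, offset=4000)
    decayed = flip_bits(dump, [(4000 + 20) * 8 + 3, (4000 + 100) * 8 + 6])
    print("intact image:    ", find_aes128_keys(dump))
    print("decayed, strict: ", find_aes128_keys(decayed))
    print("decayed, 4 bits: ", find_aes128_keys(decayed, max_bit_errors=4))
```

Run as a script it reports the offset and key from the intact image, nothing from the decayed image under a strict match, and the key again with two bit errors once a little decay is tolerated. That is exactly why the cooling step matters: every extra second of fade means more flipped bits for the search to absorb, and a real finder also has to reconstruct flipped bits in the key itself from the redundancy of the schedule.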

You probably won’t have to worry about this when using a Live CD (or ever, for most people). Still, it is good to know this method of data retrieval exists.

What types of live CDs exist for Linux distributions?

There are a multitude of live Linux distributions to choose from. One of the most popular for taking forensic, bit-for-bit copies of hard drives is the HELIX3 live CD.

HELIX3 Live CD


Another very popular live distribution is the BackTrack series. These are geared towards penetration testing but also contain numerous forensics tools, and may well be the live CD you are using to hide your tracks on a local system in the first place.

BackTrack Linux live CD distribution


There are literally hundreds of other distributions that either offer a demo live CD or are themselves purely a live CD distribution. Just make sure the one you use is not auto-mounting other physical disks, or the partitions on them, with read/write access, unless you actually need to write something to that disk.

If you don’t want to cover your tracks with a live CD but are more interested in hiding everything on your drive (hey, it’s the only way to be sure) then you would be more interested in this article.

Don’t forget to take the CD with you when you leave. ;)


8 Comments


  1. Works like a charm :) It’s also possible to pull this trick with a usb stick.

    Instead of not mounting your drive, you could consider RO mounting. Then you can access documents or exploits for review/use and still leave no trace on the HD itself.

    If you move data out of the CD/USB environment, do not forget to encrypt it :)

    • Yes, great idea. Definitely use some form of encryption or data hiding. It won’t do you any good if you’re raided in connection to something and they find copies of files from the illegally accessed system on your thumb drive.

  2. On windows, I know disabling the page file would cause problems, but how about limiting its size? Would that be any help?

  3. A MICROWAVE OVEN takes care of that THUMBDRIVE incase of loud bangs on the door.

  4. by the way, this Windows boot CD is easy to use and works

  5. Any secure Linux LiveCD that comes with Vidalia?
    Also, how would I be able to use some of my bookmarks in Firefox/Opera if I am booting up with a live CD? Do I have to download them as an HTML file from my email / a file share site each time and then load them up, or could I access the bookmark file from a partition on my hard disk?

  6. I’ve been using this method for quite some time now. But instead of those Linux distros mentioned above, I use Puppy Linux. Also, instead of constantly booting from a live CD, which is sometimes quite slow, I did a manual “frugal” install of the OS on my hard disk. With that method the OS boots faster than from a live CD but keeps the same effect as booting from a live CD: a fresh OS every boot. After every session, Puppy Linux will ask if you want to save the data that you generated during the session in your user space. I personally prefer not to save anything. But if you really want to save your session, it gives you the option to encrypt your user space.
