Leave No Artifacts Behind – Linux Live CDs

Using Linux Live CDs

Requirements

• Linux Bootable Live CD

Why use a Linux Live CD?

There are a few main reasons to use Linux Live CDs for privacy or to hide some of your other activities. For example, when you are browsing web pages there are artifacts or evidence of what you’ve done being cached to the hard drive.

If you are using a browser that has a function like Google Chrome’s “Incognito Mode” then there is still evidence of your activities being cached. One place is the Windows pagefile.sys. Other remnants will probably end up in the unallocated and slack space on the hard drive.

So how does a Linux Live CD leave no evidence behind?

If the distribution you are using does not auto-mount other physical media (hard disks, etc.) attached to the computer during startup or mounts these drives as read-only, then there will be no changes to any data or timestamps on any mounted hard disk attached to that system. Where if you had been using the operating system on one of the attached hard disks, then you would have just left all sorts of evidence of what you’ve been doing behind.

On top of this, the live CD’s operating system is using RAM to store the file system. What this means is that once the computer has been powered off there will be no artifacts or evidence of what you’ve done left on any physical disk in the system. That is unless you had mounted one of the disks with read/write access and proceeded to manipulate files. The computers RAM will in most cases not retain data for more than a few seconds. Thus destroying evidence of what you’ve done on that machine.

When I power off my machine, isn’t all data stored in RAM immediately lost?

Data in DRAM is not immediately lost when a machine is powered down. The data has a “fade” time based on current temperature. It is possible to dump data from RAM that has been cooled down with a spray from an inverted can of compressed air.

An example of where this might happen is lets say you have your laptop (which has one hard drive fully encrypted) locked at the Windows XP login prompt. You’ve already provided the passkey at startup to get to this point. If an examiner wanted to, they could spray the RAM with an inverted can of air to cool it and then remove it from the machine. They could then put the RAM into another computer and with some sort of boot media create a RAM dump that probably contains your encryption key and whatever else was currently loaded in RAM.

You probably won’t have to worry about this when you’re using a Live CD (or worry about it ever anyways). However, it is good to know that this method of data retrieval exists.

What types of live CDs exist for Linux distributions?

There are a multitude of live Linux distributions that can be used. One of the most popular for making forensic copies of hard drives or bit for bit copies of a hard drive is the HELIX3 live cd.

HELIX3 Live CD

Another very popular live distribution is the BackTrack series. These are geared towards penetration testing but they also contain numerous forensics tools. This may very well be the live CD you are using to hide your tracks on a local system in the first place.

Backtrack Linux live CD Distribution

There are literally hundreds of other distributions out there that offer a demo live CD or are themselves just a live CD distribution. You’ll just need to make sure that the distribution you are using is not auto-mounting other physical disks and the partitions on them with read/write access. Unless maybe you need to write something to that disk for whatever reason.

If you don’t want to cover your tracks with a live CD but are more interested in hiding everything on your drive (hey, it’s the only way to be sure) then you would be more interested in this article.

Don’t forget to take the CD with you when you leave.