Virtual Anti-Forensics

by Israel

No matter who we are, most of us have a secret.

Not just any secret, but one we would rather bury dead babies than talk about.  With that being said, I, the author, only endorse the use of this article for legal usage.  I hold no responsibility if this article is used otherwise.  The purpose of this is to help secrets remain secret!

First of all, I'm going to make an assumption that you have Linux installed on your hard drive and some form of software to play virtual machines.  Additionally, because Mac OS X, like Linux, was forged from the flames of UNIX, these techniques may work there as well.  I'm also sure the following is different, but possible, on Windoze.  For now we'll just stick with Linux.

We are now going to hypothetically paint a picture that you just can't seem to get a Jonas Brothers' song out of your head.

You secretly like one guitar solo but would just die if anyone found out.  What's worse is that your roommate is a nosy forensics expert who is always searching your drive when you are away at work.  (It's a stretch, just go with me for a minute).

Worse yet, he's getting smarter.

Not only can he search your drive, he can search your RAM!  We could use a live Linux distribution, but that's no good against a cold boot attack.  Even though the disk was never touched, the RAM still holds tons of traces of your every step until it is eventually overwritten.  All you want is to hear that guitar solo before work, but he would never let you live down a secret obsession with the Jonas Brothers.  Who would?

First, we open our command line in Linux and take a few steps:

# cd /dev/shm
# mkdir mine
# cd mine
# wget http://www.backtrack.com/download.iso

Most of this should be self explanatory.

The /dev/shm directory might be a little new to you.  Much like the /proc directory, this is a virtual file system.  The only difference is that we can't create directories in /proc, even as root.

/dev/shm looks like it's a normal directory, but nothing here is saved to disk.

I know what some of you are thinking: "Wait!  When RAM is full, this will also be paged into swap which is on disk!"  We'll get to that later.

For now just know that we made a directory there called "mine" then downloaded and moved an ISO file of the ever popular BackTrack into it.  Any live distribution should work here, and we can call the directory we made anything we want.  The important part is that we download with GNU Wget from the /dev/shm/mine directory so it is not downloaded to disk.

Now we need to copy a virtual machine already on our disk to this directory.

For now we will just pretend that the virtual machine we copied from disk has Windoze XP installed on it.  Just go ahead and copy the whole folder the VM is in to /dev/shm/mine.

If we were using VMWare Workstation, we could easily go into the machine's settings under the hardware tab, select CD/DVD, and choose to boot from an ISO file instead of the current OS on the virtual disk.

We change this to the location of our BackTrack ISO in /dev/shm and load it up.  Now we are going to be running BackTrack from the virtual RAM of the virtual machine.  We do our dirty work from inside here.  We start up Firefox and finally listen to that song on YouTube.

It's almost time for work, though!

After we log out of BackTrack, we copy the original instance of the XP machine folder to /dev/shm/mine again.

When asked, choose to overwrite the file.  This is very important because if we merely deleted this virtual machine, it could still be easily recovered.

Overwriting the file would help force the data in that memory location to be changed.

We could also rename and overwrite the BackTrack ISO with another ISO if we felt the need.  Another possibility could be to overwrite the "mine" folder we created with another containing pictures or something else.  Now our stalker roommate will have the challenge of searching for our secret inside the overwritten RAM of a virtual machine that is spread across overwritten locations of RAM and swap.
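Here is a small set of shell helpers for the workflow above.  This is an added example, not code from the original article; the function names are my own, and it assumes Linux with GNU coreutils (stat -f -c %T, dd with conv=notrunc, tr with octal escapes).  It checks that a directory really is RAM-backed tmpfs, overwrites a file's bytes in place the way the article relies on instead of just deleting it, and counts active swap areas, which is the one way tmpfs contents can still end up on disk.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes Linux + GNU coreutils.
# Function names are this example's own.

# Print the filesystem type backing a path ("tmpfs" for /dev/shm on most
# Linux systems, something like "ext2/ext3" for an on-disk volume).
fs_type_of() {
    stat -f -c %T "$1"
}

# Succeed only if the path lives on tmpfs, i.e. in RAM (and, under memory
# pressure, swap) rather than on the hard drive.
is_tmpfs() {
    [ "$(fs_type_of "$1" 2>/dev/null)" = "tmpfs" ]
}

# Overwrite a file's contents with zeros, keeping its length.
# rm only drops the directory entry; on tmpfs the pages that held the old
# bytes stay allocated until the kernel reuses them, which is why the article
# overwrites the VM folder instead of deleting it.
zero_fill() {
    f="$1"
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -gt 0 ] || return 0
    # conv=notrunc writes into the existing pages instead of truncating the
    # file and allocating fresh ones (whole file goes through one dd buffer,
    # fine for a demo; use GNU shred -z for a multi-GB ISO)
    dd if=/dev/zero of="$f" bs="$size" count=1 conv=notrunc 2>/dev/null
}

# Count bytes that are still non-zero in a file (0 after a good zero_fill).
nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Count active swap areas in a /proc/swaps-style table (default: the real
# one). Anything above 0 means /dev/shm pages can be written to disk.
count_swap_areas() {
    swaps_file="${1:-/proc/swaps}"
    awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }' "$swaps_file"
}

# Constructed sample /proc/swaps content so the example runs offline
SAMPLE_SWAPS="$(mktemp)"
cat > "$SAMPLE_SWAPS" <<'EOF'
Filename                                Type            Size    Used    Priority
/dev/sda2                               partition       8388604 0       -2
EOF

if [ "${1:-}" = "demo" ]; then
    if is_tmpfs /dev/shm; then
        echo "/dev/shm is tmpfs"
    else
        echo "/dev/shm is $(fs_type_of /dev/shm), not tmpfs"
    fi
    echo "active swap areas (sample table): $(count_swap_areas "$SAMPLE_SWAPS")"
    echo "active swap areas (this host):    $(count_swap_areas)"
fi
```

Run it with `sh script.sh demo`.  If `count_swap_areas` reports anything above zero on your box, the "we'll get to that later" problem from above is live: pages from /dev/shm can be paged out, so overwriting in RAM does not touch the copy that may already be sitting in the swap partition.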

If he can pull this off, my hat is off to him.

But for now, no one knows my secret.  Except you...
