Hello. I'm interested in running guests as read-only to turn them into a sort of virtualized "live-cd". The goal is to leave no forensic evidence on the host disk or virtual one which would lead to traces on the host still- similar to how TAILS works but with the added convenience and flexibility of running in a VM. If I set the qcow image to read-only as per the manual, will any changes made during a session be written to disk (or a transient file on disk)?
Peter Krempa
2018-Jun-26 06:22 UTC
Re: [libvirt-users] Read-only Guests for Anti-Forensics
On Sun, Jun 24, 2018 at 23:29:13 +0000, procmem wrote:
> Hello. I'm interested in running guests as read-only to turn them into a
> sort of virtualized "live-cd". The goal is to leave no forensic evidence
> on the host disk or virtual one which would lead to traces on the host
> still- similar to how TAILS works but with the added convenience and
> flexibility of running in a VM. If I set the qcow image to read-only as
> per the manual, will any changes made during a session be written to
> disk (or a transient file on disk)?

Filesystems such as ext4 require write access to the device so they can play back the journal when mounting. This means that you have to allow writes. If you want to be sure that the writes don't touch any image, you need to create an overlay qcow2 image which will catch the writes and dispose of it after the VM is turned off.
Francesc Guasch
2018-Jun-26 14:13 UTC
Re: [libvirt-users] Read-only Guests for Anti-Forensics
On 26/6/18 08:22, Peter Krempa wrote:
> On Sun, Jun 24, 2018 at 23:29:13 +0000, procmem wrote:
>> Hello. I'm interested in running guests as read-only to turn them into a
>> sort of virtualized "live-cd". The goal is to leave no forensic evidence
> If you want to be sure that the writes don't touch any image, you need
> to create an overlay qcow2 image which will catch the writes and dispose
> of it after the VM is turned off.
>

Shameless plug here, our tool, built on top of libvirt, has been used for this very same purpose. You can create a base, then clone it easily, do your things, then erase it. You can even create volatile clones, that get removed automatically on shutdown. It does it internally with qcow overlays as Peter advises there. Anyway the underlying disk drive may contain traces of the deleted filesystems. If you want to get rid of those too, you should wipe them somehow. We advertise it as a VDI tool but nothing stops you from using it with any kind of OS. https://ravada.upc.edu/
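The overlay approach Peter describes, combined with Francesc's point that a deleted overlay still leaves traces on the host disk, as an added example that is not from the thread or from Ravada: the throwaway qcow2 overlay is created on tmpfs so it never touches a disk filesystem. Assumed names: the base image /var/lib/libvirt/images/base.qcow2, the overlay directory /dev/shm, and a defined domain whose XML already points its disk at the overlay path.

```shell
#!/bin/sh
# Run a libvirt guest on a throwaway qcow2 overlay kept on tmpfs, so guest
# writes never reach the base image or the host disk. Paths are assumptions.
set -eu

BASE="${BASE:-/var/lib/libvirt/images/base.qcow2}"
OVERLAY_DIR="${OVERLAY_DIR:-/dev/shm}"        # tmpfs: RAM-backed, gone on reboot
OVERLAY="$OVERLAY_DIR/guest-overlay.qcow2"

# Arguments for qemu-img: a qcow2 overlay whose backing file is the base image.
# -F names the backing format explicitly so qemu never has to probe it.
overlay_args() {
  printf 'create -f qcow2 -F qcow2 -b %s %s' "$1" "$2"
}

# True when the directory lives on tmpfs. An overlay on a disk filesystem
# would leave exactly the deleted-file traces Francesc warns about.
is_tmpfs() {
  [ "$(stat -f -c %T "$1" 2>/dev/null)" = "tmpfs" ]
}

make_overlay() {
  # shellcheck disable=SC2046  (paths are assumed to contain no whitespace)
  qemu-img $(overlay_args "$1" "$2")
}

run_transient_guest() {
  domain="$1"
  is_tmpfs "$OVERLAY_DIR" || { echo "refusing: $OVERLAY_DIR is not tmpfs" >&2; return 1; }
  chmod a-w "$BASE"                   # base stays immutable; only the overlay is written
  rm -f "$OVERLAY"                    # never reuse a previous session's writes
  make_overlay "$BASE" "$OVERLAY"
  trap 'rm -f "$OVERLAY"' EXIT        # overlay discarded however the script ends
  trap 'exit 130' HUP INT TERM        # signals route through the EXIT trap
  virsh start "$domain"
  # Block until the guest powers off; the EXIT trap then drops the overlay.
  while virsh domstate "$domain" 2>/dev/null | grep -q '^running'; do
    sleep 5
  done
}

# Caveat: tmpfs pages can still be swapped out; disable swap or use encrypted
# swap on the host if that matters for your threat model.
if [ "$#" -ge 1 ]; then
  run_transient_guest "$1"
fi
```

Run it as `./transient-guest.sh <domain>`; the base image is only ever opened read-only by qemu, and the overlay disappears with the tmpfs mount even if the script is killed before its trap runs.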