Building a Stealth PC
(Last updated 14 Nov 2013)
A stealth PC lets you surf the web, do your social media, read email,
and a lot of other on-line activities, then power down and leave no
local trace of your activities. The websites you visited may have
a record of your activities, but there will be little or no sign on
your machine of what you've done or where you've been. No
malware, no keyloggers, no add-ons, no plug-ins; nothing.
You can build a stealth PC from nearly any kind of computer, but a
laptop works best. As for the rest of the equipment you need,
here's the whole list.
PC: Ideally a laptop, with at least 1 GB of RAM, though you can actually
get by with as little as 256 MB, depending on your uses. Note that you
will be removing the hard drive from this PC, so if you can get a deal on
a working PC with no hard drive, go for it.
SD/SDHC/microSDHC card: Just about anything over 256 MB will do, and
speed is not an issue. I would go with a major brand; I usually use
SanDisk, though I've had good luck with others, as well.
USB SD reader/writer: Again, stick with a name brand; IOGear and Vivitar
work for me.
An SD locker: This is a small device that can change the
TMP_WRITE_PROTECT bit in the CSD register of a valid SD card. You can
find plans for just such a device here on my website.
A small Linux distro that can run on a RAM disk: I can definitely
recommend Puppy Linux for this; I'm using Precise Puppy (5.7.1), Retro
version.
I started my research on stealth PCs because of a recent seminar I
attended on digital forensics. The instructor described many ways
that information can be pulled from a PC after use, and showed how he
reconstructed emails and web browsing history from a confiscated laptop
as part of an earlier case. The seminar left me wondering what it
would take to create a PC that left no local trace of its use.
The result of my research follows.
Here you see a Vivitar USB-to-SD card adapter at the top, with two
different versions of SDHC cards below. The microSD card (left) and
associated adapter (center) create an 8 GB SDHC card usable for a
stealth PC. For this build, I used the standard-size SanDisk 8 GB
SDHC card on the right.
Here is the adapter plus SDHC card, installed in the Acer laptop and
ready to boot. Once the BIOS settings are updated to boot from USB
before searching the hard drive, a reboot will load and run the image
from the SDHC card. At this point, you can actually remove the
PC's hard drive; it won't be needed for the stealth PC, and removing
it could save you from inadvertently scrambling its contents later.
Here you see my working stealth PC kit. Left to right in front is
the IOGear USB adapter, a spare microSDHC adapter, and my working
microSDHC Puppy boot card. Behind them are the HP nx6325 laptop,
with the SD locker device open and resting on the keyboard. All
of the small bits fit neatly in the SD locker's Altoids box, which in
turn fits in my pocket. Have stealth PC, will travel.
The following sections describe how I built the current version of my
stealth PC and provide tips on changes you might want to make when
building yours.
Set up the PC
I used two PCs in this project. I started with an Acer Extensa
5620 laptop for my initial tests. But this is my portable
embedded dev machine and I didn't want to pull the hard drive from
it. So I headed to RE-PC in Tukwila (south of Seattle) and
checked out some of their refurb laptops. I ended up with an HP
nx6325 laptop with 2 GB of RAM, in very good shape, for $60.
Perfect for a stealth PC!
Whichever PC you choose, it must support booting from a USB
drive. This shouldn't be a problem with anything from the last
five years or so, but be sure to check.
After I got the HP home, I powered it up to check it out. It
booted fine but the fan was REALLY loud, far louder than I wanted to
endure. I hit the HP site for tips and one of the techs had
posted a comment about blowing compressed air into the box.
Seemed silly but it was easy to try. I was surprised when it
worked perfectly! The key is to NOT open or disassemble the
laptop. Just aim the compressed air into the open vents in the
side of the case and give about a five-second shot into each major
vent. I hit the large vent over the fan with a few seconds
extra. When I powered up the laptop, the fan was so quiet that I
had to put my head down near the vent even to tell that the fan was
turning. Great tip!
Finally, I turned the laptop over, undid the cover over the hard drive,
and carefully removed the drive. It won't be needed for the
stealth PC and it is simply an extra load on the power supply and an
extra landing zone for malware.
Loading Puppy
I stopped by the Puppy Linux site and downloaded the PrecisePuppy 5.7.1
Retro ISO image. At 200 MB, this release is much larger than the
Standard version, but its collection of drivers supports a wider array
of hardware, including some really old stuff, like analog modems. If
you want, you can download both versions and play around with them; you
might find the Standard release works fine for you.
I burned the ISO image to a blank CD. Since I was working on a
Mac, I opened Disk Utility, selected the .iso image, then burned that
image to a CD to create my Puppy Linux live CD. In the Windows
world, use a suitable CD burning tool to create your live CD.
I put my new Puppy Linux live CD in the HP laptop. This machine
has 2 GB of RAM. Puppy runs from
RAM after booting and the Retro version needs about 200 MB of
RAM, so there's plenty of space left over on the RAM drive for apps.
When I booted Puppy from the CD, I ended up in a very friendly setup
procedure. Actually, I was pretty amazed at how careful and
methodical the Puppy developers made this setup. Tasks such as
defining your keyboard, time zone and screen resolution were handled in
a simple setup wizard, with lots of text explaining alternative choices
and how you can change your settings later. I've used several
Linux distros in the past and this setup was by far the most helpful
and easiest.
Once I got to the Puppy desktop, I clicked (single-click, for you
Windows users!) the Install icon in the upper-left area of the
desktop. This opened an application for doing either of two kinds
of installs. You use this same app for installing the full Puppy
Linux to an alternate device, or for starting the Package Manager for
adding applications to your Puppy system. In my case, I chose the
first option offered, and clicked the button to start the Universal
Installer.
I plugged in my USB device, which was a Vivitar USB to SDHC adapter,
holding a SanDisk 8 GB SDHC card. Using the prompts offered by
the Universal Installer, I selected USB Flash drive as my media, then
selected the drive (only one was offered, /dev/sda). Note that
Puppy helps avoid serious mistakes here. You are only presented
with media of the type you selected; you cannot accidentally install to
another device, such as your hard drive. A small point, perhaps,
but other distros don't offer this protection, and this is a nice touch
for noobs.
Puppy then scanned my USB drive and reported its current
partitioning. The SD card had two partitions on it, a small vfat
and a larger ext4. The Installer offered me the option to modify
the partitioning. Since I wanted a single ext2 partition, I
clicked the button for changing the partitions. (I chose ext2
because that file system is not journaled. Journaled file systems
can leave multiple copies of data in your files, making it almost
impossible to wipe or shred files completely. See below for more
details.)
The Installer launched the GParted partition editor, along with a large
text file explaining some of the choices available in GParted (again, a
nice touch for noobs). In the GParted window, I clicked
Device/Create Partition Table, then clicked OK to create a single
MS-DOS partition table for the SD card.
Next task is to format the partition to ext2. I
right-clicked in
the partition description near the bottom of the table (where the words
unallocated appear), then selected New. I was offered a page for
selecting the layout and type of the new partition. I chose ext2
but left the other options unchanged, giving me a single ext2 partition
that spanned the entire SD card. I then clicked Add, which
returned me to the main GParted window.
This makes a pending task, that of creating the partition. To
execute this task and actually create the partition, I then clicked
Apply. After a bit of churning, my SD card was ready. I was
done with GParted at this point, so I exited the utility. This
returned me to the Installer.
Now the Installer showed me that /dev/sda contained an 8 GB ext2
partition and offered to install Puppy Linux to that device. I
clicked the top button in the window to start the install. When
prompted to choose the source of the Puppy files, I clicked the CD
button (make sure you have the CD in the drive when you do this).
The Installer then asked about the master boot record (MBR). I
chose the mbr.bin option, based on the comments provided. Puppy
offers several notes about changes you might
want to make; again, very friendly advice.
At this point, the Installer noticed a problem; I had not set the boot
flag when I created the ext2 partition (doh!). So the Installer
offered me the option of going back into GParted to fix the
problem. The Installer even told me exactly what I needed to do
in GParted. I set the boot flag, exited GParted, and the
Installer continued. Note that some other distros would have simply
continued with the install, leaving you with an SD card that
mysteriously wouldn't boot. If you didn't know enough to check
the boot flag, you would have been in for a very frustrating experience.
I saw a couple of windows, each providing information on the next step
and requiring a keyboard response. One in particular prompted me
to set up the SD card so Puppy was moved into RAM on boot; be sure to
accept this option. After a lot of churning and writing, my SD
card installation was complete. To test the install, I clicked
Menu/Shutdown/Reboot computer.
At this point, Puppy offered to set up a save area on the SD
card. This save area is where you will later (optionally) store
any changes you have made to the Puppy system. Remember that
Puppy runs in RAM, so any changes, such as adding an application or
changing browser settings, will
also live in RAM and will disappear when you power-cycle your
machine. To retain these changes, Puppy must write them to a save
area, usually on your USB device. Puppy offered me several
choices for setting up my save area. I went with a 4 GB area on
my SD card, adding the text "karl" to the name of the save file.
Note that writing the save file the first time can take
several minutes; just be patient.
In the future, when I power-down the computer, Puppy will automatically
update my save file PROVIDED that I don't have the TMP_WRITE_PROTECT bit
set on the SD card. This means that I can clear the bit to save changes
I've made to the system if I choose, or I can leave the
TMP_WRITE_PROTECT bit set and prevent Puppy from modifying my SD card
image.
Note that the Puppy desktop also includes a big, red Save button.
You can click this at any time during your session to do an immediate
save, again assuming the TMP_WRITE_PROTECT bit on your SD card is
cleared.
Note also that if you leave the TMP_WRITE_PROTECT bit set and shut down
Puppy,
Puppy whines about not being able to write to the SD card, but
continues the shut-down; the system doesn't hang, waiting for the drive
to become magically writeable.
So using Puppy as part of a stealth PC is easy. Do your install,
then do a shut down, which lets you create the initial save file.
From then on, boot Puppy with the SD card's TMP_WRITE_PROTECT bit
set. If you need to do a save at any point, just clear the
TMP_WRITE_PROTECT bit, do the save, then set the TMP_WRITE_PROTECT bit.
If you don't intend to save your session at all, you can even remove
the SD card after Puppy finishes loading its image into RAM; if you
later shut down, Puppy will complain that the SD card disappeared, but
will still shut down gracefully.
Note that removing the SD card is preferable to removing the USB
device. Should you ever need to reinstall the USB adapter in the same
session, it will enumerate as a new drive. This could confuse Puppy or
some applications, as they would be expecting the original drive
identifier. Removing and reinstalling the SD card does not change the
USB device's enumeration.
More about the TMP_WRITE_PROTECT bit
The TMP_WRITE_PROTECT bit is part of a register found in all SD cards
that conform to the SD Group's specification. Although some OSes
support access to this bit, I don't know of one that allows simple
set/clear access. Besides, you really want to use a separate
device to manipulate this bit, to avoid inadvertent modification to
your SD card by other applications.
The SD locker mentioned above has only two functions; it sets or it
clears the TMP_WRITE_PROTECT bit. It is a standalone,
battery-powered device, housed in an Altoids box. If you are good
with soldering and have a well-stocked parts bin, you should be able to
build a similar device in a weekend or two. Note that the page
linked above includes schematic and full source code.
Please note that the little slide switch on the SD/SDHC cards is NOT a
write-lock switch, no matter how it is labeled. And yes, I know
that you can slide that to the LOCK position and Windows will refuse to
format the card if you put it into your laptop's SD card slot.
But according to the SD Group's specification, the switch explicitly
does NOT connect to any electronics in the card. Windows claims
that it isn't modifying the card because it is write-locked, but
applications outside of Windows, or other OSes, can choose to ignore
the write-lock tab and modify the SD card anyway.
From now on, when I refer to an SD card being write-locked, I mean that
the TMP_WRITE_PROTECT bit is set. Just ignore the write-lock tab
on your SD card; it's useless for a stealth PC.
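As an added example that is not part of the original article, here is a small shell script that decodes the two write-protect bits from a card's 128-bit CSD register, so you can confirm the lock state from a Linux console instead of trusting the slide tab. The bit positions follow the SD Physical Layer specification: TMP_WRITE_PROTECT is CSD bit 12 and PERM_WRITE_PROTECT is bit 13 (counting from the least significant bit). The two sample CSD strings are constructed for the demonstration, not dumps from real cards. The sysfs path mentioned in the comments is the kernel's attribute for cards in a native SD/MMC slot; a card behind a USB reader appears as a SCSI disk and does not expose its CSD that way, which is one reason the SD locker is a separate device.

```shell
#!/bin/sh
# Added example (not from the original article): decode the write-protect
# bits of an SD card's CSD register from its 32-hex-digit dump.
# Bit numbering follows the SD Physical Layer spec (bit 0 is the LSB):
#   TMP_WRITE_PROTECT  = CSD bit 12 (clearable; what the SD locker toggles)
#   PERM_WRITE_PROTECT = CSD bit 13 (one-way; a permanently locked card)
# On Linux, a card in a native SD/MMC slot exposes its CSD as
# /sys/bus/mmc/devices/<id>/csd; a card behind a USB reader does not.

# csd_bit CSD_HEX BIT -> prints 1 if the bit is set, 0 otherwise;
# returns 2 if CSD_HEX is not exactly 32 hex digits
csd_bit() {
    csd=$1
    bit=$2
    case $csd in
        *[!0-9a-fA-F]*) echo "csd_bit: not hex: $csd" >&2; return 2 ;;
    esac
    [ "${#csd}" -eq 32 ] || { echo "csd_bit: need 32 hex digits" >&2; return 2; }
    # byte 0 of the dump holds bits 127..120, so bit N lives in byte 15 - N/8
    byte_idx=$(( 15 - bit / 8 ))
    start=$(( byte_idx * 2 + 1 ))
    byte_hex=$(printf '%s' "$csd" | cut -c"$start"-"$((start + 1))")
    mask=$(( 1 << (bit % 8) ))
    if [ $(( 0x$byte_hex & mask )) -ne 0 ]; then echo 1; else echo 0; fi
}

tmp_write_protect()  { csd_bit "$1" 12; }
perm_write_protect() { csd_bit "$1" 13; }

# report CSD_HEX -> one-line summary; returns 0 only when the card is
# temporarily write-locked, which is the state you want before booting
report() {
    t=$(tmp_write_protect "$1") || return 2
    p=$(perm_write_protect "$1") || return 2
    echo "TMP_WRITE_PROTECT=$t PERM_WRITE_PROTECT=$p"
    [ "$t" = 1 ]
}

# Constructed sample CSDs (not real card dumps); they differ only in bit 12.
CSD_UNLOCKED=400e00325b590000766d7f800a4000b9
CSD_LOCKED=400e00325b590000766d7f800a4010b9
```

To check a card sitting in a laptop's own SD slot, feed the script's functions the contents of the sysfs attribute, for example `report "$(cat /sys/bus/mmc/devices/mmc0:0001/csd)"` (the `mmc0:0001` id is whatever the kernel assigned). A result of `TMP_WRITE_PROTECT=0` before a stealth session means the locker was not applied, or the card was swapped.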
Installing new software
Puppy offers a nicely designed package manager, which you can use to
install new software. You can find the package manager from the
Menu button in the bottom-left corner of the screen. Just select
Menu/Setup/Puppy Package Manager. You will be offered a search
box (Find:) where you can type in information on the package you might
like to add. For example, entering "mp3 player" brings up seven
different packages, including a full-screen mp3 player, a song
librarian, and a command-line interface to the Diamond Rio
player. If you know specifically what you want to install, you
can type that into the Find: window, as well. For example,
entering "vlc" brings up several packages, including the full VLC
multimedia playback app (version 2.0.8, in my case).
The Puppy package installation process is simple, friendly (seems like
I use that word a lot), and seems robust. However, you need to be
aware of an artifact of running Puppy from live CD or live USB, as I've
described below.
The Puppy Package Manager (PPM) uses a database of apps to determine
the dependencies for each app you try to download. The PPM
assumes that this database is resident on your machine. But if
the database on your machine is stale, which is very likely, given that
you are probably booting from either a live CD or a live USB created
from a CD, trying to install a popular app will likely fail because the
dependencies won't be correctly resolved.
You get around this problem in the PPM by clicking the "Configure
package manager" button, then clicking "Update now" to download the
newest version of the database to your machine. Once your machine
has the newest database, you should be able to install any package you
can find in the PPM. If you are new to installing packages, I
suggest you try a couple just to practice.
For example, I typed "basic" into the Find box and clicked Go.
The PPM showed several packages with "basic" in the description,
including the Bywater BASIC interpreter. I selected that package
in the right-hand window of the PPM display, and the PPM popped up a
preinstall window, telling me that all of the dependencies for this
program were already satisfied on my system. I then clicked the
Install button at the bottom of the window. The PPM then offered
me a choice of URLs from which to install; I stayed with the default
choice (archive.ubuntu.com) and clicked "Download packages". The
PPM did some fast window flashing, and two seconds later, a pop-up
announced that the Bywater BASIC interpreter had been installed on my
system; I clicked "OK" to remove the window. The PPM then did a
quick check for any missing dependencies, found none, and gave me an OK
button to click.
At this point, the Bywater BASIC interpreter is installed, but there
is no icon on the desktop to click. So I went to the desktop,
clicked the console icon in the upper-left of the screen to get a
command prompt, then typed
"bwbasic". This started the BASIC interpreter. I played
with it for a bit, then entered "quit" to exit. At the console
command prompt, I then typed "whereis bwbasic"; the system informed me
that bwbasic is stored in /usr/bin/bwbasic.
Uninstalling software
OK, I was done playing with
bwbasic. I went back to the PPM and looked through the packages
listed in the lower-right pane of the window. I scrolled to the
bottom of the pane to find bwbasic listed. When I clicked on that
entry, the Puppy Package Manager popped up a window asking if I wanted
to remove bwbasic. I clicked OK, Puppy thought for a couple of
seconds, then the PPM informed me that bwbasic had been removed, a fact
I confirmed by entering "bwbasic" at the command prompt and getting a
"No such file or directory" error.
A side effect of installing software
As I was installing packages, I noticed that Puppy accessed the USB
drive, even though I had not specifically requested a save. I
suspected that Puppy was modifying the USB drive instead of working
solely with the RAM image. To test this theory, I opened a
console window and performed an md5 sum of the USB drive with
md5sum /dev/sda
(the /sda part may be different for your SD card) and jotted down the
last eight digits (note that this operation takes a
few minutes on large SD cards). I installed bwbasic using the
PPM, then returned to the console and reran the above command.
The resulting sum differed from the first sum, so Puppy did indeed
write to the SD card during the install.
I uninstalled bwbasic, confirmed it was removed, then unplugged the USB
drive and reinstalled bwbasic from the PPM. Even though the USB
drive was missing, Puppy installed the app properly and the app ran
from the console as expected. As soon as I reinserted the USB
drive, Puppy did a save of RAM to the device.
Moral of the story is that you can install apps to the RAM version of
your system without touching the USB drive provided you either remove
the SD card or write-lock the card. If you know you're going to
keep whatever app you plan to install, you can just leave the drive in
place, but if you think you might not keep the app and don't want any
writes to your SD card, protect or remove it.
Using your stealth PC image
After you have your SD card contents the way you want them, remove the
card from the USB adapter and write-lock the SD card, then return the
card to the USB adapter; Puppy should pop up an icon for the SD card on
the desktop. From a console in Puppy, generate the md5 sum for
the SD card as above. Jot down at least the last eight digits of
the resulting sum and keep this info with your stealth PC SD card.
So long as you keep the SD card write-locked, this md5 sum should not
change.
Periodically rerun the md5 sum for the SD card and confirm the
resulting sum. If you ever see a difference, some application was
able to modify the write-lock on your card and the contents are now
suspect.
Note that you can boot this SD card in all manner of PCs, not just your
original stealth PC. You can take this SD card and adapter to a
friend's or parent's house and use it in their PC, confident that even
if they have malware on their machine, it won't contaminate your
stealth PC.
There will be times when you want to save something you've found on the
web. Rather than unlock your boot SD card, consider carrying
around a small USB flash drive. Note that this will give you a
vector for picking up malware, so there are some risks.
Additionally, there might be traces of your web use left on the flash
drive, even beyond the files you knowingly saved there. Still, if
you need to save something, you certainly don't want to risk corrupting
your boot SD card.
More info on Puppy Linux and security
Puppy Linux running on a RAM drive on my laptop is really
responsive. It has been such a pleasant experience that I
actually prefer this setup for most PC activities short of
gaming. The SeaMonkey browser is quick, Flash videos play
smoothly, sound support is excellent, and the package installer
provides a seamless way to manage apps. Even if you don't need a
stealth PC, Puppy deserves a look as a possible desktop/laptop system,
especially on old boxes with under-powered (by today's standards) CPUs.
The Puppy forums are quite active and filled with excellent information
on all aspects of Puppy. You can even find a 64-bit version of
Puppy, called Fatdog64, if you want to try out a 64-bit distro.
Note that I haven't tried Fatdog64 and cannot offer any personal
experience.
Puppy is preconfigured to do an auto-save of RAM to the boot device
every 30 minutes. To disable this auto-save feature, use
Menu/System/Puppy Event Manager/Save Session, set the interval to 0
(never), then click OK. Remember to do a save (click the Save
icon on the desktop) to a write-enabled SD card to keep this setting.
Here is a discussion of using an earlier version of Puppy for secure
banking and browsing: http://www.ciphersbyritter.com/COMPSEC/ONLSECP5.HTM
That link also includes some excellent information on hardening
your browser, making it less vulnerable to malicious downloads and web
links. Even though you will likely be surfing with the write-lock
enabled, there's no sense risking contamination of your RAM image if
you can avoid it.
Consider modifying Puppy's hosts file, as a kind of first line of
defense while web browsing. You can find the hosts file in
/etc/hosts. This is a simple text file containing several lines
of information. Each line consists of an IP address, usually
127.0.0.1, followed by at least one space and a hostname (a bare name
such as ad.doubleclick.net, not a full URL). The hosts file lets you
deny access to hosts before Puppy even tries to look up an address.
For example, if you add the line:
127.0.0.1 ad.doubleclick.net
to your hosts file, any website you hit that tries to reach that host
will be denied access by Puppy. This isn't a firewall and it
isn't a foolproof guard against picking up malware, but it can cut down
on some of the crap you have to wade through while surfing. Be
sure to remove the write-lock from your SD card and save the changes
you make to the hosts file, then relock the card.
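Editing /etc/hosts by hand is easy to get subtly wrong: a pasted URL with a scheme or path never matches anything, and repeated edits leave duplicate lines. The following script is an added example, not part of the original article or of Puppy; it validates that an entry is a bare hostname, checks whether an active (non-comment) line already blocks the name, and appends the `127.0.0.1 name` form the article uses only when needed. The file path is a parameter so you can try it on a copy; the sample hosts file it builds is constructed for the dry run, and on the Puppy box the real file is /etc/hosts.

```shell
#!/bin/sh
# Added example (not from the original article): maintain hosts-file block
# entries of the kind the article describes, safely and idempotently.
# The file path is a parameter so the functions can be tried on a copy;
# on the Puppy box the real file is /etc/hosts (unlock the card, edit, save).

# hosts_valid_name NAME -> 0 if NAME is a bare hostname, 1 otherwise.
# A hosts file maps names, not URLs: "http://ad.example/x" never matches.
hosts_valid_name() {
    case $1 in
        ""|*/*|*:*|.*|*.|*..*) return 1 ;;
        *[!A-Za-z0-9.-]*)      return 1 ;;
    esac
    return 0
}

# hosts_is_blocked FILE NAME -> 0 if an active (non-comment) line already
# maps NAME to 127.0.0.1 or 0.0.0.0, 1 otherwise
hosts_is_blocked() {
    awk -v name="$2" '
        /^[[:space:]]*#/ { next }
        ($1 == "127.0.0.1" || $1 == "0.0.0.0") {
            for (i = 2; i <= NF; i++) if ($i == name) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# hosts_block FILE NAME -> append "127.0.0.1 NAME" unless already present.
# Returns 0 on add or already-present, 2 on a malformed name.
hosts_block() {
    file=$1; name=$2
    if ! hosts_valid_name "$name"; then
        echo "hosts_block: '$name' is not a bare hostname (no scheme, path or port)" >&2
        return 2
    fi
    if hosts_is_blocked "$file" "$name"; then
        echo "already blocked: $name"
        return 0
    fi
    printf '127.0.0.1 %s\n' "$name" >> "$file"
    echo "blocked: $name"
}

# make_sample_hosts -> path of a constructed hosts file (not a real system
# file) for a dry run; mirrors the article's ad.doubleclick.net example
make_sample_hosts() {
    f=$(mktemp) || return 2
    cat > "$f" <<'EOF'
127.0.0.1 localhost puppypc
# 127.0.0.1 commented.example   <- commented-out lines are ignored
127.0.0.1 ad.doubleclick.net
EOF
    printf '%s\n' "$f"
}
```

Typical use on the unlocked card is `hosts_block /etc/hosts tracker.example` (a placeholder name), followed by a click on the desktop Save button and relocking the card; running the same command twice is harmless, and a pasted URL is rejected with a message instead of silently producing a line that blocks nothing.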
There has been a lot of web discussion on using ext2, ext3, and other
file systems securely. Much of the discussion involves ext3 and
other journaling file systems, which complicate the ability to erase
data from files. The gist of the argument is that while you can
erase all the contents of a file on a journaled system, copies of the
data may still be available in other parts of the file system that are
not explicitly part of the erased file. This means that (some or
all of) the file's contents can be recovered. You can find several
discussions of this on the web, for starters; one of them, from
Stanford, discusses a program called scrub, which is available in the
Puppy Package Manager. I intentionally chose to use an ext2 file
system on my Puppy install to avoid the journaling issue.
Finally, there has been much discussion on the web about recovering
forensic data from a PC's SDRAM, even following power-cycling.
The theory seems to be that the RAM retains some state information over
time, even when no power is applied. To that end, there are
utilities on the web such as the secure-delete suite that include
programs for zero-filling a RAM disk image before shutdown. I
have not (yet) explored these tools, mostly because I currently have no
way of reading the RAM on bootup to check for data. It's an
intriguing area of research. The forensics seminar touched
briefly on tools for pulling data from RAM, and since the forensics
team would most likely get a box that had been powered down for some
time, perhaps there's something to the theory.