[libvirt-users] Read-only Guests for Anti-Forensics

Francesc Guasch frankie at telecos.upc.edu
Tue Jun 26 14:13:26 UTC 2018


On 26/6/18 08:22, Peter Krempa wrote:
> On Sun, Jun 24, 2018 at 23:29:13 +0000, procmem wrote:
>> Hello. I'm interested in running guests as read-only to turn them into a
>> sort of virtualized "live-cd". The goal is to leave no forensic evidence

> If you want to be sure that the writes don't touch any image, you need
> to create an overlay qcow2 image which will catch the writes and dispose
> of it after the VM is turned off.
> 

Shameless plug here, our tool, built on top of libvirt, has been
used for this very same purpose. You can create a base, then clone
it easily, do your things, then erase it. You can even create volatile
clones, that get removed automatically on shutdown.

It does it internally with qcow overlays as Peter advises there.

Anyway the underlying disk drive may contain traces of the deleted
filesystems. If you want to get rid of those too, you should wipe them
somehow.

We advertise it as VDI tool but nothing stops you from using it
with any kind of OS. https://ravada.upc.edu/
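
An added example, not part of the original message and not Ravada's or libvirt's code: a qcow2 overlay records its base image in the file header, so reading that header confirms that a clone really is an overlay of the intended base before it is booted and later discarded. The base path and the sample header bytes are constructed for the demonstration.

```python
import struct

QCOW_MAGIC = b"QFI\xfb"
# Start of the qcow2 header, big-endian: magic, version,
# backing_file_offset, backing_file_size, cluster_bits, virtual size.
HEADER = struct.Struct(">4sIQIIQ")
MAX_BACKING_NAME = 1023  # limit set by the qcow2 format


def describe_qcow2(blob):
    """Return version, virtual size and backing file name of a qcow2 image."""
    if len(blob) < HEADER.size:
        raise ValueError("too short for a qcow2 header")
    magic, version, b_off, b_len, _bits, size = HEADER.unpack_from(blob)
    if magic != QCOW_MAGIC:
        raise ValueError("not a qcow2 image")
    if version not in (2, 3):
        raise ValueError("unsupported qcow2 version %d" % version)
    backing = None
    if b_off:
        # Reject names that are too long or point past the data we were given.
        if b_len > MAX_BACKING_NAME or b_off + b_len > len(blob):
            raise ValueError("backing file name out of bounds")
        backing = blob[b_off:b_off + b_len].decode("utf-8", "replace")
    return {"version": version, "virtual_size": size, "backing_file": backing}


def is_overlay_of(blob, expected_base):
    """True only if the image is an overlay whose backing file is expected_base."""
    return describe_qcow2(blob)["backing_file"] == expected_base


def constructed_image(backing=None, virtual_size=10 << 30):
    """Build header bytes for the demo (constructed, not a complete image)."""
    name = backing.encode() if backing else b""
    offset = 104 if name else 0
    head = HEADER.pack(QCOW_MAGIC, 3, offset, len(name), 16, virtual_size)
    return head.ljust(104, b"\0") + name


BASE = "/var/lib/libvirt/images/base.qcow2"  # hypothetical path
SAMPLE_OVERLAY = constructed_image(BASE)
SAMPLE_STANDALONE = constructed_image()

if __name__ == "__main__":
    for label, blob in (("overlay", SAMPLE_OVERLAY), ("standalone", SAMPLE_STANDALONE)):
        print(label, describe_qcow2(blob), is_overlay_of(blob, BASE))
```

For a real image, pass the first 64 KiB of the file (`open(path, "rb").read(65536)`). An image that reports no backing file is standalone, so guest writes go into that file itself.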
