What traces are left after booting by usb?

boot usb hard-drive security drive

8,054

Solution 1

Many disks store a counter of power-on cycles, readable via SMART. (For example, in Windows one could use CrystalDiskInfo -- in all these screenshots you can read the "Power On Count" on the right hand side of the window https://www.google.com/search?q=crystaldiskinfo&source=lnms&tbm=isch)

This counter will be sensitive to booting off a different disk, but it won't be specific (the counter would also increase for entry to the BIOS setup screen, or a case where power was turned off again before loading the OS).

Because this counter is controlled by the drive's electronics, there is nothing that the Ubuntu software on the USB stick can do to prevent it from updating. It might be possible in some cases to clear or re-write the counter, but this would be specific to the disk model / firmware version and clearing the counter would still be detectable.

Some system BIOSes also keep a log of system events. I haven't seen one that records booting from removable media, but it is certainly feasible.

Of course you may also leave physical traces on the USB port itself, such as disturbing an oxidation layer.

Solution 2

Is it true that a bootable Ubuntu USB drive does not allow anything to be written to the computer's hard drive?

No. You can mount the disks and write all over them. After all, the USB stick is the main way Ubuntu users install Ubuntu for the first time.

But by default, Ubuntu won't mount anything you don't tell it to.

So if you didn't mount whatever partition "C:" is in reality, it would leave no trace of having been booted to Ubuntu.

Solution 3

Answer to 1.:

Ubuntu USB boot normally not even mounts the HDD/SSD of your system, and if mounted, it is read-only unless you tell Ubuntu to treat it as read and write.

Answer to 2.:

There will be no trace of an USB session unless you write to your HDD/SSD (see answer 1).

Solution 4

Be very careful of some answers on this page, It is very easy to write to and/or destroy the data on your internal drive(s) when running off of a Live or Persistent flashdrive..

I am using a pendrive install to write this, when I kook at Unity I see all of my internal partitions are mounted.

If I open gparted and want to modify, format or delete a partition, It generally first needs to be un-mounted.

While in gparted nothing needs to be un-mounted to create a new partition table and wipe the internal drive.

It can also be very dangerous to use dd from a flash drive, one very small error and everything on any drive can be wiped.

The answer to your second question is true, there may be no trace left of your bootable USB session or anything else.

No password is required for root permission on most Live and Persistent USB drives

Live and persistent installs are safe enough but learn the risks.

Solution 5

A live Ubuntu USB session leaves no traces whatsoever on the hard drive of the computer it is booted on unless Ubuntu is installed on the hard drive from the live USB session, and installing Ubuntu from an Ubuntu live USB or making changes to the computer's hard drive is not necessary, only optional.

View more solutions

8,054

Seeker

Updated on September 18, 2022

Comments

Seeker over 1 year
1. Is it true that a bootable Ubuntu USB drive does not allow anything to be written to the computer's hard drive?
2. If so, would a computer with an SSD drive, like mine, also be left with no trace of a bootable USB session?
Seeker over 7 years

I am understanding from these good answers that SSD drives are just as immune to unwanted traces as HDD drives when booting by USB. Nice to know.
Videonauth over 7 years

Well if you write to your SSD then there might be traces too, thought that it was needless to say but will update my answer accordingly.
Soren A over 7 years

You can mount and write on local disks, without installing Ubuntu, so your answer is wrong.
Soren A over 7 years

I would say that there are no difference in immunity to unwanted traces between SSD and HDD .
kasperd over 7 years

Does this remain true of there is a usable swap partition on the SATA drive?
MSalters over 7 years

@kasperd: systemd-gpt-auto-generator will check a GPT and auto-detect swap partitions, but it only checks the "root disk". It would be rather bad if a system accidentally used swap space from a removable volume. But you can rely on the root volume being non-removable.
kasperd over 7 years

@MSalters Does that mean it looks for swap partitions on the same disk as the root file system but not on any other disks?
MSalters over 7 years

@kasperd: That's at least how I read the documentation. But keep in mind that there's some trickery going on during boot with initramfs and switch_root (or initrd and pivot_root) which may be slightly different for some USB-based distro's.
Byte Commander over 7 years

I tested on a VM with Ubuntu 16.04 (64 bit, UEFI mode) installed which has a separate 4GB swap partition. Booting that VM from a 16.04 iso image (installation/live DVD) will result in a live system with the disk's swap partition mounted and activated automatically. I don't know how the live system decides which swap partitions to mount, but it definitely does it sometimes.
ianorlin over 7 years

@Bytecommander on the server and lubuntu alternate and mini command line install When you install it asks to unmount drives already in use so it does use it.
Meninx - メネンックス over 7 years

When I boot a Live or persistent flash drive most all partitions on the computer are already mounted. In gparted it is necessary to unmount most partitions before deleting, formatting, or shrinking. It is not necessary to unmount anything to create a new partition table and wipe the internal drive.
heemayl over 7 years

this counter is controlled by the drive's electronics precisely the disk firmware.
mckenzm over 7 years

If it uses the swap partition, too bad if hibernation data was stored in it.
mckenzm over 7 years

Of course it has be cycled, a reboot does not count ?
mckenzm over 7 years

In fact one of the popular reasons for mounting a live distro is to re-image the internal disk from a clone or a master, and if it is a windows disk, to delete or rename certain files. It is, however, possible to leave no trace. If in doubt, open the box and unplug the disk.
Meninx - メネンックス over 7 years

My understanding is that a Persistent/Live install starts looking for a casper-rw partition starting with sda then works it way through the alphabet, I believe this is also true for swap.
Ben Voigt over 7 years

@mckenzm: Depending on the power system design, a reboot might or might not involve briefly removing power from peripherals such as disks, and depending on the disk controller design, there might be sufficient capacitance to carry it through a short removal of power.
Jonas Schäfer over 7 years

The information (warning) about swap should be edited into the answer.
Seeker over 7 years

Would you be so kind as to translate that into layman's language? The question I sought to have answered, qualified now in response to this flood of answers, was simply this: if I run Ubuntu on a USB and do nothing whatsoever to access the computer's HDD or SSD, can any trace of my activity be leaked onto them?
Meninx - メネンックス over 7 years

As long as the computer does not have a swap partition, a casper-rw partition, you are careful where you save things, you do not use gparted, boot-repair, click the install icon, type "sudo" or "dd" or try to back anything up, you should be OK. If it as a Live USB, (without persistence), and the internal drive is Windows just don't type "sudo" or use any utilities.
Admin over 7 years

@C.S.Cameron You're comment above is the actual answer: As longer as there are no swap or casper-rw and nothing else gets mounted, explicitly or inadvertently, a live session won't touch the internal drives. Otherwise, it may, may being the operative word here. Even so, swap is not preserved and any traces of usage during a live session aren't "visible" to anyone but forensic specialists.
Meninx - メネンックス over 7 years

The answer to the OP's question No 1 is, no it is not true, Ubuntu does allow things to be written to a computer's hard drive. No 2 is also not true, the computer can be left with many traces of the USB session, including a new operating system. The OP has qualified his question and the new answer is, that the internal drive is safe as long as the user is careful and knows what he is doing, I wiped out the hard on a work computer just one month ago, but I am not careful and I like to experiment.
Meninx - メネンックス over 7 years

Thank you CelticWarrior I have added that comment to my answer.