Building a Stealth PC
(Last updated 14 Nov 2013)


A stealth PC lets you surf the web, do your social media, read email, and a lot of other on-line activities, then power down and leave no local trace of your activities.  The websites you visited may have a record of your activities, but there will be little or no sign on your machine of what you've done or where you've been.  No malware, no keyloggers, no add-ons, no plug-ins; nothing.

You can build a stealth PC from nearly any kind of computer, but a laptop works best.  As for the rest of the equipment you need, here's the whole list.

PC  Ideally a laptop, with at least 1 GB of RAM, though you can actually get by with as little as 256 MB, depending on your uses.  Note that you will be removing the hard drive from this PC, so if you can get a deal on a working PC with no hard drive, go for it.

SD/SDHC/microSDHC card  Just about anything over 256 MB will do, and speed is not an issue.  I would go with a major brand; I usually use SanDisk, though I've had good luck with others, as well.

USB SD reader/writer  Again, stick with a name brand; IOGear and Vivitar work for me.

An SD locker  This is a small device that can change the TMP_WRITE_PROTECT bit in the CSD register of a valid SD card.  You can find plans for just such a device here on my website.

A small Linux distro that can run on a RAM disk  I can definitely recommend Puppy Linux for this; I'm using Precise Puppy (5.7.1), Retro version.

I started my research on stealth PCs because of a recent seminar I attended on digital forensics.  The instructor described many ways that information can be pulled from a PC after use, and showed how he reconstructed emails and web browsing history from a confiscated laptop as part of an earlier case.  The seminar left me wondering what it would take to create a PC that left no local trace of its use.  The result of my research follows.

USB-to-SD card adapter and cards

Here you see a Vivitar USB-to-SD card adapter at the top, with two different versions of SDHC cards below.  The microSD card (left) and associated adapter (center) create an 8 GB SDHC card usable for a stealth PC.  For this build, I used the standard-size SanDisk 8 GB SDHC card on the right.

Ready to boot

Here is the adapter plus SDHC card, installed in the Acer laptop and ready to boot.  Once the BIOS settings are updated to boot from USB before searching the hard drive, a reboot will load and run the image from the SDHC card.  At this point, you can actually remove the PC's hard drive; it won't be needed for the stealth PC, and removing it could save you from inadvertently scrambling its contents later.

My stealth PC tools

Here you see my working stealth PC kit.  Left to right in front is the IOGear USB adapter, a spare microSDHC adapter, and my working microSDHC Puppy boot card.  Behind them are the HP nx6325 laptop, with the SD locker device open and resting on the keyboard.  All of the small bits fit neatly in the SD locker's Altoids box, which in turn fits in my pocket.  Have stealth PC, will travel.

The following sections describe how I built the current version of my stealth PC and provide tips on changes you might want to make when building yours.


Set up the PC
I used two PCs in this project.  I started with an Acer Extensa 5620 laptop for my initial tests.  But this is my portable embedded dev machine and I didn't want to pull the hard drive from it.  So I headed to RE-PC in Tukwila (south of Seattle) and checked out some of their refurb laptops.  I ended up with an HP nx6325 laptop with 2 GB of RAM, in very good shape, for $60.  Perfect for a stealth PC!

Whichever PC you choose, it must support booting from a USB drive.  This shouldn't be a problem with anything from the last five years or so, but be sure to check.

After I got the HP home, I powered it up to check it out.  It booted fine but the fan was REALLY loud, far louder than I wanted to endure.  I hit the HP site for tips and one of the techs had posted a comment about blowing compressed air into the box.  Seemed silly but it was easy to try.  I was surprised when it worked perfectly!  The key is to NOT open or disassemble the laptop.  Just aim the compressed air into the open vents in the side of the case and give about a five-second shot into each major vent.  I hit the large vent over the fan with a few seconds extra.  When I powered up the laptop, the fan was so quiet that I had to put my head down near the vent even to tell that the fan was turning.  Great tip!

Finally, I turned the laptop over, undid the cover over the hard drive, and carefully removed the drive.  It won't be needed for the stealth PC and it is simply an extra load on the power supply and an extra landing zone for malware.


Loading Puppy
I stopped by the Puppy Linux site and downloaded the PrecisePuppy 5.7.1 Retro ISO image.  At 200 MB, this release is much larger than the Standard version, but its collection of drivers supports a wider array of hardware, including some really old stuff, like analog modems.  If you want, you can download both versions and play around with them; you might find the Standard release works fine for you.

I burned the ISO image to a blank CD.  Since I was working on a Mac, I opened Disk Utility, selected the .iso image, then burned that image to a CD to create my Puppy Linux live CD.  In the Windows world, use a suitable CD burning tool to create your live CD.

I put my new Puppy Linux live CD in the HP laptop.  This machine has 2 GB of RAM.  Puppy runs from RAM after booting and the Retro version needs about 200 MB of RAM, so there's plenty of space left over on the RAM drive for apps.

When I booted Puppy from the CD, I ended up in a very friendly setup procedure.  Actually, I was pretty amazed at how careful and methodical the Puppy developers made this setup.  Tasks such as defining your keyboard, time zone and screen resolution were handled in a simple setup wizard, with lots of text explaining alternative choices and how you can change your settings later.  I've used several Linux distros in the past and this setup was by far the most helpful and easiest.

Once I got to the Puppy desktop, I clicked (single-click, for you Windows users!) the Install icon in the upper-left area of the desktop.  This opened an application for doing either of two kinds of installs.  You use this same app for installing the full Puppy Linux to an alternate device, or for starting the Package Manager for adding applications to your Puppy system.  In my case, I chose the first option offered, and clicked the button to start the Universal Installer.

I plugged in my USB device, which was a Vivitar USB to SDHC adapter, holding a SanDisk 8 GB SDHC card.  Using the prompts offered by the Universal Installer, I selected USB Flash drive as my media, then selected the drive (only one was offered, /dev/sda).  Note that Puppy helps avoid serious mistakes here.  You are only presented with media of the type you selected; you cannot accidentally install to another device, such as your hard drive.  A small point, perhaps, but other distros don't offer this protection, and this is a nice touch for noobs.

Puppy then scanned my USB drive and reported its current partitioning.  The SD card had two partitions on it, a small vfat and a larger ext4.  The Installer offered me the option to modify the partitioning.  Since I wanted a single ext2 partition, I clicked the button for changing the partitions.  (I chose ext2 because that file system is not journaled.  Journaled file systems can leave extra copies of your file data elsewhere on the disk, outside the file itself, making it almost impossible to wipe or shred files completely.  See below for more details.)

The Installer launched the GParted partition editor, along with a large text file explaining some of the choices available in GParted (again, a nice touch for noobs).  In the GParted window, I clicked Device/Create Partition Table, then clicked OK to create a single MS-DOS partition table for the SD card.

Next task is to format the partition to ext2.  I right-clicked in the partition description near the bottom of the table (where the words unallocated appear), then selected New.  I was offered a page for selecting the layout and type of the new partition.  I chose ext2 but left the other options unchanged, giving me a single ext2 partition that spanned the entire SD card.  I then clicked Add, which returned me to the main GParted window.

This makes a pending task, that of creating the partition.  To execute this task and actually create the partition, I then clicked Apply.  After a bit of churning, my SD card was ready.  I was done with GParted at this point, so I exited the utility.  This returned me to the Installer.

Now the Installer showed me that /dev/sda contained an 8 GB ext2 partition and offered to install Puppy Linux to that device.  I clicked the top button in the window to start the install.  When prompted to choose the source of the Puppy files, I clicked the CD button (make sure you have the CD in the drive when you do this).

The Installer then asked about the master boot record (MBR).  I chose the mbr.bin option, based on the comments provided.  Puppy offers several notes about changes you might want to make; again, very friendly advice.

At this point, the Installer noticed a problem; I had not set the boot flag when I created the ext2 partition (doh!).  So the Installer offered me the option of going back into GParted to fix the problem.  The Installer even told me exactly what I needed to do in GParted.  I set the boot flag, exited GParted, and the Installer continued.  Note that some other distros would have simply continued with the install, leaving you with an SD card that mysteriously wouldn't boot.  If you didn't know enough to check the boot flag, you would have been in for a very frustrating experience.

I saw a couple of windows, each providing information on the next step and requiring a keyboard response.  One in particular prompted me to set up the SD card so Puppy was moved into RAM on boot; be sure to accept this option.  After a lot of churning and writing, my SD card installation was complete.  To test the install, I clicked Menu/Shutdown/Reboot computer.

At this point, Puppy offered to set up a save area on the SD card.  This save area is where you will later (optionally) store any changes you have made to the Puppy system.  Remember that Puppy runs in RAM, so any changes, such as adding an application or changing browser settings, will also live in RAM and will disappear when you power-cycle your machine.  To retain these changes, Puppy must write them to a save area, usually on your USB device.  Puppy offered me several choices for setting up my save area.  I went with a 4 GB area on my SD card, adding the text "karl" to the name of the save file.

Note that writing the save file the first time can take several minutes; just be patient.

In the future, when I power-down the computer, Puppy will automatically update my save file PROVIDED that I don't have the TMP_WRITE_PROTECT bit set on the SD card.  This means that I can clear the bit to save changes I've made to the system if I choose, or I can leave the TMP_WRITE_PROTECT set and prevent Puppy from modifying my SD card image.

Note that the Puppy desktop also includes a big, red Save button.  You can click this at any time during your session to do an immediate save, again assuming the TMP_WRITE_PROTECT bit on your SD card is cleared.

Note also that if you leave the TMP_WRITE_PROTECT bit set and shut down Puppy, Puppy whines about not being able to write to the SD card, but continues the shut-down; the system doesn't hang, waiting for the drive to become magically writeable.

So using Puppy as part of a stealth PC is easy.  Do your install, then do a shut down, which lets you create the initial save file.  From then on, boot Puppy with the SD card's TMP_WRITE_PROTECT bit set.  If you need to do a save at any point, just clear the TMP_WRITE_PROTECT bit, do the save, then set the TMP_WRITE_PROTECT bit.  If you don't intend to save your session at all, you can even remove the SD card after Puppy finishes loading its image into RAM; if you later shut down, Puppy will complain that the SD card disappeared, but will still shut down gracefully.

Note that removing the SD card is preferable to removing the USB device.  Should you ever need to reinstall the USB adapter in the same session, it will enumerate as a new drive.  This could confuse Puppy or some applications, as they would be expecting the original drive identifier.  Removing and reinstalling the SD card does not change the USB device's enumeration.


More about the TMP_WRITE_PROTECT bit
The TMP_WRITE_PROTECT bit is part of a register (the CSD) found in all SD cards that conform to the SD Group's specification.  Although some OSes support access to this bit, I don't know of one that allows simple set/clear access.  Besides, you really want to use a separate device to manipulate this bit, to avoid inadvertent modification to your SD card by other applications.

The SD locker mentioned above has only two functions; it sets or it clears the TMP_WRITE_PROTECT bit.  It is a standalone, battery-powered device, housed in an Altoids box.  If you are good with soldering and have a well-stocked parts bin, you should be able to build a similar device in a weekend or two.  Note that the page linked above includes schematic and full source code.

Please note that the little slide switch on the SD/SDHC cards is NOT a write-lock switch, no matter how it is labeled.  And yes, I know that you can slide that to the LOCK position and Windows will refuse to format the card if you put it into your laptop's SD card slot.

But according to the SD Group's specification, the switch explicitly does NOT connect to any electronics in the card.  Windows claims that it isn't modifying the card because it is write-locked, but applications outside of Windows, or other OSes, can choose to ignore the write-lock tab and modify the SD card anyway.

From now on, when I refer to an SD card being write-locked, I mean that the TMP_WRITE_PROTECT bit is set.  Just ignore the write-lock tab on your SD card; it's useless for a stealth PC.
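
As an added example (not code from the original page), here is a small shell script that reads the TMP_WRITE_PROTECT and PERM_WRITE_PROTECT bits out of a card's CSD register so you can confirm the lock state before you boot from the card.  It assumes the card is sitting in a laptop's native SD/MMC slot, where Linux publishes the raw CSD under /sys/block/mmcblkN/device/csd; a USB card reader like the ones used above presents the card as a plain USB disk and does not expose the register.  The sample register values in the script are constructed.

```shell
#!/bin/sh
# Decode the SD write-protect bits from a card's CSD register.
# Assumption: the card is in a native SD/MMC slot, where Linux publishes the
# raw 128-bit CSD as 32 hex characters (most significant bit first) at
# /sys/block/mmcblkN/device/csd. A USB card reader shows the card as a
# plain USB disk and does not expose the CSD at all.
# Bit numbers from the SD physical-layer spec's CSD field table:
#   PERM_WRITE_PROTECT = bit 13 (one-way, cannot be cleared)
#   TMP_WRITE_PROTECT  = bit 12 (the bit the SD locker toggles)

# csd_bit HEX32 BITNUM -> prints 1 or 0; exit 2 on malformed input
csd_bit() {
    hex=$1; bit=$2
    case $hex in
        *[!0-9a-fA-F]*|'') echo "csd: not hex: $hex" >&2; return 2 ;;
    esac
    [ ${#hex} -eq 32 ] || { echo "csd: need 32 hex chars, got ${#hex}" >&2; return 2; }
    # CSD bits 31:0 are the last eight hex characters
    low=$(printf '%s' "$hex" | cut -c25-32)
    echo $(( (0x$low >> bit) & 1 ))
}

# csd_status HEX32 -> describes the lock state;
# exit 0 = write-locked (temporarily or permanently), 1 = writable, 2 = bad input
csd_status() {
    tmp=$(csd_bit "$1" 12) || return 2
    perm=$(csd_bit "$1" 13) || return 2
    if [ "$perm" = 1 ]; then
        echo "PERMANENTLY write-protected (PERM_WRITE_PROTECT set)"
        return 0
    elif [ "$tmp" = 1 ]; then
        echo "write-locked (TMP_WRITE_PROTECT set)"
        return 0
    fi
    echo "WRITABLE: TMP_WRITE_PROTECT is clear, a boot can modify this card"
    return 1
}

# check_slot [mmcblkN] -> reads a real card's CSD from sysfs and reports it
check_slot() {
    f=/sys/block/${1:-mmcblk0}/device/csd
    [ -r "$f" ] || { echo "no CSD at $f (card not in a native slot?)" >&2; return 2; }
    csd_status "$(cat "$f")"
}

# Constructed sample registers: only the low word (last 8 chars) differs
CSD_LOCKED=400e00325b5900001dbf7f800a401001   # bit 12 set
CSD_OPEN=400e00325b5900001dbf7f800a400001     # bit 12 clear
CSD_PERM=400e00325b5900001dbf7f800a402001     # bit 13 set

# Demo on the samples; use "check_slot mmcblk0" for a card in the laptop's slot
for c in $CSD_LOCKED $CSD_OPEN $CSD_PERM; do
    csd_status "$c" || true
done
```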


Installing new software
Puppy offers a nicely designed package manager, which you can use to install new software.  You can find the package manager from the Menu button in the bottom-left corner of the screen.  Just select Menu/Setup/Puppy Package Manager.  You will be offered a search box (Find:) where you can type in information on the package you might like to add.  For example, entering "mp3 player" brings up seven different packages, including a full-screen mp3 player, a song librarian, and a command-line interface to the Diamond Rio player.  If you know specifically what you want to install, you can type that into the Find: window, as well.  For example, entering "vlc" brings up several packages, including the full VLC multimedia playback app (version 2.0.8, in my case).

The Puppy package installation process is simple, friendly (seems like I use that word a lot), and seems robust.  However, you need to be aware of an artifact of running Puppy from live CD or live USB, as I've described below.

The Puppy Package Manager (PPM) uses a database of apps to determine the dependencies for each app you try to download.  The PPM assumes that this database is resident on your machine.  But if the database on your machine is stale, which is very likely, given that you are probably booting from either a live CD or a live USB created from a CD, trying to install a popular app will likely fail because the dependencies won't be correctly resolved.

You get around this problem in the PPM by clicking the "Configure package manager" button, then clicking "Update now" to download the newest version of the database to your machine.  Once your machine has the newest database, you should be able to install any package you can find in the PPM.  If you are new to installing packages, I suggest you try a couple just to practice.

For example, I typed "basic" into the Find box and clicked Go.  The PPM showed several packages with "basic" in the description, including the Bywater BASIC interpreter.  I selected that package in the right-hand window of the PPM display, and the PPM popped up a preinstall window, telling me that all of the dependencies for this program were already satisfied on my system.  I then clicked the Install button at the bottom of the window.  The PPM then offered me a choice of URLs from which to install; I stayed with the default choice (archive.ubuntu.com) and clicked "Download packages".  The PPM did some fast window flashing, and two seconds later, a pop-up announced that the Bywater BASIC interpreter had been installed on my system; I clicked "OK" to remove the window.  The PPM then did a quick check for any missing dependencies, found none, and gave me an OK button to click.

At this point, the Bywater BASIC interpreter is installed, but there is no icon on the desktop to click.  So I went to the desktop, clicked the console icon in the upper-left of the screen to get a command prompt, then typed "bwbasic".  This started the BASIC interpreter.  I played with it for a bit, then entered "quit" to exit.  At the console command prompt, I then typed "whereis bwbasic"; the system informed me that bwbasic is stored in /usr/bin/bwbasic.


Uninstalling software
OK, I was done playing with bwbasic.  I went back to the PPM and looked through the packages listed in the lower-right pane of the window.  I scrolled to the bottom of the pane to find bwbasic listed.  When I clicked on that entry, the Puppy Package Manager popped up a window asking if I wanted to remove bwbasic.  I clicked OK, Puppy thought for a couple of seconds, then the PPM informed me that bwbasic had been removed, a fact I confirmed by entering "bwbasic" at the command prompt and getting a "No such file or directory" error.


A side effect of installing software
As I was installing packages, I noticed that Puppy accessed the USB drive, even though I had not specifically requested a save.  I suspected that Puppy was modifying the USB drive instead of working solely with the RAM image.  To test this theory, I opened a console window and performed an md5 sum of the USB drive with

md5sum /dev/sda

(the /sda part may be different for your SD card) and jotted down the last eight digits (note that this operation takes a few minutes on large SD cards).  I installed bwbasic using the PPM, then returned to the console and reran the above command.  The resulting sum differed from the first sum, so Puppy did indeed write to the SD card during the install.

I uninstalled bwbasic, confirmed it was removed, then unplugged the USB drive and reinstalled bwbasic from the PPM.  Even though the USB drive was missing, Puppy installed the app properly and the app ran from the console as expected.  As soon as I reinserted the USB drive, Puppy did a save of RAM to the device.

Moral of the story is that you can install apps to the RAM version of your system without touching the USB drive provided you either remove the SD card or write-lock the card.  If you know you're going to keep whatever app you plan to install, you can just leave the drive in place, but if you think you might not keep the app and don't want any writes to your SD card, protect or remove it.


Using your stealth PC image
After you have your SD card contents the way you want them, remove the card from the USB adapter and write-lock the SD card, then return the card to the USB adapter; Puppy should pop up an icon for the SD card on the desktop.  From a console in Puppy, generate the md5 sum for the SD card as above.  Jot down at least the last eight digits of the resulting sum and keep this info with your stealth PC SD card.

So long as you keep the SD card write-locked, this md5 sum should not change.

Periodically rerun the md5 sum for the SD card and confirm the resulting sum.  If you ever see a difference, something was able to get past the write-lock and write to your card, and its contents are now suspect.
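
The baseline-and-recheck procedure above (and the before/after comparison used in the "side effect of installing software" section) scripted, as an added example that is not part of the original page.  It uses sha256sum instead of md5sum (same idea, stronger hash); the device node and the location of the baseline file are assumptions supplied by the caller, and the stand-in "card" used by the demo is a constructed temporary file.

```shell
#!/bin/sh
# Baseline and re-check the boot card's checksum, scripting the manual
# md5sum procedure above. It uses sha256sum rather than md5sum (same idea,
# stronger hash); md5sum works the same way if that is what you wrote down.
# Assumptions (not from the original page): the caller passes the device
# node (e.g. /dev/sda) and a baseline file kept OFF the write-locked card,
# such as on a separate USB stick. Hashing a whole card takes minutes.

# image_sum DEV -> prints the hex SHA-256 of the whole device (or file)
image_sum() {
    out=$(sha256sum "$1") || return 2
    printf '%s\n' "${out%% *}"
}

# last8 SUM -> the last eight hex digits, the part the text says to jot down
last8() {
    printf '%s' "$1" | tail -c 8
}

# baseline DEV FILE -> records DEV's sum in FILE; refuses to clobber one
baseline() {
    if [ -e "$2" ]; then
        echo "baseline $2 already exists; delete it deliberately first" >&2
        return 2
    fi
    sum=$(image_sum "$1") || return 2
    printf '%s  %s\n' "$sum" "$1" > "$2"
    echo "recorded $1 ...$(last8 "$sum")"
}

# verify DEV FILE -> exit 0 if DEV still matches FILE, 1 if it has changed
verify() {
    expected=$(cut -d' ' -f1 "$2") || return 2
    actual=$(image_sum "$1") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $1 unchanged (...$(last8 "$actual"))"
        return 0
    fi
    echo "MISMATCH: $1 differs from baseline; the card was written, treat it as suspect" >&2
    return 1
}

# demo -> exercises the two functions on a constructed stand-in for the card
demo() {
    dir=$(mktemp -d); img=$dir/card.img
    printf 'constructed stand-in for the Puppy boot image' > "$img"
    baseline "$img" "$dir/card.sum" >/dev/null
    ok=0; verify "$img" "$dir/card.sum" >/dev/null || ok=$?
    printf 'X' >> "$img"        # simulate an unexpected write to the card
    changed=0; verify "$img" "$dir/card.sum" >/dev/null 2>&1 || changed=$?
    rm -rf "$dir"
    [ "$ok" -eq 0 ] && [ "$changed" -eq 1 ]
}

# Usage for a real card: baseline /dev/sda /media/stick/card.sum
#                        verify   /dev/sda /media/stick/card.sum
demo && echo "demo: baseline matched, then mismatch detected after a write"
```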

Note that you can boot this SD card in all manner of PCs, not just your original stealth PC.  You can take this SD card and adapter to a friend's or parent's house and use it in their PC, confident that even if they have malware on their machine, it won't contaminate your stealth PC.

There will be times when you want to save something you've found on the web.  Rather than unlock your boot SD card, consider carrying around a small USB flash drive.  Note that this will give you a vector for picking up malware, so there are some risks.  Additionally, there might be traces of your web use left on the flash drive, even beyond the files you knowingly saved there.  Still, if you need to save something, you certainly don't want to risk corrupting your boot SD card.


More info on Puppy Linux and security
Puppy Linux running on a RAM drive on my laptop is really responsive.  It has been such a pleasant experience that I actually prefer this setup for most PC activities short of gaming.  The SeaMonkey browser is quick, Flash videos play smoothly, sound support is excellent, and the package installer provides a seamless way to manage apps.  Even if you don't need a stealth PC, Puppy deserves a look as a possible desktop/laptop system, especially on old boxes with under-powered (by today's standards) CPUs.

The Puppy forums are quite active and filled with excellent information on all aspects of Puppy.  You can even find a 64-bit version of Puppy, called Fatdog64, if you want to try out a 64-bit distro.  Note that I haven't tried Fatdog64 and cannot offer any personal experience.

Puppy is preconfigured to do an auto-save of RAM to the boot device every 30 minutes.  To disable this auto-save feature, use Menu/System/Puppy Event Manager/Save Session, set the interval to 0 (never), then click OK.  Remember to do a save (click the Save icon on the desktop) to a write-enabled SD card to keep this setting.

Here is a discussion of using an earlier version of Puppy for secure banking and browsing: http://www.ciphersbyritter.com/COMPSEC/ONLSECP5.HTM

That link also includes some excellent information on hardening your browser, making it less vulnerable to malicious downloads and web links.  Even though you will likely be surfing with the write-lock enabled, there's no sense risking contamination of your RAM image if you can avoid it.

Consider modifying Puppy's hosts file, as a kind of first line of defense while web browsing.  You can find the hosts file in /etc/hosts.  This is a simple text file containing several lines of information.  Each line consists of an IP address, usually 127.0.0.1, followed by at least one space and a hostname.  Because the hosts file is consulted before any DNS lookup, mapping a hostname to 127.0.0.1 makes Puppy send requests for that host to your own machine, where nothing is listening, instead of out to the real site.  For example, if you add the line:

127.0.0.1  ad.doubleclick.net

to your hosts file, any website you hit that tries to pull content from that host will be steered to your own machine instead, and the request goes nowhere.  This isn't a firewall and it isn't a foolproof guard against picking up malware, but it can cut down on some of the crap you have to wade through while surfing.  Be sure to remove the write-lock from your SD card and save the changes you make to the hosts file, then relock the card.

There has been a lot of web discussion on using ext2, ext3, and other file systems securely.  Much of the discussion involves ext3 and other journaling file systems, which complicate the ability to erase data from files.  The gist of the argument is that while you can erase all the contents of a file on a journaled system, copies of the data may still be available in other parts of the file system that are not explicitly part of the erased file.  This means that (some or all of) the file's contents can be recovered.  You can find some discussions here, here, and here, for starters.  The last link is to the Stanford labs and discusses a program called scrub, which is available in the Puppy Package Manager.  I intentionally chose to use an ext2 file system on my Puppy install to avoid the journaling issue.

Finally, there has been much discussion on the web about recovering forensic data from a PC's SDRAM, even following power-cycling.  The theory seems to be that the RAM retains some state information over time, even when no power is applied.  To that end, there are utilities on the web such as the secure-delete suite that include programs for zero-filling a RAM disk image before shutdown.  I have not (yet) explored these tools, mostly because I currently have no way of reading the RAM on bootup to check for data.  It's an intriguing area of research.  The forensics seminar touched briefly on tools for pulling data from RAM, and since the forensics team would most likely get a box that had been powered down for some time, perhaps there's something to the theory.

