Detecting root kits and backdoors using a virtual machine

Michael Torrie torriem at chem.byu.edu
Mon Jul 24 11:31:27 MDT 2006


The other day it occurred to me that a virtual machine could be of use
to scan a computer for backdoors and root kits without taking the
machine in question down.  This would be useful for dealing with a
machine that you have no physical access to, and cannot be booted into
knoppix easily (in a data center for example).  It might be possible to
install vmware-player, for example, boot up a live CD ISO, and then grab
the raw disk from the host and go through the file systems on the host
machine in a read-only fashion, looking for these tell-tale traces.
Probably the best way to do that would be to access the partitions using
userspace tools rather than mounting the disk, although maybe you could
force a read-only mount of an already-mounted file system (ext3 say).
Using the userspace tools it might be easier to find inodes that are in
use but deleted (a common method of hiding a trojan).

Can one mount ext3 read-only if it is already marked as being mounted
somewhere else?  Do ext3 userspace tools already exist (say like mtools
for fat)?  Any thoughts on the viability of this idea?  I believe it
would be difficult for a rootkit to operate at a raw block-device level.

Michael
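As an added example (not part of Michael's post, and not a tool he mentions), here is the simplest form of the "in use but deleted" check, done from the running host rather than from a VM reading the raw disk: it walks /proc, flags every memory mapping and open file descriptor whose backing file has been unlinked, and separates the parsing (testable on constructed lines) from the live scan. The sample maps lines and fd targets below are constructed, not captured from any real host; the scan assumes a Linux /proc and needs root to see other users' processes. Because it relies on the kernel's own view of /proc, a kernel-level rootkit can lie to it, which is exactly the limitation the raw-disk approach in the post is meant to avoid.

```python
"""Flag processes holding files that have been deleted (unlinked).

Added example, not from the original post.  The kernel appends
" (deleted)" to the pathname of an unlinked file both in
/proc/<pid>/maps and in the readlink() target of /proc/<pid>/fd/<n>.
"""
import os
from typing import Dict, Iterable, List, Tuple

DELETED_SUFFIX = " (deleted)"


def deleted_mappings(maps_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (address_range, path) for each mapping in /proc/<pid>/maps
    whose backing file has been unlinked.  Anonymous mappings and
    pseudo-paths such as [heap]/[stack] have no deleted marker and are
    skipped."""
    found = []
    for line in maps_lines:
        # Fields: addr perms offset dev inode [pathname]; the pathname may
        # itself contain spaces, so split at most 5 times.
        parts = line.rstrip("\n").split(maxsplit=5)
        if len(parts) < 6:
            continue
        addr, path = parts[0], parts[5]
        if path.endswith(DELETED_SUFFIX):
            found.append((addr, path[: -len(DELETED_SUFFIX)]))
    return found


def deleted_fds(fd_targets: Dict[str, str]) -> List[Tuple[str, str]]:
    """fd_targets maps an fd number (as a string) to the readlink() result
    of /proc/<pid>/fd/<n>.  Returns (fd, path) for each unlinked target,
    ordered by fd number."""
    ordered = sorted(fd_targets.items(), key=lambda kv: int(kv[0]))
    return [(fd, tgt[: -len(DELETED_SUFFIX)])
            for fd, tgt in ordered if tgt.endswith(DELETED_SUFFIX)]


def scan_proc(proc_root: str = "/proc") -> Dict[int, dict]:
    """Walk every numeric entry under proc_root and collect deleted mappings
    and fds per pid.  Processes that vanish mid-scan or that we may not
    inspect (EACCES without root) are silently skipped."""
    report: Dict[int, dict] = {}
    try:
        entries = os.listdir(proc_root)
    except OSError:
        return report  # no procfs here (e.g. not Linux)
    for name in entries:
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        try:
            with open(os.path.join(base, "maps")) as f:
                maps = deleted_mappings(f)
            targets: Dict[str, str] = {}
            fd_dir = os.path.join(base, "fd")
            for fd in os.listdir(fd_dir):
                try:
                    targets[fd] = os.readlink(os.path.join(fd_dir, fd))
                except OSError:
                    pass  # fd closed between listdir() and readlink()
            fds = deleted_fds(targets)
        except OSError:
            continue
        if maps or fds:
            report[int(name)] = {"maps": maps, "fds": fds}
    return report


# Constructed sample input in /proc/<pid>/maps format (not a real capture).
SAMPLE_MAPS = [
    "00400000-00452000 r-xp 00000000 08:01 131 /usr/bin/sshd\n",
    "7f3a0000-7f3a2000 r-xp 00000000 08:01 9001 /tmp/unlinked-lib.so (deleted)\n",
    "7ffd1000-7ffd3000 rw-p 00000000 00:00 0 [stack]\n",
]
# Constructed readlink() targets for /proc/<pid>/fd/<n>.
SAMPLE_FDS = {"0": "/dev/null", "3": "/var/tmp/unlinked.log (deleted)",
              "4": "socket:[12345]"}

if __name__ == "__main__":
    for pid, hits in sorted(scan_proc().items()):
        for addr, path in hits["maps"]:
            print(f"pid {pid}: mapped deleted file {path} at {addr}")
        for fd, path in hits["fds"]:
            print(f"pid {pid}: fd {fd} -> deleted file {path}")
```

A deleted-but-mapped shared object or a deleted log file held open is not proof of compromise (package upgrades and log rotation produce the same pattern), so treat hits as leads to compare against the on-disk view; the same inodes can be cross-checked against the raw device with e2fsprogs' debugfs, which is the userspace route the post asks about.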



More information about the PLUG mailing list