Anti-forensics

At this time, disposables should not be relied upon to circumvent local forensics, as they do not run entirely in RAM. […]

When it is essential to avoid leaving any trace, consider using Tails.

I am not exactly sure what that means. What is the potential risk here (let’s assume the worst case) for my privacy (even if using Whonix VM)?

How does it look with AppVMs?

Tails has a persistence mode. Would there still be a difference, if enabled?

Disposable VMs leave traces on your HDD/SSD even after disposal.

Forensics is the art of uncovering those traces. A forensic entity which is able to pull your HDD/SSD key or the passphrase to that key from your RAM, can decrypt your HDD/SSD and search for these traces.

Tails is mounted read-only; a RAM dump might still uncover what you were doing, but as soon as you shut down (not unplug from the power!) your machine, the RAM is erased.


Disposable VMs leave traces on your HDD/SSD even after disposal.

What kind of traces exactly? Suppose I am using Whonix AppVM.

Tails is mounted read-only; a RAM dump might still uncover what you were doing, but as soon as you shut down (not unplug from the power!) your machine, the RAM is erased.

So it’s still traceless even with persistence?

Privacy is directly related to security.
The potential risk is a bad Tor route, etc.

If you don't store anything in it, it's the same.

Many things, like logs, …
In unman's note I found a way to make a DispVM run almost entirely in RAM.

Mostly yes.

Hey Thamil, I don't want to be ruder than usual, but I would like to suggest you use Google and do some reading.

Like the Tails manual, what the difference between delete and secure wipe is, and why it is difficult to wipe an SSD.


If you're worried about forensics, don't do anything extremely sensitive on Qubes; instead use Tails with persistence turned off for the specific sensitive operation, never save the info, and learn the powers of verbatim dictation, which takes practice. There are cognitive memory techniques one can learn to remember, recall and dictate any information word for word.

To protect mildly sensitive operations in Qubes, make sure you keep the Qubes install powered off and unplugged when you're not in a secure location or there are people around you who could grab your device while it is powered on. If it is powered off and has a 10 - 15 word Diceware-created passphrase, not even a quantum computer could likely crack this. However, keep the 10 to 15 words in memory only.

Also depending on who the adversary is, be aware that you may have an extremely secure system, but are your adversaries capable, willing, or would they enjoy brutally torturing your children in front of you in order to compel you to give up the passphrase? If so then look into “plausible deniability” that veracrypt hidden containers offers.

For now, since it seems you're just learning, seriously don't do anything sensitive until you get trained in the basics of "Information Security". There are tons of free courses on the matter. Get that finished first.

Look to typical classification levels used in most organizations that need to protect information by understanding the consequences to your organization should the stored data some how get leaked. Classified information - Wikipedia

You see in top secret = would cause “exceptionally grave damage” to security.

Secret = material would cause “serious damage” to security.

… And so on.

Does grave damage in your situation possibly mean death? Take the time to write out your own classification based on your unique circumstances. Use your custom-designed classification levels to build out your Qubes OS system and compartmentalized lifestyle according to the classifications and risks you've taken the time to define.

Look to these standards and partition your life accordingly, also understanding the need and value of compartmentalization, which is part of the founding philosophy that led to the creation of Qubes: to Qube your life across different computers, and to make it convenient by having all these computers in one area, laptop or desktop, but still separated via hardware-level virtualization to make full compromise harder.

See more about this here: Getting started | Qubes OS

and here: Partitioning my digital life into security domains | The Invisible Things


It's better to use searx (I still need Google).

IIRC, that's for Windows only.

http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/af76301c21e1b4a33851

VeraCrypt works fine in both Tails and Qubes OS, as I think there is a Debian-specific package.

I know, but I heard somewhere that "plausible deniability" is only available on Windows
and requires a "trick" to work on others.

There's no trick; the full VeraCrypt options are available for both Windows and Linux. There's no difference otherwise, but if you open a hidden container on Windows you'll likely defeat the purpose of the hidden container and leave traces of the contents all over the Windows system, whereas in a non-persistent Tails session you'll leave no traces once it's powered off.

I understand what you're talking about.
I'm talking about full-OS "plausible deniability", not "hidden container".
Can you see the edit?

The hidden container feature in VeraCrypt is what offers the plausible deniability. When creating the hidden container you always create a non-hidden container and fill it with semi-sensitive data. When you're forced to give your passphrase, you give it for the non-sensitive container, while never giving up your hidden container passphrase. Through mathematical forensics one cannot prove there is a hidden container.

Can you see the edit?

For full-OS plausible deniability, only open a hidden container offline in Tails. I would go as far as saying never use Tails persistence; just use hidden containers if you need to save anything, or keep it stored in brain memory.

Don't use Qubes or any other OS for any sort of plausible deniability.
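The hidden-container mechanism described in the reply above, as an added toy model (not VeraCrypt's code, and not part of the original thread). The geometry, the magic value, the SHA-256 counter-mode "cipher" and the 10k-iteration KDF are all constructed for this example and stand in for VeraCrypt's real XTS-AES layout; what carries over is the structure: the device is pre-filled with random bytes, the hidden header and hidden data sit inside what the outer volume regards as free space, and opening a volume means trying each header location with the given passphrase. It also models the caveat the reply does not mention but a practitioner needs: unless the outer volume is mounted with both passphrases (VeraCrypt's "protect hidden volume" mode), a filesystem writing into the outer volume's free space silently destroys the hidden one.

```python
import hashlib
import math
import secrets

# Toy geometry, constructed for this example (VeraCrypt's real on-disk layout differs):
# [outer header][ outer data ...... "free space" (random) ......][hidden data][hidden header]
VOLUME_SIZE = 32 * 1024
HEADER_SIZE = 64
OUTER_HEADER_OFF = 0
HIDDEN_HEADER_OFF = VOLUME_SIZE - HEADER_SIZE
OUTER_DATA_OFF = HEADER_SIZE
OUTER_DATA_END = HIDDEN_HEADER_OFF          # the outer volume claims everything up to here
HIDDEN_DATA_LEN = 4 * 1024
HIDDEN_DATA_OFF = HIDDEN_HEADER_OFF - HIDDEN_DATA_LEN
MAGIC = b"TOYVOL01"                          # decrypts correctly only with the right passphrase


def _derive_key(passphrase: str, salt: bytes) -> bytes:
    # Real tools use far more iterations; 10k keeps the example fast.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 10_000, 32)


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher (SHA-256 in counter mode) standing in for XTS-AES. Not for real use.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def _make_header(passphrase: str, data_off: int, data_len: int) -> bytes:
    salt = secrets.token_bytes(16)
    body = MAGIC + data_off.to_bytes(8, "big") + data_len.to_bytes(8, "big")
    body += secrets.token_bytes(HEADER_SIZE - 16 - len(body))   # random padding
    return salt + _xor_stream(_derive_key(passphrase, salt), b"hdr", body)


def _try_header(volume: bytearray, off: int, passphrase: str):
    salt, ct = bytes(volume[off:off + 16]), bytes(volume[off + 16:off + HEADER_SIZE])
    key = _derive_key(passphrase, salt)
    body = _xor_stream(key, b"hdr", ct)
    if body[:8] != MAGIC:            # wrong passphrase or plain random fill: both look the same
        return None
    return key, int.from_bytes(body[8:16], "big"), int.from_bytes(body[16:24], "big")


def _locate(volume: bytearray, passphrase: str):
    # Like VeraCrypt, try the outer header location first, then the hidden one.
    for name, off in (("outer", OUTER_HEADER_OFF), ("hidden", HIDDEN_HEADER_OFF)):
        found = _try_header(volume, off, passphrase)
        if found:
            return (name,) + found
    return None


def write_volume(volume: bytearray, passphrase: str, data: bytes) -> str:
    """Write plaintext at the start of whichever volume the passphrase opens."""
    loc = _locate(volume, passphrase)
    if loc is None:
        raise ValueError("no volume opens with this passphrase")
    name, key, off, length = loc
    if len(data) > length:
        raise ValueError("data larger than volume")
    volume[off:off + len(data)] = _xor_stream(key, b"dat", data)
    return name


def read_volume(volume: bytearray, passphrase: str, nbytes: int):
    loc = _locate(volume, passphrase)
    if loc is None:
        return None
    name, key, off, _ = loc
    return name, _xor_stream(key, b"dat", bytes(volume[off:off + nbytes]))


def create_volume(outer_pw: str, hidden_pw: str, hidden_secret: bytes) -> bytearray:
    # The whole device is random before any header is written, so the hidden
    # area is indistinguishable from the outer volume's free space.
    vol = bytearray(secrets.token_bytes(VOLUME_SIZE))
    vol[OUTER_HEADER_OFF:OUTER_HEADER_OFF + HEADER_SIZE] = _make_header(
        outer_pw, OUTER_DATA_OFF, OUTER_DATA_END - OUTER_DATA_OFF)
    vol[HIDDEN_HEADER_OFF:HIDDEN_HEADER_OFF + HEADER_SIZE] = _make_header(
        hidden_pw, HIDDEN_DATA_OFF, HIDDEN_DATA_LEN)
    write_volume(vol, hidden_pw, hidden_secret)
    return vol


def write_outer_protected(volume: bytearray, outer_pw: str, hidden_pw: str, data: bytes) -> str:
    """Model of VeraCrypt's 'protect hidden volume' mode: with both passphrases
    supplied, an outer write that would reach the hidden area is refused."""
    hid = _locate(volume, hidden_pw)
    if hid is None or hid[0] != "hidden":
        raise ValueError("hidden passphrase does not open a hidden volume")
    if OUTER_DATA_OFF + len(data) > hid[2]:
        raise ValueError("write would overwrite the hidden volume")
    return write_volume(volume, outer_pw, data)


def fill_outer_free_space(volume: bytearray, outer_pw: str) -> str:
    # What an unprotected outer mount can do: a filesystem that treats the whole
    # outer volume as its own silently destroys the hidden data.
    return write_volume(volume, outer_pw, secrets.token_bytes(OUTER_DATA_END - OUTER_DATA_OFF))


def looks_random(region: bytes) -> bool:
    """Byte-entropy check of the kind a forensic tool runs: above 7.5 bits/byte
    the region is, by this test, indistinguishable from random fill."""
    counts = [0] * 256
    for b in region:
        counts[b] += 1
    n = len(region)
    entropy = -sum(c / n * math.log2(c / n) for c in counts if c)
    return entropy > 7.5
```

Run `create_volume("outer-pass", "hidden-pass", secret)` and compare `looks_random` on the encrypted hidden region against an untouched slice of outer free space: both pass, which is the whole basis of the deniability. Then call `fill_outer_free_space` and read the hidden volume again: the hidden header still opens but the data is gone, which is why the outer volume must only be written with both passphrases supplied.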

I don't understand?

Why not? I'm using Qubes OS with plausible deniability:
http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/af76301c21e1b4a33851


Wow great share. I’ll look into this.

But I think for OP this would be beyond their level at the moment.

But thanks for sharing.

That's here.
This works fine for 4.0 and creates a RAM-based storage pool to hold a qube. Depending on your threat model, it may be of some use.


So to prevent traces with Tails, it would be good to use it without persistence, but instead with another LUKS encrypted USB drive to save files?

Thank you.
To sum it up: Are the traces only a threat if someone grabs my device while being logged in?
That’s my main question here.

@Thamil13 Thank you.
To sum it up: Are the traces only a threat if someone grabs my device while being logged in?
That’s my main question here.

In the context of using encryption, and without torture, blackmail, and other methods of coercion that would force you to give up a 15-word Diceware-created passphrase for a powered-down system, then I'd say yes, those traces are only a threat in Qubes while you are logged in.