Data Persistence vs Live Mode

From Whonix
Jump to navigation Jump to search

Forensics Categories[edit]

There are potentially two major categories of forensic evidence that an operating system (OS) (such as for example Whonix) was used that might be available to adversaries under specific conditions. This is a general computer security topic and unspecific to Whonix.

  • A) evidence that the OS was downloaded (and installed or written to USB / DVD), and [1]
  • B) data persistence or amnesia of activities during use of the OS.

This is related to Kicksecure logo Protection against Physical Attacks The Web Archive Onion Version .

Data Accessibility[edit]

This is unspecific to Whonix.

  • Local attacks: An adversary with physical access to the user's storage device could read that data unless the user is using Kicksecure logo Full Disk Encryption The Web Archive Onion Version .
  • Remote attacks: If a virtual machine (VM) or host operating system is compromised by Kicksecure logo Malware The Web Archive Onion Version , then an adversary that succeeded in infecting the user's computer with malware can steal this data.

Data Persistence vs Live Mode[edit]

Data persistence of activities during a Whonix session.

Depending on choice of boot mode of the user, either:

  • A) Booting into persistent mode: This is what 99% of computer users do every day. The supermajority of internet users is unaware of the concepts of "persistent mode" or "live mode". Data persistence works normally as most users expect. Data created by the user or operating system during a session of Whonix persists. This means it is still available after reboot. The advantage is that this works for many use case examples such as saving browser bookmarks, notes, documents, downloaded files and so forth. The downside is that this information might be available to adversaries under specific conditions
  • B) Using Kicksecure logo Host Live Mode The Web Archive Onion Version : When booting into host live mode and then using Whonix, no data will persist. For example, bookmarks created during live mode or any files created or downloaded will be gone after reboot.

Tails versus Whonix Live Mode Comparison[edit]

  • Whonix boots into persistent mode by default. This comes with various advantages such as persistent Tor Entry Guards, vanguards, easy standard ("everyday") upgrades to allow the users to always have the latest security patches and compatibility with full disk encryption. Users can optionally use live mode by using Kicksecure logo Host Live Mode The Web Archive Onion Version . It is easier to hide that Whonix was used from adversaries with physical access through use of full disk encryption on the host operating system.
  • Tails: boots into non-persistent (live mode) by default, which has the advantage of better usability for users who do not wish to persist data and an optional selective encrypted persistence feature. A Tails DVD or USB installation examined by an adversary with local access can always trivially determine that Tails is on the DVD / USB. [2]

See also Anonymity Operating System Comparison - Whonix vs Tails vs Tor Browser Bundle.

See Also[edit]


  1. While user data in Tails optional selective encrypted persistence feature is encrypted, the boot and system partition is unencrypted. That does not leak user data but that leaks the fact that the user is a Tails user and Tails version to an adversary with physical access.

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!