There are potentially two major categories of forensic evidence that an operating system (OS) (such as for example Whonix ™) was used that might be available to adversaries under specific conditions. This is a general computer security topic and unspecific to Whonix ™.
- A) evidence that the OS was downloaded (and installed or written to USB / DVD), and 
- B) data persistence or amnesia of activities during use of the OS.
This is related to Protection against Physical Attacks .
This is unspecific to Whonix ™.
- Local attacks: An adversary with physical access to the user's storage device could read that data unless the user is using Full Disk Encryption .
- Remote attacks: If a virtual machine (VM) or host operating system is compromised by Malware , then an adversary that succeeded in infecting the user's computer with malware can steal this data.
Data Persistence vs Live Mode
Data persistence of activities during a Whonix ™ session.
Depending on choice of boot mode of the user, either:
- A) Booting into persistent mode: This is what 99% of computer users do every day. The supermajority of internet users is unaware of the concepts of "persistent mode" or "live mode". Data persistence works normally as most users expect. Data created by the user or operating system during a session of Whonix ™ persists. This means it is still available after reboot. The advantage is that this works for many use case examples such as saving browser bookmarks, notes, documents, downloaded files and so forth. The downside is that this information might be available to adversaries under specific conditions
- B) Using Host Live Mode : When booting into host live mode and then using Whonix ™, no data will persist. For example, bookmarks created during live mode or any files created or downloaded will be gone after reboot.
Tails versus Whonix Live Mode Comparison
- Whonix ™ boots into persistent mode by default. This comes with various advantages such as persistent Tor Entry Guards, vanguards, easy standard ("everyday") upgrades to allow the users to always have the latest security patches and compatibility with full disk encryption. Users can optionally use live mode by using Host Live Mode . It is easier to hide that Whonix ™ was used from adversaries with physical access through use of full disk encryption on the host operating system.
- Tails: boots into non-persistent (live mode) by default, which has the advantage of better usability for users who do not wish to persist data and an optional selective encrypted persistence feature. A Tails DVD or USB installation examined by an adversary with local access can always trivially determine that Tails is on the DVD / USB. 
- Installation of Whonix ™ on USB
- Protection against Physical Attacks
- Full Disk Encryption
- System Hardening Checklist
- the downloaded image on the host operating system
- the history of the program used to write the ISO to USB
- other traces on the host operating system used to such as file manage history and whatnot. For inspiration what that likely would be, see: https://research.torproject.org/techreports/tbb-forensic-analysis-2013-06-28.pdf
- While user data in Tails optional selective encrypted persistence feature is encrypted, the boot and system partition is unencrypted. That does not leak user data but that leaks the fact that the user is a Tails user and Tails version to an adversary with physical access.