Data Persistence vs Live Mode

From Whonix

Forensics Categories

There are potentially two major categories of forensic evidence that an operating system (OS), such as Whonix ™, was used, and this evidence might be available to adversaries under specific conditions. This is a general computer security topic and is not specific to Whonix ™.

  • A) evidence that the OS was downloaded (and installed or written to USB / DVD), and [1]
  • B) data persistence or amnesia of activities during use of the OS.

This is related to Protection against Physical Attacks.

Data Accessibility

This is not specific to Whonix ™.

  • Local attacks: An adversary with physical access to the user's storage device could read that data unless the user is using Full Disk Encryption.
  • Remote attacks: If a virtual machine (VM) or the host operating system is compromised by Malware, the adversary who succeeded in infecting the user's computer can steal this data.

Data Persistence vs Live Mode

This section covers data persistence of activities during a Whonix ™ session.

Depending on the boot mode the user chooses, either:

  • A) Booting into persistent mode: This is what 99% of computer users do every day. The supermajority of internet users are unaware of the concepts of "persistent mode" or "live mode". Data persistence works normally, as most users expect. Data created by the user or operating system during a session of Whonix ™ persists, meaning it is still available after reboot. The advantage is that this works for many use cases, such as saving browser bookmarks, notes, documents, downloaded files and so forth. The downside is that this information might be available to adversaries under specific conditions.
  • B) Using Host Live Mode: When booting into host live mode and then using Whonix ™, no data will persist. For example, bookmarks created during live mode or any files created or downloaded will be gone after reboot.

Tails versus Whonix Live Mode Comparison

  • Whonix ™: boots into persistent mode by default. This comes with various advantages, such as persistent Tor Entry Guards, vanguards, easy standard ("everyday") upgrades so that users always have the latest security patches, and compatibility with full disk encryption. Users can optionally use live mode by using Host Live Mode. It is easier to hide that Whonix ™ was used from adversaries with physical access through use of full disk encryption on the host operating system.
  • Tails: boots into non-persistent mode (live mode) by default, which has the advantage of better usability for users who do not wish to persist data, and offers an optional selective encrypted persistence feature. An adversary with local access who examines a Tails DVD or USB installation can always trivially determine that Tails is on the DVD / USB. [2]

See also Anonymity Operating System Comparison - Whonix ™ vs Tails vs Tor Browser Bundle.

Footnotes

  1. While user data in Tails' optional selective encrypted persistence feature is encrypted, the boot and system partition is unencrypted. That does not leak user data, but it does leak to an adversary with physical access the fact that the user is a Tails user, as well as the Tails version.