VM Live Mode: Stop Persistent Malware
|VM Live Mode||Host Live Mode||Whonix ™ on USB|
This is only available in Non-Qubes-Whonix ™.
The primary objective of VM live mode is preventing malware from gaining persistence and having an unchanged system after each reboot. This is also useful for improved storage device privacy as well as experimental changes like testing software.
- Any host operating system: Follow instructions on this wiki page to selectively run Whonix ™ virtual machines (VMs) in Live Mode.
- Debian hosts: It is possible to boot your existing, installed Debian host operating system into Live Mode by following the Host Live Mode wiki page instructions.
If you are interested in installation of Whonix ™ on USB, see Whonix ™ on USB.
Booting into live mode will ensure all disk writes to the virtual hard drive are forgotten after shutdown because all writes go to volatile memory (RAM) instead of the hard disk. In other words, after shutdown everything that happened during a previous boot session will not be visible (persist) on the virtual hard drive, including:
- everything that is created / changed / downloaded in the virtual machine (VM);
- any websites visited, files downloaded or documents created; and
- any other modifications of the virtual hard drive or activity history.
This also holds true for malicious changes made by malware, except when:
- read-only hard drive mode is not configured and malware remounted the disk as read-write or broke out of the VM; or
- read-only hard drive mode is configured and malware broke out of the VM. 
Table: VM Live Mode Warnings
|Forensics||By itself, starting a VM in live mode is not amnesic. Many users are unaware that activities performed inside the VM might be stored on the host mass storage device (hard drive, HDD, SSD) in locations that are hard to review (for the majority). Extra steps must be performed on the host operating system to minimize these traces -- see Anti-Forensics Precautions, or better, use Host Live Mode.|
|Malware||To prevent malware from remounting the hard drive as read-write it is strongly recommended to use read-only hard drive mode. This raises the bar as malware would need to break out of the VM to gain persistence.|
Live Mode on Whonix-Gateway ™
From the second start of Whonix-Gateway ™ it is recommended to run it in live mode. This should eliminate any Tor-related, cached data like DNS requests that could leave traces about web activity. However be warned that it may make your Tor behavior distinguishable from regular Tor users:
- Consensus files: These files will be (re-)downloaded more frequently.
- Tor guards: When switching to a new guard after some months have passed. 
1. Shut down off Whonix ™ VM.
2. Power on Whonix ™ VM.
3. During the grub boot menu wait until you see the following.
Develop a very basic understand of the following screenshot. Consider the explanation below. Expected time requirement: 1 - 3 minutes.
The following screenshot shows 4 boot options in the boot menu.
Advanced options for Whonix GNU/Linux
Whonix Live-mode GNU/Linux
Advanced options forWhonix Live-mode GNU/Linux
✱ in the first option indicates that this is the currently selected boot option. This is also illustrated by the first option with the
Whonix GNU/Linux also being written in white color instead of light blue color.
4. Use the arrow key on the keyboard to switch to live mode.
5. Press enter.
The system is booting into live mode.
Create a new file in your home directory then reboot (assuming you were already booted in the live mode from the boot menu) then restart the VM. You should not see that file anymore.
In the future, running Whonix ™ from a Live DVD or Live USB might be supported. Check this wiki page Whonix-Host.
- The meaning of
- The meaning of
If anything in coloumn
RO is set to
0, then it is not blessed read-only hard drive mode.
lsblk without any
snapd installed, Whonix-Gateway ™, live mode, and read-only hard drive mode enabled.
sudo lsblk --all
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT sda 8:0 0 100G 1 disk └─sda1 8:1 0 100G 1 part /lib/live/mount/medium
lsblk without any
snapd installed, Whonix-Gateway ™, live mode, and read-only hard drive mode disabled.
sudo lsblk --all
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT sda 8:0 0 100G 0 disk └─sda1 8:1 0 100G 0 part /lib/live/mount/medium
WickrMe installed, Whonix-Workstation ™, persistent mode, and read-only hard drive mode disabled.
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT loop0 7:0 0 62.1M 1 loop /snap/gtk-common-themes/1506 loop1 7:1 0 446M 1 loop /snap/wickrme/352 loop2 7:2 0 55M 1 loop /snap/core18/1754 sda 8:0 0 100G 0 disk └─sda1 8:1 0 100G 0 part /lib/live/mount/medium sr0 11:0 1 1024M 0 rom
There are two live mode options available,
grub-live: a new boot menu entry is created which must be selected manually, but it is a better failsafe and hence the recommended option.
ro-mode-init: the boot menu stays the same and the system automatically boots into live mode when it detects a read-only disk, otherwise it boots normally into persistent mode. The advantage of using this approach is that malware running in a VM cannot silently change settings to leave persistent traces.
- https://forums.whonix.org/t/whonix-live-mode-amnesia-amnesic-non-persistent-anti-forensics/3894/127 [archive]