
Whonix ™ Live Mode - Stop Persistent Malware

From Whonix

About this Whonix Live Page
  • Support Status: testing
  • Difficulty: medium
  • Maintainer: Algernon
  • Support: Support

Users can optionally run Whonix ™ as a live system.

This is only available in Non-Qubes-Whonix ™.

The primary objective is preventing malware from gaining persistence and having an unchanged system after each reboot. This is also useful for improved HDD/SSD privacy as well as experimental changes like testing software.

  • Any host operating system (Windows, macOS, Linux): Follow the instructions on this wiki page to selectively run Whonix ™ virtual machines (VMs) in Live Mode.
  • Debian hosts: It is possible to boot an existing, installed Debian host operating system into Live Mode by following the grub-live wiki page instructions.

Introduction

Booting into live mode ensures that all disk writes to the virtual hard drive are forgotten after shutdown, because every write goes to volatile memory (RAM) instead of the hard disk. In other words, after shutdown nothing that happened during the previous boot session persists on the virtual hard drive, including:

  • everything that is created / changed / downloaded in the virtual machine (VM);
  • any websites visited, files downloaded or documents created; and
  • any other modifications of the virtual hard drive or activity history.

This also holds true for malicious changes made by malware, except when:

Tip: Since live mode makes each write go to RAM, increasing the memory assigned to the VM will improve performance; for example, if large files are regularly downloaded.

Images

Figure: Persistent Mode Boot

Figure: Live Mode Boot

Warnings

Table: Live Mode Warnings

Domain: Forensics
Recommendation: By itself, starting a VM in live mode is not amnesic. Many users are unaware that activities performed inside the VM might be stored on the host HDD/SSD in locations that are hard for most users to review. Extra steps must be performed on the host operating system to minimize these traces; see Anti-Forensics Precautions.

Domain: Malware
Recommendation: To prevent malware from remounting the hard drive as read-write, it is highly recommended to use read-only hard drive mode. This raises the bar, as malware would then need to break out of the VM to gain persistence.

Domain: Other Precautions
Recommendation:
  • Whonix-Workstation ™ and Whonix-Gateway ™: It is recommended to regularly boot into persistent mode for installation of updates.
  • Whonix-Gateway ™: If live mode is used with Whonix-Gateway ™, regularly booting into persistent mode is important to keep Tor's normal guard rotation schedule.
  • KVM: Hard shutdowns of a VM can prevent the filesystem from loading on next boot when the drive is marked read-only. Do not use 'Force Off/Reset' on KVM, to avoid this possibility.
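The warnings above combine two properties that are easy to confuse: whether the root filesystem is backed by RAM (live mode) and whether the hypervisor exposes the virtual disk read-only. The script below is an added example, not part of the Whonix page or its grub-live/ro-mode-init tooling; it reads the standard /proc/mounts format and the sysfs "ro" flag, and its "live" heuristic (an overlay or tmpfs mounted on /) is an assumption rather than Whonix's own detection logic.

```sh
#!/bin/sh
# Added example: report, from inside a Debian-based guest, whether / is an
# in-RAM overlay and whether the virtual disk is read-only. The overlay/tmpfs
# heuristic is an assumption, not the detection logic of grub-live/ro-mode-init.

# root_fs_type MOUNTS_TEXT -> prints the filesystem type mounted on /
root_fs_type() {
    printf '%s\n' "$1" | awk '$2 == "/" { print $3; exit }'
}

# is_live_root MOUNTS_TEXT -> success when / is backed by RAM (overlay/tmpfs)
is_live_root() {
    case "$(root_fs_type "$1")" in
        overlay|tmpfs|aufs) return 0 ;;
        *) return 1 ;;
    esac
}

# disk_is_ro RO_FLAG -> success when the sysfs "ro" flag of the disk is 1
disk_is_ro() {
    [ "$1" = "1" ]
}

# live_mode_status MOUNTS_TEXT RO_FLAG -> one line describing the combination
live_mode_status() {
    if is_live_root "$1"; then
        if disk_is_ro "$2"; then echo "live, disk read-only"
        else echo "live, disk WRITABLE (a remount to read-write is possible)"; fi
    else
        if disk_is_ro "$2"; then echo "persistent root on a read-only disk (check boot)"
        else echo "persistent"; fi
    fi
}

# Constructed sample inputs standing in for /proc/mounts and /sys/block/sda/ro.
SAMPLE_LIVE_MOUNTS='/dev/sda1 /run/live/medium ext4 ro,relatime 0 0
overlay / overlay rw,relatime,lowerdir=/run/live/rootfs,upperdir=/run/live/overlay/rw 0 0
tmpfs /run tmpfs rw,nosuid 0 0'
SAMPLE_PERSISTENT_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /run tmpfs rw,nosuid 0 0'

# Inspect the real system only when invoked as: sh livecheck.sh --check
if [ "${1:-}" = "--check" ]; then
    live_mode_status "$(cat /proc/mounts)" \
        "$(cat /sys/block/sda/ro 2>/dev/null || echo 0)"
fi
```

The disk name sda is assumed; substitute the guest's actual disk (for example vda under KVM) before running with --check.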

grub-live on Whonix-Gateway ™

The first start of Whonix-Gateway ™ should not use live mode. This will allow Tor to make use of Tor Entry Guards.

From the second start of Whonix-Gateway ™ onwards it is recommended to run it in live mode. This should eliminate Tor-related cached data, such as DNS requests, that could leave traces about web activity. However, be warned that it may make your Tor behavior distinguishable from that of regular Tor users:

  • Consensus files: These files will be (re-)downloaded more frequently.
  • Tor guards: When switching to a new guard after some months have passed. [2]

Debugging/Errors

An inconsistent filesystem will likely result in errors when booting in live mode. For instance, inconsistencies can arise when the VM is killed instead of being shut down normally in persistent mode. Therefore, to ensure the filesystem is consistent, run fsck in persistent mode; Debian does this automatically during boot. VMs running in live mode can be killed without problems.

In the case of non-fsck related errors using ro-mode-init (like dropping to an initramfs shell), add the following to the kernel command line/GRUB menu for easier debugging:

debug=1 break=init-premount

Miscellaneous

In the future, running Whonix ™ from a Live CD or DVD might be supported. Check this wiki page at a later date.

Footnotes

  1. There are two live mode options available, grub-live and ro-mode-init.
    • grub-live: a new boot menu entry is created which must be selected manually, but it is a better failsafe and hence the recommended option.
    • ro-mode-init: the boot menu stays the same and the system automatically boots into live mode when it detects a read-only disk; otherwise it boots normally into persistent mode. The advantage of this approach is that malware running in a VM cannot silently change settings to leave persistent traces. https://forums.whonix.org/t/whonix-live-mode-amnesia-amnesic-non-persistent-anti-forensics/3894/145
  2. https://forums.whonix.org/t/whonix-live-mode-amnesia-amnesic-non-persistent-anti-forensics/3894/127



Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself.
