Whonix ™ Live Mode - Stop Persistent Malware
|About this Whonix Live Page|
This is only available in Non-Qubes-Whonix ™.
The primary objective is preventing malware from gaining persistence and having an unchanged system after each reboot. This is also useful for improved HDD/SSD privacy as well as experimental changes like testing software.
- Any host operating system: Follow instructions on this wiki page to selectively run Whonix ™ virtual machines (VMs) in Live Mode.
- Debian hosts: It is possible to boot your existing, installed Debian host operating system into Live Mode by following the grub-live wiki page instructions.
Booting into live mode will ensure all disk writes to the virtual hard drive are forgotten after shutdown because all writes go to volatile memory (RAM) instead of the hard disk. In other words, after shutdown everything that happened during a previous boot session will not be visible (persist) on the virtual hard drive, including:
- everything that is created / changed / downloaded in the virtual machine (VM);
- any websites visited, files downloaded or documents created; and
- any other modifications of the virtual hard drive or activity history.
This also holds true for malicious changes made by malware, except when:
- read-only hard drive mode is not configured and malware remounted the disk as read-write or broke out of the VM; or
- read-only hard drive mode is configured and malware broke out of the VM. 
Table: Live Mode Warnings
|Forensics||By itself, starting a VM in live mode is not amnesic. Many users are unaware that activities performed inside the VM might be stored on the host HDD/SSD in locations that are hard to review (for the majority). Extra steps must be performed on the host operating system to minimize these traces -- see Anti-Forensics Precautions.|
|Malware||To prevent malware from remounting the hard drive as read-write it is strongly recommended to use read-only hard drive mode. This raises the bar as malware would need to break out of the VM to gain persistence.|
grub-live on Whonix-Gateway ™
From the second start of Whonix-Gateway ™ it is recommended to run it in live mode. This should eliminate any Tor-related, cached data like DNS requests that could leave traces about web activity. However be warned that it may make your Tor behavior distinguishable from regular Tor users:
- Consensus files: These files will be (re-)downloaded more frequently.
- Tor guards: When switching to a new guard after some months have passed. 
In the future, running Whonix ™ from a Live CD or DVD might be supported. Check this wiki page at a later date.
There are two live mode options available,
grub-live: a new boot menu entry is created which must be selected manually, but it is a better failsafe and hence the recommended option.
ro-mode-init: the boot menu stays the same and the system automatically boots into live mode when it detects a read-only disk, otherwise it boots normally into persistent mode. The advantage of using this approach is that malware running in a VM cannot silently change settings to leave persistent traces.
- https://forums.whonix.org/t/whonix-live-mode-amnesia-amnesic-non-persistent-anti-forensics/3894/127 [archive]
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.
Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)