title=VM Live Mode: Stop Persistent Malware
|description=Read-only mode. Make all writes go to non-persistent memory (RAM) instead of the hard disk. This is NOT an anti-forensics feature! For anti-forensics, check out Host Live Mode.
|image=Grub-live_mode_indicator_in_kicksecure.shortened.png
{{project_name_long}} can be booted in Live Mode, meaning that after your session {{project_name_long}} forgets everything you have done; nothing is saved to disk. This is a long-requested feature for sensitive data use cases and is available for {{project_name_long}} as a host OS as well as for {{project_name_long}} as a guest OS.
[[File:Grub-live_mode_indicator_in_kicksecure.shortened.png|400px|thumb|VM Live Mode boot option selected in boot menu. ([[#Instructions|more screenshots]])]]
'''Live mode''' allows an {{os}} to be used without leaving any traces on the hard drive. The system is started in live mode and all software can be used as normal: files can be saved and tasks accomplished, but after the session all data is gone. This is especially important for use cases that involve sensitive temporary data.
This is accomplished by the [https://github.com/{{project_name_short}}/grub-live <code>grub-live</code>] package, which is developed and maintained under the [https://www.whonix.org Whonix] umbrella. <code>grub-live</code> can also be used by other Linux distributions.
{{project_name_long}} live mode can be used whether {{project_name_long}} is a guest OS or a host OS. A host {{os}} is a system with root privileges that runs directly on the hardware; a guest OS is a system that runs inside a virtual machine. {{project_name_long}} can be booted into live mode in both cases. On this page, '''KS-HOST''' refers to {{project_name_long}} running as a host OS and '''KS-GUEST''' to {{project_name_long}} running as a guest OS.
'''NOTE''': This feature is unfortunately not available in {{Q project name}}, but it is available in all other {{project_name_long}} variants.
What data will be forgotten?
Booting into live mode ensures that all writes to the virtual hard drive are forgotten after shutdown, because every write goes to volatile memory (RAM) instead of the hard disk. In other words, after shutdown nothing that happened during the previous boot session persists on (or is visible in) the virtual hard drive, including:
* everything that is created, changed or downloaded;
* any websites visited, files downloaded or documents created;
* any other modifications of the virtual hard drive or activity history; and
* malicious changes made by [[Malware and Firmware Trojans|malware]], which are discarded in the same way.
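As an added, practitioner-side check that is not part of <code>grub-live</code> or of this page: a POSIX shell script that, from inside a booted system, determines whether writes to the root filesystem really land in RAM, and whether the underlying virtual disk is flagged read-only (the property that read-only hard drive mode relies on, see further below). It assumes that live mode is implemented as an overlay root whose writable upper layer is a tmpfs, which is how Debian's live-boot does it; this page does not describe the internals of <code>grub-live</code>, so treat that as an assumption. The function names and the <code>/proc/mounts</code>-style sample lines are constructed for the example.

```sh
#!/bin/sh
# Added example: verify from inside a running VM whether root writes go to RAM.
# NOT code from grub-live or the Kicksecure documentation. Assumption: live mode
# is an overlay root whose upper (writable) layer is a tmpfs. Input format is
# that of /proc/mounts: device mountpoint fstype options dump pass.
# Function names and the sample lines below are constructed for this example.

# Constructed /proc/mounts-style samples (not captured from a real system).
SAMPLE_LIVE='overlay / overlay rw,relatime,lowerdir=/run/live/rootfs,upperdir=/run/live/overlay/rw,workdir=/run/live/overlay/work 0 0
tmpfs /run/live/overlay tmpfs rw,relatime 0 0'
SAMPLE_DISK_OVERLAY='overlay / overlay rw,relatime,lowerdir=/run/live/rootfs,upperdir=/persist/overlay/rw,workdir=/persist/overlay/work 0 0
/dev/vda2 /persist ext4 rw,relatime 0 0'
SAMPLE_PERSISTENT='/dev/vda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0'

# Print "live" when "/" is an overlay filesystem, "persistent" otherwise.
# $1: text in /proc/mounts format
root_mode() {
    printf '%s\n' "$1" | awk '$2 == "/" {
        mode = ($3 == "overlay") ? "live" : "persistent"
        print mode; exit
    }'
}

# Print the upperdir= option of the overlay mounted on "/" (empty if none).
root_upperdir() {
    printf '%s\n' "$1" | awk '$2 == "/" && $3 == "overlay" {
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (index(opts[i], "upperdir=") == 1) { print substr(opts[i], 10); exit }
    }'
}

# Print the filesystem type holding path $2: the mount whose mountpoint is the
# longest prefix of the path wins, which is how the kernel resolves it too.
fstype_of_path() {
    printf '%s\n' "$1" | awk -v p="$2" '{
        mp = $2
        if (mp == "/" || p == mp || index(p, mp "/") == 1)
            if (length(mp) > best) { best = length(mp); fs = $3 }
    } END { print fs }'
}

# Verdict on where root writes land:
#   ram-backed  : root is an overlay and its upper layer is on tmpfs (live mode)
#   disk-backed : root is an overlay but its upper layer is on a disk filesystem
#   persistent  : root is an ordinary disk filesystem
live_mode_status() {
    mounts="$1"
    [ "$(root_mode "$mounts")" = "live" ] || { echo persistent; return 0; }
    upper=$(root_upperdir "$mounts")
    if [ "$(fstype_of_path "$mounts" "$upper")" = "tmpfs" ]; then
        echo ram-backed
    else
        echo disk-backed
    fi
}

# Print "ro" or "rw" for a block device from its sysfs read-only flag, or
# "unknown" if the device does not exist. A disk flagged read-only at this
# level cannot simply be remounted read-write from inside the guest.
# $1: sysfs block directory (normally /sys/block), $2: device name, e.g. vda
device_ro_flag() {
    flag=$(cat "$1/$2/ro" 2>/dev/null) || { echo unknown; return 0; }
    [ "$flag" = "1" ] && echo ro || echo rw
}

# Report on the system this script is actually running on, if it is Linux.
if [ -r /proc/mounts ]; then
    echo "root writes are: $(live_mode_status "$(cat /proc/mounts)")"
    for dev in /sys/block/vd* /sys/block/sd*; do
        [ -d "$dev" ] && echo "$(basename "$dev"): $(device_ro_flag /sys/block "$(basename "$dev")")"
    done
fi
```

Running the script directly prints the verdict for the current system. <code>disk-backed</code> is the case to watch for: a root overlay exists, but its changes are being written to a disk filesystem. A disk that reports <code>rw</code> through sysfs can still be remounted read-write by software inside the guest, which is exactly the gap that read-only hard drive mode closes.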
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = '''Tip:''' Since live mode sends every write to RAM, increasing the memory assigned to the VM will improve performance, for example if large files are regularly downloaded.
KS-GUEST specifics (Virtual Machine VM)
Helpful tips against attack vectors
To keep your live mode unaffected even by malware, memorize these instructions and follow them regularly.
'''Table:''' ''VM Live Mode Warnings''
! scope="col"| '''Domain'''
! scope="col"| '''Recommendations'''
| By itself, starting a VM in live mode is not amnesic. Many users are unaware that activities performed inside the VM [[Warning#live|might be stored on the host mass storage device (hard drive, HDD, SSD)]] in locations that are hard for most users to review. Extra steps must be performed on the host operating system to minimize these traces -- see [[Anti-Forensics Precautions]], or better, use [[Host Live Mode]].
| To prevent malware from remounting the hard drive as read-write, it is strongly recommended to use [[VM_Live_Mode/Read_Only_Mode_Hard_Drive|read-only hard drive mode]]. This raises the bar, as malware would then need to break out of the VM to gain persistence. Data can still leak if
* [[VM_Live_Mode/Read_Only_Mode_Hard_Drive|read-only hard drive mode]] is <u>not</u> configured and malware remounts the disk as read-write or breaks out of the VM; or
* [[VM_Live_Mode/Read_Only_Mode_Hard_Drive|read-only hard drive mode]] is configured and malware breaks out of the VM. <ref>There are two live mode options available, [https://github.com/{{project_name_short}}/grub-live <code>grub-live</code>] and [https://github.com/{{project_name_short}}/ro-mode-init <code>ro-mode-init</code>].
* <code>grub-live</code>: a new boot menu entry is created which must be selected manually; this is the better failsafe and hence the recommended option.
* <code>ro-mode-init</code>: the boot menu stays the same and the system automatically boots into live mode when it detects a read-only disk, otherwise it boots normally into persistent mode. The advantage of using this approach is that malware running in a VM cannot silently change settings to leave persistent traces.
** [[VM_Live_Mode/ro-mode-init|ro-mode-init documentation]]
** https://forums.whonix.org/t/whonix-live-mode-amnesia-amnesic-non-persistent-anti-forensics/3894/145
! scope="row"| Other Precautions
* <u>{{project_name_long}}</u>: It is recommended to regularly boot into persistent mode for installation of [[Update|updates]]. <br />
* <u>{{project_name_long}}</u>: If live mode is used with {{project_name_long}}, regularly booting into persistent mode is important to keep Tor's normal [[Tor_Entry_Guards|guard]] rotation schedule. <br />
* <u>KVM</u>: A hard shutdown of a VM can prevent the filesystem on a drive marked read-only from being loaded on the next boot. To avoid this possibility, do not use 'Force Off/Reset' on KVM.
# For the VERY FIRST START please start {{project_name_gateway_long}} '''in regular mode''' (the option is just named "{{project_name}}"), NOT in live mode. This will allow [[Tor]] to make use of [[Tor Entry Guards]] for some automatic initial setup.
# From the second start of {{project_name_gateway_long}} onward, '''IT IS RECOMMENDED''' to run it in live mode. This should eliminate any Tor-related cached data, such as DNS requests, that could leave traces about web activity. However, be warned that this may make your Tor behavior distinguishable from that of regular Tor users, which can weaken your anonymity a little bit:
## <u>Consensus files</u>: These files will be (re-)downloaded more frequently.
## <u>Tor guards</u>: When switching to a new guard after some months have passed. <ref>
https://forums.whonix.org/t/whonix-live-mode-amnesia-amnesic-non-persistent-anti-forensics/3894/127
'''1.''' Shut down the {{project_name_long}} VM.
'''2.''' Power on the {{project_name_long}} VM.
'''3.''' During the [[grub]] boot menu wait until you see the following.
Develop a very basic understanding of the following screenshot; consider the explanation below. Expected time requirement: 1 - 3 minutes.
'''Figure:''' ''<code>Persistent</code> Mode Boot''
[[File:Grub-persistent_mode_indicator_in_kicksecure.cleaned.png|Persistent Mode Boot|800px]]
The following screenshot shows 4 boot options in the boot menu.
* [[File:asterisk_symbol.png|20px]] <code>{{project_name_short}} GNU/Linux</code>
* <code>Advanced options for {{project_name_short}} GNU/Linux</code>
* <code>{{project_name_short}} Live-mode GNU/Linux</code>
* <code>Advanced options for {{project_name_short}} Live-mode GNU/Linux</code>
The [[File:asterisk_symbol.png|20px]] in the first option indicates that this is the currently selected boot option.
The white text color on the blue background further indicates the currently selected boot option; boot options that are not selected have light blue text. This is illustrated by the first option, [[File:asterisk_symbol.png|20px]] <code>{{project_name_short}} GNU/Linux</code>, being written in white instead of light blue.
'''4.''' Use the arrow keys on the keyboard to switch to the live mode entry.
'''Figure:''' ''Live Mode Boot (<code>non-persistent</code>)''
[[File:Grub-persistent_mode_indicator_in_kicksecure.cleaned.png|Live Mode Boot|800px]]
The system is booting into live mode.