VM Live Mode: Stop Persistent Malware

From Kicksecure
Revision as of 10:12, 9 November 2022 by Hans1 (talk | contribs) (Created page with "{{Header}} {{Title| title=VM Live Mode: Stop Persistent Malware }} {{#seo: |description=Read-only mode. Make all writes go to non-persistent memory (RAM) instead of the hard disk. This is NOT an anti-forensics feature! For anti-forensics, check out Host Live Mode. |image=Grub-live_mode_indicator_in_kicksecure.shortened.png }} <div class="intro-p"> {{project_name_long}} can be booted in Live Mode - meaning after your session {{project_name_long}} forgets everything you've...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Kicksecure can be booted in Live Mode - meaning after your session Kicksecure forgets everything you've done, nothing is saved. This is a long requested feature for sensitive data use cases and is available for Kicksecure as host OS as well as Kicksecure as guest OS.

VM Live Mode boot option selected in boot menu. (more screenshots)

Introduction

A live mode offers to use an operating system (OS) without leaving any traces. The system is started in live mode, all software can be used as normal, files can be saved, tasks can be accomplished, but after the session all data is lost and gone. This is especially important for use cases where sensitive temporary data is involved.

This is accomplished by use of the grub-live packagearchive.org iconarchive.today icon, a package that is developed and maintained under the [[1]archive.org iconarchive.today icon] umbrella. Grub-live can also be used by other Linux distributions.

Kicksecure live mode can be used if Kicksecure is a guest OS or a host OS itself. A host operating system (OS) is a system with root privileges that runs directly on the hardware. A guest OS is a system that runs inside a virtual machine. Kicksecure can be booted into live mode in both cases. We will use KS-HOST on this page if Kicksecure is a host OS and we will use KS-GUEST if Kicksecure is a guest OS.

NOTE: This is unfortunately not available in Template:Q project name, but available in all other Kicksecure variants.

What data will be forgotten?

Booting into live mode will ensure all disk writes to the virtual hard drive are forgotten after shutdown because all writes go to volatile memory (RAM) instead of the hard disk. In other words, after shutdown everything that happened during a previous boot session will not be visible (persist) on the virtual hard drive, including:

  • everything that is created / changed / downloaded
  • any websites visited, files downloaded or documents created; and
  • any other modifications of the virtual hard drive or activity history.
  • This also holds true for malicious changes made by malware.

Info Tip: Since live mode makes each write go to RAM, increasing the memory assigned to the VM will improve performance; for example, if large files are regularly downloaded.

KS-GUEST specifics (Virtual Machine VM)

Helpful tips against attack vectors

To keep your live mode unaffected even by malware memorize these instructions and follow them regularly.

Table: VM Live Mode Warnings

Domain Recommendations
Forensics By itself, starting a VM in live mode is not amnesic. Many users are unaware that activities performed inside the VM might be stored on the host mass storage device (hard drive, HDD, SSD) in locations that are hard to review (for the majority). Extra steps must be performed on the host operating system to minimize these traces -- see Anti-Forensics Precautions, or better, use Host Live Mode.
Malware To prevent malware from remounting the hard drive as read-write it is strongly recommended to use read-only hard drive mode. This raises the bar as malware would need to break out of the VM to gain persistence, because there might be data leaks if
Other Precautions
  • Kicksecure: It is recommended to regularly boot into persistent mode for installation of updates.
  • Kicksecure: If live mode is used with Kicksecure, regularly booting into persistent mode is important to keep Tor's normal guard rotation schedule.
  • KVM: Hard shutdowns of a VM can prevent loading of the filesystem with a read-only marked drive on next boot. Do not use 'Force Off/Reset' on KVM to avoid this possibility.

Getting Started

Preparation

  1. For the VERY FIRST START please start Kicksecure in regular mode (the option is just named "Template:Project name"), NOT in live mode. This will allow Tor to make use of Tor Entry Guards for some automatic initial setup.
  2. From the second start of Kicksecure IT IS RECOMMENDED to run it in live mode. This should eliminate any Tor-related cached data like DNS requests that could leave traces about web activity. However be warned that it may make your Tor behavior distinguishable from regular Tor users which can weaken your anonymity a little bit
    1. Consensus files: These files will be (re-)downloaded more frequently.
    2. Tor guards: When switching to a new guard after some months have passed. [2]

Starting Live Mode

1. Shut down the Kicksecure VM.

2. Power on the Kicksecure VM.

3. During the grub boot menu wait until you see the following.

Develop a very basic understand of the following screenshot. Consider the explanation below. Expected time requirement: 1 - 3 minutes.

Figure: Persistent Mode Boot

Persistent Mode Boot

The following screenshot shows 4 boot options in the boot menu.

  • Kicksecure GNU/Linux
  • Advanced options for Kicksecure GNU/Linux
  • Kicksecure Live-mode GNU/Linux
  • Advanced options forKicksecure Live-mode GNU/Linux

The in the first option indicates that this is the currently selected boot option.

The white text color on the blue background further indicates the currently selected boot option. Other boot options currently unselected have light blue text color.

This is also illustrated by the first option with the Kicksecure GNU/Linux also being written in white color instead of light blue color.

4. Use the arrow key on the keyboard to switch to live mode.

Figure: Live Mode Boot (non-persistent)

Live Mode Boot

5. Press enter.

6. Done.

The system is booting into live mode.

  1. There are two live mode options available, grub-livearchive.org iconarchive.today icon and ro-mode-initarchive.org iconarchive.today icon.
  2. https://forums.whonix.org/t/whonix-live-mode-amnesia-amnesic-non-persistent-anti-forensics/3894/127archive.org iconarchive.today icon
Retrieved from "https://www.kicksecure.com/w/index.php?title=Live_Mode&oldid=64776"