updated the sensitivevm tutorial

This commit is contained in:
nihilist 2024-11-30 22:55:39 +01:00
parent ad30d67903
commit 2ab9353fd0
5 changed files with 52 additions and 10 deletions

Binary file not shown.

Before

Width:  |  Height:  |  Size: 363 KiB

After

Width:  |  Height:  |  Size: 320 KiB


Binary file not shown.

Before

Width:  |  Height:  |  Size: 93 KiB

After

Width:  |  Height:  |  Size: 286 KiB


BIN
opsec/sensitivevm/43.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 214 KiB

View file

@ -85,7 +85,7 @@
<div class="container"> <div class="container">
<div class="row"> <div class="row">
<div class="col-lg-8 col-lg-offset-2"> <div class="col-lg-8 col-lg-offset-2">
<h2><b>Deniability Requirement</b></h2> </br> </br> <h2><b>Deniability Requirements</b></h2> </br> </br>
<p>First of all as you have seen, the requirement is that we do this setup from the Host OS, in <a href="../livemode/index.html">live mode</a>. That is because we want to make sure that there is no forensic evidence to be saved on the system drive as we have explained <a href="../livemode/index.html">previously.</a> </p> <p>First of all as you have seen, the requirement is that we do this setup from the Host OS, in <a href="../livemode/index.html">live mode</a>. That is because we want to make sure that there is no forensic evidence to be saved on the system drive as we have explained <a href="../livemode/index.html">previously.</a> </p>
<img src="../livemode/4.png" class="imgRz"> <img src="../livemode/4.png" class="imgRz">
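Review bot: the `</br>` tags after the renamed heading (`<h2><b>Deniability Requirements</b></h2> </br> </br>`) are not valid HTML; there is no closing form of `br`, and browsers only render it as a stray line break through error recovery. Since the heading line is being touched anyway, replace them with `<br>`; the same pattern appears on the other `<h2>` lines in this file.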
@ -101,10 +101,39 @@
<div class="row"> <div class="row">
<div class="col-lg-8 col-lg-offset-2"> <div class="col-lg-8 col-lg-offset-2">
<h2><b>How to setup the VMs inside the Hidden Volume</b></h2> </br> </br> <h2><b>How to setup the VMs inside the Hidden Volume</b></h2> </br> </br>
<p>So before we start, make sure you reboot the Host OS to go into live mode:</p> <p>So before we start, make sure you reboot the Host OS to go into live mode</p>
<img src="../deniability/7.png" class="imgRz">
<p>Then, once in live mode we're going to setup our veracrypt volumes on our 500Gb harddrive:</p> <img src="../deniability/7.png" class="imgRz">
<p> <b>or boot from a usb stick that has a debian live image if you are in the usecase where the adversary can't be told you are using kicksecure packages</b>:</p>
<img src="../livemode/9.png" class="imgRz">
<p>Then, once in live mode <b>if you are in the usecase where you cannot reveal to the adversary that there is veracrypt installed on the host OS, make sure you install it everytime you boot into live mode.</b> To do speed up the installation process we're going to use the VPS we showcased <a href="../veracrypt/index.html">previously</a> to install both veracrypt and the emergency shutdown script:</p>
<pre><code class="nim">
nothing@debian:~$ scp root@65.109.30.253:/root/sensitive_scripts/vc.deb .
root@65.109.30.253's password:
vc.deb 100% 8995KB 1.9MB/s 00:04
nothing@debian:~$ sudo dpkg -i vc.deb
nothing@debian:~$ sudo apt install -f
nothing@debian:~$ sudo dpkg -i vc.deb
nothing@debian:~$ which veracrypt
/usr/bin/veracrypt
nothing@debian:~$ scp root@65.109.30.253:/root/sensitive_scripts/shutdown.sh .
nothing@debian:~$ chmod +x shutdown.sh
nothing@debian:~$ veracrypt
</pre></code>
<p>We briefly make sure that the shutdown.sh script is hooked up to the <b>SUPER+R</b> key to make sure we can quickly shutdown the computer in case if an adversary were to bust down our door:</p>
<img src="../livemode/5.png" class="imgRz">
<img src="../livemode/6.png" class="imgRz">
<p>And now that we did the post-live-boot initial setup, we can start to setup our veracrypt volumes on our 500Gb harddrive:</p>
<img src="2.png" class="imgRz"> <img src="2.png" class="imgRz">
<img src="3.png" class="imgRz"> <img src="3.png" class="imgRz">
<p>Here we're using a non-system drive, as we want to be able to store our veracrypt hidden volume contents in a persistent manner, accross reboots. (if we were to have the veracrypt volume on the system drive, it would be wiped off upon rebooting since the Host OS is in live mode.)</p> <p>Here we're using a non-system drive, as we want to be able to store our veracrypt hidden volume contents in a persistent manner, accross reboots. (if we were to have the veracrypt volume on the system drive, it would be wiped off upon rebooting since the Host OS is in live mode.)</p>
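Review bot: the new bootstrap sequence (`scp root@65.109.30.253:/root/sensitive_scripts/vc.deb .` followed by `sudo dpkg -i vc.deb`, then the same for `shutdown.sh`, which is later bound to Super+R) installs a package and an executable fetched over the network with no integrity check, and it is repeated on every boot. Because live mode discards everything on the system drive (as the paragraph closing this hunk states), `~/.ssh/known_hosts` is gone at each boot too, so every `scp` here is a fresh trust-on-first-use connection authenticated only by the password prompt shown at `root@65.109.30.253's password:`; a reader following this accepts whatever host answers at that IP. Suggest adding a step that compares `sha256sum vc.deb` and `sha256sum shutdown.sh` against values the reader has noted down from the original Launchpad download and from their own script before running `dpkg -i` or `chmod +x`, and pinning the VPS host key (key-based auth would also remove the password prompt). Two smaller points on the same hunk: "To do speed up the installation process" should read "To speed up the installation process", and the new block closes as `</pre></code>` although the tags were opened as `<pre><code class="nim">`, so the closing order should be `</code></pre>`, as the veracrypt page in this same commit already does.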
@ -335,6 +364,7 @@ Network Whonix-Internal has been undefined
<div class="row"> <div class="row">
<div class="col-lg-8 col-lg-offset-2"> <div class="col-lg-8 col-lg-offset-2">
<h2><b>Setting up the Decoy volume</b></h2> </br> </br> <h2><b>Setting up the Decoy volume</b></h2> </br> </br>
<p>If you are in the usecase where you cannot reveal to the adversary that you have veracrypt installed (meaning veracrypt will only be installed in live mode) you can skip this entire section. As the adversary won't even be aware that the non-system drive is encrypted using veracrypt.</p>
<p>Now that we have setup the hidden volume, let's close it so that we can setup the decoy volume (dont forget to exit the drive from the commandline, otherwise veracrypt will complain that the drive is busy):</p> <p>Now that we have setup the hidden volume, let's close it so that we can setup the decoy volume (dont forget to exit the drive from the commandline, otherwise veracrypt will complain that the drive is busy):</p>
<pre><code class="nim"> <pre><code class="nim">
[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1] [ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
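Review bot: the added paragraph's advice to "skip this entire section" when veracrypt is only installed in live mode conflicts with the later guidance in this same file to "ONLY give your decoy password to the adversary": without the decoy (outer) volume there is no decoy password to hand over, and the cover story about an adult-content stash cannot be used either. Suggest either keeping the decoy volume step mandatory, or rewriting the paragraph to say that in this use case the reader forgoes the decoy password and must instead stand by the "drive full of random data" explanation, spelling out that consequence. Also, "you can skip this entire section. As the adversary won't even be aware" splits one sentence into a fragment; join the two with a comma.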
@ -581,6 +611,13 @@ kill $(pidof veracrypt)
/sbin/shutdown -h now /sbin/shutdown -h now
</pre></code> </pre></code>
<p>before we continue, dont forget to update it on your VPS, so you can reuse it next time:</p>
<pre><code class="nim">
nihilist@mainpc:~$ scp shutdown.sh root@65.109.30.253:/root/sensitive_scripts/shutdown.sh
</pre></code>
<p>Then, we need to make sure that the shutdown.sh script can be ran with the <b>"Super+R"</b> shortcut:</p> <p>Then, we need to make sure that the shutdown.sh script can be ran with the <b>"Super+R"</b> shortcut:</p>
<img src="41.png" class="imgRz"> <img src="41.png" class="imgRz">
<p>And we're now all setup! So let's try it out in both scenarios (from the decoy volume, and from the hidden volume):</p> <p>And we're now all setup! So let's try it out in both scenarios (from the decoy volume, and from the hidden volume):</p>
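Review bot: the upload `scp shutdown.sh root@65.109.30.253:/root/sensitive_scripts/shutdown.sh` is shown from `nihilist@mainpc`, whereas every other command in this tutorial runs on the live-mode host as `nothing@debian`, so it is unclear which machine is meant to edit and upload the script. This matters for the workflow: in live mode the edited local copy disappears at reboot, so the upload has to happen before the Super+R shortcut is relied on, and the upload overwrites the only persistent copy in place, so a broken edit is what every future boot will pull down. Suggest stating explicitly that the edit and upload happen on the live host before the first emergency-shutdown test, and keeping a backup name on the VPS (for example `shutdown.sh.bak`, a hypothetical name) rather than overwriting.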
@ -591,11 +628,12 @@ kill $(pidof veracrypt)
<!-- +++++ Second Post +++++ --> <!-- +++++ Second Post +++++ -->
<div id="anon1"> <div id="anon2">
<div class="container"> <div class="container">
<div class="row"> <div class="row">
<div class="col-lg-8 col-lg-offset-2"> <div class="col-lg-8 col-lg-offset-2">
<h2><b>Decoy Volume Scenario (watching non-sensitive content)</b></h2> <h2><b>Decoy Volume Scenario (watching non-sensitive content)</b></h2>
<p>As stated before, this part is relevant only if you are in the usecase where veracrypt remains installed on the host OS outside of live mode. You can skip that part if you are keeping veracrypt installed only in live mode.</p>
<p>So first we open the veracrypt, and open the decoy volume:</p> <p>So first we open the veracrypt, and open the decoy volume:</p>
<img src="21.png" class="imgRz"> <img src="21.png" class="imgRz">
<img src="22.png" class="imgRz"> <img src="22.png" class="imgRz">
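Review bot: swapping `<div id="anon1">` to `anon2` here (and back again in the hunk below) relocates the `#anon1` and `#anon2` anchors onto different sections, so any existing link or table of contents pointing at them now lands on the other section; confirm the swap is intended and update those links. Minor wording in the added paragraph: "You can skip that part" should be "this part" to match the sentence before it.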
@ -623,18 +661,22 @@ kill $(pidof veracrypt)
<!-- +++++ Second Post +++++ --> <!-- +++++ Second Post +++++ -->
<div id="anon2"> <div id="anon1">
<div class="container"> <div class="container">
<div class="row"> <div class="row">
<div class="col-lg-8 col-lg-offset-2"> <div class="col-lg-8 col-lg-offset-2">
<h2><b>In what context is there Deniability ?</b></h2> <h2><b>In what context is there Deniability ?</b></h2>
<p>With this setup, you have deniability the moment that the Host OS finishes shutting down, regarding the existance of the veracrypt hidden volume, and the whonix sensitive VMs that are in it. <b>Meaning that it is impossible for an adversary that seizes your computer to prove the existance of the Whonix Sensitive VMs after the Host OS finished shutting down.</b></p> <p>With this setup, you have deniability the moment that the Host OS finishes shutting down, regarding the existance of the veracrypt hidden volume, and the whonix sensitive VMs that are in it. <b>Meaning that it is impossible for an adversary that seizes your computer to prove the existance of the Whonix Sensitive VMs after the Host OS finished shutting down.</b></p>
<p>Below is all an adversary will be able to see, if he were to seize your laptop after you manage to shut it down:</p> <p>If you leave veracrypt and shutdown.sh on the host OS, below is all an adversary will be able to see , if he were to seize your laptop after you manage to shut it down:</p>
<img src="40.png" class="imgRz"> <img src="40.png" class="imgRz">
<p>Of course, if you are ever forced to, <b>ONLY give your decoy password to the adversary.</b> The existance of the hidden volume, and of the secret password thats used to reveal it must remain a secret at all costs, it must remain known only by you.</p> <p>Of course, if you are ever forced to, <b>ONLY give your decoy password to the adversary.</b> The existance of the hidden volume, and of the secret password thats used to reveal it must remain a secret at all costs, it must remain known only by you.</p>
<p>If you are ever dragged into court, <b>the judge will appreciate much more if you actually hand over your laptop, and show that you are willing to cooperate with the authorities by providing your password to unlock it</b>, rather than starting to pretend you forgot your password (which can end badly like in <a href="https://lawblog.legalmatch.com/2018/07/23/florida-man-jailed-allegedly-forgetting-password-on-cell-phones/">this court case</a>, where the defendant was found to be in contempt of court, and thrown in jail for 6 months for it). </p> <p>If you are ever dragged into court, <b>the judge will appreciate much more if you actually hand over your laptop, and show that you are willing to cooperate with the authorities by providing your password to unlock it</b>, rather than starting to pretend you forgot your password (which can end badly like in <a href="https://lawblog.legalmatch.com/2018/07/23/florida-man-jailed-allegedly-forgetting-password-on-cell-phones/">this court case</a>, where the defendant was found to be in contempt of court, and thrown in jail for 6 months for it). </p>
<p>If ever asked by the authorities on why you used veracrypt in your laptop, you can simply claim that it was to put your stash of adult content in it. Nothing incriminating about it, and it is plausible given that you dont want that laying around on your desktop, due to being of a private matter.</p> <p>If ever asked by the authorities on why you used veracrypt in your laptop, you can simply claim that it was to put your stash of adult content in it. Nothing incriminating about it, and it is plausible given that you dont want that laying around on your desktop, due to being of a private matter.</p>
<p>Now in the usecase where you are not leaving veracrypt and shutdown.sh on the host OS, below is what the adversary can see:</p>
<img src="43.png" class="imgRz">
<p>Since there is no emergency shutdown script, nor any Veracrypt to be found. The adversary can't figure out that the non-system drive has been encrypted with Veracrypt, nor that you are hiding anything in it, all that the adversary can see is that the drive is filled with random meaningless data.</p>
</div> </div>
</div><!-- /row --> </div><!-- /row -->
</div> <!-- /container --> </div> <!-- /container -->
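Review bot: the new closing paragraph overstates the result: "The adversary can't figure out that the non-system drive has been encrypted with Veracrypt, nor that you are hiding anything in it" is stronger than what the unchanged sentence above it claims ("impossible ... to prove the existance"), and a non-system drive that carries no partition table or filesystem and is filled end to end with uniformly random data is itself a conspicuous observation; the absence of a veracrypt binary on the host does not explain it away. Suggest aligning the wording with the earlier sentence (the adversary cannot prove that the drive holds an encrypted volume or what it contains) and noting that the reader still needs an explanation for a drive full of random data, which in this use case cannot be the decoy-volume story. Also "Since there is no emergency shutdown script, nor any Veracrypt to be found." is a fragment that should join the next sentence with a comma, and "Veracrypt" is capitalized here but written "veracrypt" everywhere else on the page.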

View file

@ -103,7 +103,7 @@ regarding wear leveling:
<img src="1.png" class="imgRz"> <img src="1.png" class="imgRz">
<pre><code class="nim"> <pre><code class="nim">
[ mainpc ] [ /dev/pts/1 ] [~/Downloads] [ mainpc ] [ /dev/pts/1 ] [~/Downloads]
→ wget https://launchpad.net/veracrypt/trunk/1.26.7/+download/veracrypt-1.26.7-Debian-12-amd64.deb → wget https://launchpad.net/veracrypt/trunk/1.26.7/+download/veracrypt-1.26.7-Debian-12-amd64.deb -O vc.deb
</code></pre> </code></pre>
<p>If you are using a VPS to help speed up the initial setup everytime you boot into live mode like we have <a href="../livemode/index.html">showcased previously</a>, you can also use it to store the veracrypt .deb file for you, to make it easier to retrieve each time:</p> <p>If you are using a VPS to help speed up the initial setup everytime you boot into live mode like we have <a href="../livemode/index.html">showcased previously</a>, you can also use it to store the veracrypt .deb file for you, to make it easier to retrieve each time:</p>
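Review bot: adding `-O vc.deb` drops the version from the filename (`veracrypt-1.26.7-Debian-12-amd64.deb`), so the copy later stored on the VPS and re-fetched on every boot carries no indication of which release it is, and nothing after the download verifies it. Since this line is the one place where the package is obtained from upstream, it is the right spot to record its `sha256sum` (and to check it against the checksum published for that release) so the value can be compared after each re-download from the VPS; consider keeping the version in the filename or mentioning 1.26.7 in the surrounding text so a reader knows when the stored package is stale.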
@ -153,13 +153,13 @@ vc.deb: Debian binary package (format 2.0), with control.tar.gz, data compressio
<p>And then to install it you can do it like so:</p> <p>And then to install it you can do it like so:</p>
<pre><code class="nim"> <pre><code class="nim">
[ mainpc ] [ /dev/pts/1 ] [~/Downloads] [ mainpc ] [ /dev/pts/1 ] [~/Downloads]
→ sudo dpkg -i veracrypt-1.26.7-Debian-12-amd64.deb → sudo dpkg -i vc.deb
[ mainpc ] [ /dev/pts/1 ] [~/Downloads] [ mainpc ] [ /dev/pts/1 ] [~/Downloads]
→ sudo apt install -f → sudo apt install -f
[ mainpc ] [ /dev/pts/1 ] [~/Downloads] [ mainpc ] [ /dev/pts/1 ] [~/Downloads]
→ sudo dpkg -i veracrypt-1.26.7-Debian-12-amd64.deb → sudo dpkg -i vc.deb
[ mainpc ] [ /dev/pts/1 ] [~/Downloads] [ mainpc ] [ /dev/pts/1 ] [~/Downloads]
→ which veracrypt → which veracrypt
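Review bot: the `sudo dpkg -i vc.deb` / `sudo apt install -f` / `sudo dpkg -i vc.deb` sequence relies on the first `dpkg -i` failing on unmet dependencies, but the transcript does not show that failure or explain why the same command is run twice, which will confuse a reader whose first attempt behaves differently. Suggest a one-line explanation in the text, or replacing the three commands with `sudo apt install ./vc.deb`, which resolves the dependencies and installs the local package in one step (the leading `./` is what tells apt it is a file path rather than a package name).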