oxeo0/blog-contributions
1
0
Fork 0
mirror of http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions.git synced 2025-07-02 06:46:42 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

livemode rewritten + internet segmentation polished

Browse source
This commit is contained in:
nihilist 2025-04-01 12:22:49 +02:00
parent 476b853168
commit c64eb7c369
16 changed files with 914 additions and 688 deletions
Download patch file Download diff file Expand all files Collapse all files

296
graphs/.$opsec-main-tutorials.drawio.bkp
View file

File diff suppressed because one or more lines are too long

121
graphs/.$sensitivevms.drawio.bkp
View file

File diff suppressed because one or more lines are too long

296
graphs/opsec-main-tutorials.drawio
View file

File diff suppressed because one or more lines are too long

47
graphs/sensitivevms.drawio
View file

File diff suppressed because one or more lines are too long

4
opsec/index.html
View file

@ -84,7 +84,7 @@
</br> <p>📝 Explaining OPSEC ⭐</p>
<ol>
<li><a href="http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/70"></a><a href="opsec4levels/index.html"> Audit your OPSEC and determine the appropriate internet use</a><img src="logos/su2.png" class="logo"><img src="logos/su0.png" class="logo"><img src="logos/on0.png" class="logo"><img src="logos/de0.png" class="logo"></li>
<li><a href="http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/71">🚧</a><a href="internetsegmentation/index.html"> Internet usage segmentation (QEMU VMs + Identity Management)</a><img src="logos/kvm.png" class="logo"><img src="logos/su2.png" class="logo"><img src="logos/su0.png" class="logo"><img src="logos/on0.png" class="logo"><img src="logos/de0.png" class="logo"></li>
<li><a href="http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/71"></a><a href="internetsegmentation/index.html"> Internet usage segmentation (QEMU VMs + Identity Management)</a><img src="logos/kvm.png" class="logo"><img src="logos/su2.png" class="logo"><img src="logos/su0.png" class="logo"><img src="logos/on0.png" class="logo"><img src="logos/de0.png" class="logo"></li>
<li><a href="http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/72"></a><a href="opsec/index.html"> OPSEC: Using the right Technology and Behavior </a><img src="logos/su2.png" class="logo"><img src="logos/su0.png" class="logo"><img src="logos/on0.png" class="logo"><img src="logos/de0.png" class="logo"></li>
<li><a href="http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/56"></a><a href="multiple_identities/index.html"> How to maintain multiple Identities Online</a><img src="logos/on0.png" class="logo"></li>
<li><a href="http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/232">❌ Public Chats / Private Chats / Anonymous Chats / Deniable Chats</a></li>
@ -311,7 +311,7 @@
<p>💻 Clientside - Getting Started </p>
<ol>
<li><a href="http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/92"></a><a href="tailsqemuvm/index.html"> Tails OS for Easy Temporary Sensitive Use</a><img src="logos/tails.png" class="logo"></li>
<li><a href="http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/160">🚧</a><a href="livemode/index.html"> Using the Host-OS in live-mode to enable Sensitive Use</a><img src="logos/poweroff.png" class="logo"></li>
<li><a href="http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/160"></a><a href="livemode/index.html"> Using the Host-OS in live-mode to enable Sensitive Use</a><img src="logos/poweroff.png" class="logo"></li>
<li><a href="http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/255">🚧</a><a href="veracrypt/index.html"> The main source of Plausible Deniability: Deniable Encryption</a><img src="logos/veracrypt.png" class="logo"></li>
<li><a href="http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/256">🚧</a><a href="sensitivevm/index.html"> Sensitive use VMs Setup (Whonix VMs in a Veracrypt Hidden Volume)⭐</a><img src="logos/poweroff.png" class="logo"><img src="logos/veracrypt.png" class="logo"><img src="logos/whonix.png" class="logo"></li>
<li><a href="http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/130">🚧</a><a href="plausiblydeniabledataprotection/index.html"> Plausibly Deniable Critical Data Backups</a><img src="logos/veracrypt.png" class="logo"></li>

18
opsec/internetsegmentation/index.html
View file

@ -84,7 +84,7 @@
<p><u>Internet Uses:</u></p>
<ol>
<li><p><u>Public use</u>: What you do is public knowledge</p></li>
<li><p><u>Private use</u>: What you do is not meant to be known (private)</p></li>
<li><p><u>Private use</u>: What you do is NOT publicly known</p></li>
<li><p><u>Anonymous use</u>: What you do is meant to be done without revealing your identity</p></li>
<li><p><u>Sensitive use</u>: What you do is meant to remain secret at all cost, only to be known by you</p></li>
</ol>
@ -92,10 +92,10 @@
<img src="3.png" class="imgRz">
<p><u>Requirements:</u></p>
<ol>
<li><p><u>Public use</u>: No requirement ; you can use closed source software (meaning it's all public)</p></li>
<li><p><u>Private use</u>: only open source software, + you use a pseudonym, to practice privacy</p></li>
<li><p><u>Anonymous use</u>: open source, using a false identity to practice anonymity, not sensitive</p></li>
<li><p><u>Sensitive use</u>: open source, using an other false identity and must be plausibly deniable</p></li>
<li><p><u>Public use</u>: No requirement ; you can use closed source software (meaning it's all public), using your IRL identity</p></li>
<li><p><u>Private use</u>: only open source software, + you use a pseudonym instead of your IRL identity</p></li>
<li><p><u>Anonymous use</u>: open source, using a random, meaningless identity not sensitive</p></li>
<li><p><u>Sensitive use</u>: open source, using an other random meaningless identity, <b>AND if the adversary seizes the device, they musn't be able to prove the existance of the Sensitive VM</b></p></li>
</ol>
<p>Now with this we identified the 4 most typical internet use cases, and their requirements.</p>
</div>
@ -137,11 +137,11 @@
<p><u>Virtual Machines:</u></p>
<ol>
<li><p><u>Public use</u>: No requirement ; you can use a windows VM for all closed source software and KYC use</p></li>
<li><p><u>Private use</u>: you can use a Debian VM, with only open source software (ex:matrix and element)</p></li>
<li><p><u>Anonymous use</u>: you can use Whonix VMs, (can also have a with a Tor -> VPN setup) </p></li>
<li><p><u>Sensitive use</u>: You can use Whonix VMs, but they need to be inside a <a href="../anonymity/index.html">veracrypt hidden volume</a></p></li>
<li><p><u>Private use</u>: you can use a Debian VM, with only open source software (ex: <a href="../privatesimplex/index.html">SimpleX chat</a>)</p></li>
<li><p><u>Anonymous use</u>: you can use Whonix VMs (it forces every connection to go through Tor)</p></li>
<li><p><u>Sensitive use</u>: You can use Whonix VMs, but they need to be inside a <a href="../veracrypt/index.html">Veracrypt hidden volume</a></p></li>
</ol>
<p><u>Sidenote:</u> <a href="https://www.qubes-os.org/">QubesOS</a> is based off the same segmentation principle, that every use must remain isolated (or compartmentalized) into VMs, for specific uses. It also uses Linux and Whonix VMs, while using the Xen hypervisor instead of libvirtd QEMU/KVM, but the concept remains the same. </p>
<p><u>Sidenote:</u> <a href="../qubesos/index.html">QubesOS</a> is based off the same segmentation principle, that every use must remain isolated (or compartmentalized) into VMs, for specific uses. It also uses Linux and Whonix VMs, while using the Xen hypervisor instead of libvirtd QEMU/KVM, but the concept remains the same. </p>
</div>
</div><!-- /row -->

BIN
opsec/livemode/0.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 189 KiB

BIN
opsec/livemode/11.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 157 KiB

BIN
opsec/livemode/12.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 165 KiB

BIN
opsec/livemode/13.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 255 KiB

BIN
opsec/livemode/14.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 212 KiB

BIN
opsec/livemode/15.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 174 KiB

BIN
opsec/livemode/16.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 484 KiB

BIN
opsec/livemode/17.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 161 KiB

375
opsec/livemode/index.html
View file

@ -8,7 +8,7 @@
<meta name="author" content="">
<link rel="shortcut icon" href="../../../../../../assets/img/favicon.png">
<title>Using the Host-OS in live-mode to prepare for long-term Sensitive Use</title>
<title>Using the Host-OS in live-mode to enable Sensitive Use</title>
<!-- Bootstrap core CSS -->
<link href="../../assets/css/bootstrap.css" rel="stylesheet">
@ -56,34 +56,28 @@
<!-- +++++ Posts Lists +++++ -->
<!-- +++++ First Post +++++ -->
<div id="anon1">
<div id="anon3">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<a href="../index.html">Previous Page</a></br></br><p><img src="../../assets/img/user.png" width="50px" height="50px"> <ba>nihilist@mainpc - 2024-11-03</ba></p>
<h1>Using the Host-OS in live-mode to prepare for long-term Sensitive Use </h1>
<img src="../deniability/7.png" class="imgRz">
<p><h2><u>OPSEC Recommendations:</u></h2></p>
<ol>
<li><p>Hardware : (Personal Computer / Laptop)</p></li>
<li><p>System Harddrive: not LUKS encrypted <a href="https://www.kicksecure.com/wiki/Ram-wipe">[1]</a></p></li>
<li><p>Non-System Harddrive: 500Gb (will be used to contain our <a href="../veracrypt/index.html">Veracrypt</a> encrypted volumes)</p></li>
<li><p>Host OS: <a href="../linux/index.html">Linux</a></p></li>
<li><p>Hypervisor: <a href="../hypervisorsetup/index.html">QEMU/KVM</a></p></li>
</ol>
<p><img src="../logos/daturagit.png" style="width:100px"> <u>Sidenote:</u> Help us improve this tutorial by letting us know if there's anything missing or incorrect on this <a href="http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/160">git issue</a> directly!</p>
<a href="../index.html">Previous Page</a></br></br><p><img src="../../assets/img/user.png" width="50px" height="50px"> <ba>nihilist - 01 / 04 / 2025</ba></p>
<h1>Using the Host-OS in live-mode to enable Sensitive Use </h1>
<img src="0.png" class="imgRz">
<p><img src="../logos/daturagit.png" style="width:100px"> <u>Sidenote:</u> Help us improve this tutorial by letting us know if there's anything missing or incorrect on this <a href="http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/160">git issue</a> directly!</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /grey -->
<!-- +++++ Second Post +++++ -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<!-- +++++ Second Post +++++ -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>What is the usecase ?</b></h2>
<p>The main usecase of using your Host OS in live mode, is that you want to use it for long term sensitive activities (meaning, you want to save sensitive files on a harddrive). <b>As you're going to see, using the Host OS in live mode is effectively a hard requirement for deniability</b>.</p>
<p>When we are talking sensitive use, we are talking about our need of Deniability. Which means that we need to use deniable encryption using <a href="../veracrypt/index.html">Veracrypt's hidden volumes</a>:</p>
@ -91,83 +85,43 @@
<p>In theory it is impossible to prove the existence of the hidden volume by itself once it is closed, <b>and if there is no proof of it's existence our deniability is maintained.</b> </p>
<p>But the issue is that we have more variables that we also need to keep under control, on the Host OS side you have <b>system logs, kernel logs</b>, the various other <b>non-standard log files</b> that software is writing on the disk, and even <b>the content of the RAM itself</b> can be used to prove the existence of a hidden volume.</p>
<img src="3.png" class="imgRz">
<p>Now when you are using your computer for regular public, private and anonymous activities, normally you don't need to care about those things. But the Host OS is a potential goldmine of forensic evidence to be used against you, <b>so for sensitive use specifically we need to take care of it.</b></p>
<p>Now when you are using your computer for regular public, private and anonymous activities, normally you don't need to care about those things. But the Host OS is a potential goldmine of forensic evidence to be used against you if the device were to be seized, <b>so for sensitive use specifically we need to take care of it.</b></p>
<p>Now you could start to manually erase all logs, all kernel logs, all non-standard system logs, manually overwrite the RAM contents, but this is going to be way too tedious and you're likely to miss something. So we have one simple solution: <b>use the Host OS in live mode</b>.</p>
<p>Thanks to live mode, <b>we are able to load the entire Host OS in RAM directly</b>, allowing us to avoid writing anything on the system disk (no system logs, no kernel logs, no non-standard logs, <b>only ram contents to worry about</b>)</p>
<p>And since everything is loaded inside the RAM, <b>all we need is to reboot the computer to wipe all of the RAM contents</b>, effectively <b>erase all forensic evidence (and all potential forensic evidence) of the existence of the hidden volume in one simple action.</b></p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon1">
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<!-- +++++ Second Post +++++ -->
<div id="anon3">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Using Live Mode from the System Drive</b></h2> </br> </br>
<p>⚠️ <u>Deniability Disclaimer:</u> <b>This setup is only suitable if the adversary can be told that you are using Kicksecure, with the ram-wipe and grub-live packages, without it being a reason to throw you in jail. Do not proceed if that's the case.</b> ⚠️</p>
<p>⚠️ <u>Deniability Disclaimer:</u> <b>This setup is only suitable if the adversary can be told that you are using Kicksecure, without it being a reason to throw you in jail. Do not proceed if that's the case.</b> ⚠️</p>
<img src="4.png" class="imgRz">
<p>If the adversary won't put you in jail for having Kicksecure on the system drive, you can proceed to install Kickstart's apt repository to have the grub-live and ram-wipe packages:</p>
<p>If you have followed the <a href="../linux/index.html">"How to install Kicksecure as a Host OS"</a> tutorial, you already have the correct base to work on, since the operating system comes with the capability to enter Live mode from the grub boot menu: </p>
<img src="11.png" class="imgRz">
<p>To enter live mode, we simply restart the computer, and select the following boot entry:</p>
<img src="12.png" class="imgRz">
<p>Then as ususal, enter your passphrase to unlock your encrypted system drive:</p>
<img src="../linux/53.png" class="imgRz">
<p>And then once you boot back into your Host OS, you can run <b>lsblk</b> from a terminal to confirm that you are in live mode:</p>
<img src="13.png" class="imgRz">
<pre><code class="nim">
nothing@debian-tests:~$ su -
Password:
root@debian-tests:~# wget https://www.kicksecure.com/keys/derivative.asc
--2024-11-04 07:22:22-- https://www.kicksecure.com/keys/derivative.asc
Resolving www.kicksecure.com (www.kicksecure.com)... 95.216.66.124, 64:ff9b::5fd8:427c
Connecting to www.kicksecure.com (www.kicksecure.com)|95.216.66.124|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 77312 (76K) [application/octet-stream]
Saving to: derivative.asc
derivative.asc 100%[=====================================>] 75.50K --.-KB/s in 0.1s
2024-11-04 07:22:22 (794 KB/s) - derivative.asc saved [77312/77312]
root@debian-tests:~# sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
root@debian-tests:~# echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bookworm main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bookworm main contrib non-free
root@debian-tests:~# sudo apt-get update -y
Hit:1 http://security.debian.org/debian-security bookworm-security InRelease
Hit:2 http://deb.debian.org/debian bookworm InRelease
Hit:3 http://deb.debian.org/debian bookworm-updates InRelease
Get:4 https://deb.kicksecure.com bookworm InRelease [62.0 kB]
Get:5 https://deb.kicksecure.com bookworm/main amd64 Packages [37.6 kB]
Get:6 https://deb.kicksecure.com bookworm/contrib amd64 Packages [509 B]
Get:7 https://deb.kicksecure.com bookworm/non-free amd64 Packages [917 B]
Fetched 101 kB in 1s (73.7 kB/s)
Reading package lists... Done
</code></pre>
<p>Then we install the grub-live package, and the ram-wipe package <b>(warning, the ram-wipe package may cause your system to fail to boot in case if you encrypted the system drive using LUKS, click <a href="https://www.kicksecure.com/wiki/Ram-wipe">here</a> for more details on this)</b>. Therefore i recommend having the <a href="../linux/index.html">Host OS</a> system drive not encrypted until dracut supports LUKS encryption, but it shouldn't matter though, as the actual VMs that we'll be running will be on a non-system drive, which will be manually kept in <a href="../veracrypt/index.html">deniable encryption</a>.</p>
<pre><code class="nim">
root@debian-tests:~# apt install grub-live ram-wipe -y
[user ~]% lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sr0 11:0 1 1024M 0 rom
vda 253:0 0 200G 0 disk
├─vda1 253:1 0 4G 0 part /boot
└─vda2 253:2 0 196G 0 part
└─luks-24351c83-3657-4142-82d2-8f8a5787f406 254:0 0 196G 0 crypt /live/image
vdb 253:16 0 20G 0 disk
└─vdb1 253:17 0 20G 0 part
</pre></code>
<p>Once that's done, let's take a quick look at the mounted drives using the lsblk command:</p>
<pre><code class="nim">
nothing@debian-tests:~$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sr0 11:0 1 1024M 0 rom
vda 254:0 0 20G 0 disk
<b>├─vda1 254:1 0 19G 0 part /</b>
├─vda2 254:2 0 1K 0 part
└─vda5 254:5 0 975M 0 part [SWAP]
vdb 254:16 0 1G 0 disk
</code></pre>
<p>As you can see here, we are not yet in live mode, so you can see the vda1 system drive mounted in the root directory, meaning that by default everything that is written on the disk by the Host OS is actually being written into the disk, rather than the RAM. So let's reboot to get into live mode:</p>
<pre><code class="nim">
root@debian-tests:~# reboot now
</code></pre>
<p>and then when you reboot your host OS, you should see that there is a new boot option to choose from grub:</p>
<img src="../deniability/7.png" class="imgRz">
<p>So we select it to boot into the OS, and then we're in live mode!</p>
<p>As you can see, <b>the system drive /dev/vda is mounted in the /live/image mountpoint</b>, which confirms that we are now in live mode!</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
@ -177,40 +131,47 @@ root@debian-tests:~# reboot now
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Using Live Mode from a USB Stick</b></h2> </br> </br>
<p>⚠️ <u>Deniability Disclaimer:</u> <b>This setup is suitable if the adversary cannot be told that you are using Kicksecure, with the ram-wipe and grub-live packages, without it being a reason to throw you in jail.</b> ⚠️</p>
<p>If you are in the usecase where the adversary cannot be told that you are using kicksecure, <b>there is an innocent way of using live mode, by using a usb stick with the debian iso flashed on it</b>:</p>
<img src="7.png" class="imgRz">
<p>In order to have a USB stick with a debian iso flashed on it, we're going to copy the "how to install linux" tutorial i wrote <a href="../linux/index.html">here</a>, except that we're not going to use the netinstall debian iso file, but rather we'll use one of the <a href="https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/">"debian-live"</a> ISOs :</p>
<img src="8.png" class="imgRz">
<p>Then you can use dd to flash the iso on your usb stick:</p>
<h2><b>Testing Live Mode</b></h2> </br> </br>
<p>The main point of using live mode is that everything you write onto the system disk gets wiped upon reboot, so let's test the following:</p>
<img src="14.png" class="imgRz">
<p>We'll write the Test A.txt file into the system drive, and the Test B.txt file in a non-system drive:</p>
<pre><code class="nim">
nihilist@mainpc:~$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
[...]
sdc 8:32 1 14.6G 0 disk
└─sdc1 8:33 1 14.6G 0 part /media/nihilist/024F-D7E6
[...]
[user ~]% vim /home/user/TestA.txt
[user ~]% cat /home/user/TestA.txt
this is Test A: this file should no longer exist upon rebooting.
(because it sits on the system drive, while in livemode, meaning it's loaded in RAM)
nihilist@mainpc:~$ umount /media/nihilist/024F-D7E6
[user ~]% sudo mkdir /mnt/externaldisk
[user ~]% sudo mount /dev/vdb1 /mnt/externaldisk
nihilist@mainpc:~$ sudo dd bs=4M if=debian-live-12.8.0-amd64-cinnamon.iso of=/dev/sdc status=progress oflag=sync
3384803328 bytes (3.4 GB, 3.2 GiB) copied, 165 s, 20.5 MB/s
810+1 records in
810+1 records out
3399122944 bytes (3.4 GB, 3.2 GiB) copied, 165.953 s, 20.5 MB/s
[user ~]% sudo vim /mnt/externaldisk/TestB.txt
[user ~]% cat /mnt/externaldisk/TestB.txt
This is test B: the file should remain after rebooting, because it sits on a non-system drive
</code></pre>
<p><b>The test will pass if upon rebooting, if TestA.txt no longer exists, and TestB.txt still does, because one sits on the system drive, and not the other.</b> So let's reboot the host OS to test that:</p>
<pre><code class="nim">
[user ~]% sudo reboot now
</code></pre>
<img src="15.png" class="imgRz">
<img src="../linux/53.png" class="imgRz">
<p>And once booted in we check if TestA.txt has indeed disappeared, and if TestB.txt is still there:</p>
<img src="" class="imgRz">
<pre><code class="nim">
[user ~]% cat TestA.txt
cat: TestA.txt: No such file or directory
[user ~]% mount /dev/vdb1 /mnt/externaldisk
[user ~]% sudo mkdir /mnt/externaldisk
[user ~]% sudo mount /dev/vdb1 /mnt/externaldisk
[user ~]% cat /mnt/externaldisk/TestB.txt
This is test B: the file should remain after rebooting, because it sits on a non-system drive
</code></pre>
<p>And that's it! We have now validated that the TestA.txt file that was on the system drive while on live mode no longer exists after rebooting, and that the TestB.txt file on the non-system drive still exists, which validates that live mode works as intended.</p>
</pre></code>
<p>once you have the USB stick with debian on it, simply plug it in your computer, reboot your computer, and then boot on the usb stick after entering the BIOS/UEFI:</p>
<img src="../linux/18.png" class="imgRz">
<img src="../linux/19.png" class="imgRz">
<img src="../linux/20.png" class="imgRz">
<img src="../linux/21.png" class="imgRz">
<p>Next, select the usb key and then you can boot on it by choosing the <b>"Live system" option:</b> </p>
<img src="9.png" class="imgRz">
<img src="10.png" class="imgRz">
<p>And here as you can see we successfully entered livemode by booting into debian from the usb key directly, and we are able to see the other drives that are on the computer, without writing any data on them.</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
@ -222,183 +183,57 @@ nihilist@mainpc:~$ sudo dd bs=4M if=debian-live-12.8.0-amd64-cinnamon.iso of=/de
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Testing Live Mode</b></h2> </br> </br>
<p>now we're back into the host OS in live mode, let's first open a terminal and validate that we are in live mode by running lsblk:</p>
<h2><b>Wiping RAM upon reboots</b></h2> </br> </br>
<p>Now to make sure that the data doesn't sit in the memory sticks when the computer is rebooting (meaning to prevent cold-boot attacks), we make sure that the RAM gets wiped upon reboot, thanks to Kicksecure's <a href="https://www.kicksecure.com/wiki/Ram-wipe">ram-wipe</a> package:</p>
<pre><code class="nim">
nothing@debian-tests:~$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sr0 11:0 1 1024M 0 rom
vda 254:0 0 20G 0 disk
<b>├─vda1 254:1 0 19G 0 part /usr/lib/live/mount/medium
│ /usr/lib/live/mount/rootfs/filesystem
│ /run/live/medium
│ /run/live/rootfs/filesystem</b>
├─vda2 254:2 0 1K 0 part
└─vda5 254:5 0 975M 0 part [SWAP]
vdb 254:16 0 1G 0 disk
</code></pre>
<p>Here you can see that we have the <b>/dev/vda1 system drive</b> mounted under the <b>/run/live</b> and <b>/usr/lib/live</b> directories, so basically now everything that is normally being written into the system disk (like system logs, kernel logs, non-standard logs, and every other file) <b>is instead being written into the RAM, and not writing on the system disk at all.</b> </p>
<p>To test this, we'll create a file in the system drive:</p>
<pre><code class="nim">
nothing@debian-tests:~$ vim test.txt
nothing@debian-tests:~$ cat test.txt
THis has been written in the system disk vda1 from live mode !
</code></pre>
<p>and then we will create a file in the <b>non-system drive /dev/vdb</b> (which contains a <a href="../veracrypt/index.html">veracrypt</a> hidden volume):</p>
<img src="1.png" class="imgRz">
<pre><code class="nim">
nothing@debian-tests:~$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sr0 11:0 1 1024M 0 rom
vda 254:0 0 20G 0 disk
├─vda1 254:1 0 19G 0 part /usr/lib/live/mount/medium
│ /usr/lib/live/mount/rootfs/filesystem
│ /run/live/medium
│ /run/live/rootfs/filesystem
├─vda2 254:2 0 1K 0 part
└─vda5 254:5 0 975M 0 part [SWAP]
<b>vdb 254:16 0 1G 0 disk
└─veracrypt1 253:0 0 499.9M 0 dm /media/veracrypt1</b>
[user ~]% sudo apt install ram-wipe -y
nothing@debian-tests:~$ cd /media/veracrypt1/
nothing@debian-tests:/media/veracrypt1$ ls
lost+found
nothing@debian-tests:/media/veracrypt1$ vim test2.txt
nothing@debian-tests:/media/veracrypt1$ cat test2.txt
this is a test file written from live mode, into a non-system drive!
</code></pre>
<p>Then we simply reboot into the system-drive host OS in regular non-live mode to check if our first test file on the system drive is gone, and if the second test file on the non-system drive has been effectively saved:</p>
<img src="2.png" class="imgRz">
<p>And then we check that the first test file we created in the system drive is effectively not there anymore:</p>
</pre></code>
<p>once installed, upon rebooting you can see it in action:</p>
<pre><code class="nim">
nothing@debian-tests:~$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sr0 11:0 1 1024M 0 rom
vda 254:0 0 20G 0 disk
├─vda1 254:1 0 19G 0 part /
├─vda2 254:2 0 1K 0 part
└─vda5 254:5 0 975M 0 part [SWAP]
vdb 254:16 0 1G 0 disk
└─veracrypt1 253:0 0 499.9M 0 dm /media/veracrypt1
[user ~]% sudo reboot now
nothing@debian-tests:~$ cat test.txt
cat: test.txt: No such file or directory
</code></pre>
<p>And then we check if the file we created in the non-system veracrypt hidden volume is effectively still there:</p>
<pre><code class="nim">
nothing@debian-tests:~$ cat /media/veracrypt1/test2.txt
this is a test file written from live mode, into a non-system drive!
</code></pre>
<p>And that's it ! we have now validated that running the Host OS in live mode could protect our veracrypt hidden volume's existence from being proven, protecting our deniability. </p>
</pre></code>
<img src="16.png" class="imgRz">
<p>Here as you can see the TTY outputs tells us that the RAM contents are being wiped off. It also mentions that it is OK upon the boot sequence when it asks you to unlock your system drive: </p>
<img src="17.png" class="imgRz">
<p>Cold boot attacks (freezing memory sticks to make sure the data remains intact, and then attempting to boot into the OS from the data contained in those ramsticks alone) is a very unlikely attack that could happen when an adversary busts down your door to try and seize your devices:</p>
<img src="../cloud_provider_adversary/7.png" class="imgRz">
<p> But thanks to the ram-wipe mechanism we just implemented, as long as you make the host OS reboot before the adversary manages to put their hands on the computer, you are protecting against that scenario aswell. </p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon2">
<!-- +++++ Second Post +++++ -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Emergency Shutdown Script</b></h2> </br> </br>
<p>Now in order to make sure we can shutdown the Host OS quickly and fine-tune the shutdown sequence later depending on our needs, we can setup an emergency shutdown script, that can be ran by a non-root user in order to immediately shutdown the Host OS whenever we need it.</p>
<p>⚠️ <u>Deniability Disclaimer:</u> Proceed with the following part <b>in the system-drive outside of live mode, only if you can afford the adversary to see that you have an emergency shutdown script.</b> <u>If that is not an option, you're going to have to do this part manually every time you boot into live mode.</u> (meaning that upon rebooting, there won't be any emergency shutdown script to be found) ⚠️</p>
<p>First we need to make sure the user is able to run the shutdown command:</p>
<h2><b>Emergency Reboot Shortcut</b></h2> </br> </br>
<p>However there's a problem. Right now to reboot you need to click the desktop menu, click log out, and then click restart:</p>
<img src="11.png" class="imgRz">
<p>Obviously, when you have an adversary busting down your door, you don't have time to aim with your mouse and click 3 times to reboot your computer. Therefore, <b>To speed up the process of rebooting, we implement a simple reboot bashscript that we'll trigger using a single keystroke, thanks to a shortcut we configure:</b></p>
<pre><code class="nim">
nothing@debian:~$ su -
Password:
root@debian:~# visudo
[...]
nothing ALL=NOPASSWD:/sbin/shutdown
nothing ALL=NOPASSWD:/sbin/reboot
[...]
</pre></code>
<p>Then we create a simple shutdown.sh script:</p>
<pre><code class="nim">
nothing@debian:~$ vim shutdown.sh
nothing@debian:~$ cat shutdown.sh
[user ~]% vim reboot.sh
[user ~]% cat reboot.sh
#!/bin/bash
/sbin/shutdown -h now
/usr/bin/sudo /usr/sbin/reboot now
nothing@debian:~$ chmod +x shutdown.sh
[user ~]% chmod +x ./reboot.sh
</code></pre>
</pre></code>
<p>Then, you need to hook it up to a shortcut, such as <b>Super+R</b>, i'm going to do it in Cinnamon as this is the Desktop Environment i use:</p>
<img src="5.png" class="imgRz">
<img src="6.png" class="imgRz">
<p>And thats it! you now you have a shortcut that you can use to immediately shutdown the Host OS.</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon1">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Emergency Shutdown Script for live USB users</b></h2> </br> </br>
<p>⚠️ <u>Deniability Disclaimer:</u> Proceed with the following part <b>if you can't afford the adversary to find out that you have an emergency shutdown script.</b> ⚠️</p>
<p>If you are in this usecase, since you're going to have to do this setup at every bootup, you want to speed up the initial setup as much as you can, to help with that i recommend storing your sensitive use scripts on <a href="../anonymousremoteserver/index.html">a non-KYC VPS</a>, because that way, you only have to remember the IP of the VPS, and how to login there:</p>
<p>And we make sure that we can trigger it by pressing a single keystroke (right control):</p>
<pre><code class="nim">
nothing@debian:~$ ssh root@65.109.30.253
root@65.109.30.253's password:
Linux Datura 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64
xfconf-query -c xfce4-keyboard-shortcuts -n -t 'string' -p '/commands/custom/Control_R' -s /home/user/reboot.sh
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
</code></pre>
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Web console: https://localhost.localdomain:9090/ or https://65.109.30.253:9090/
<p>And that's it! <b>Now thanks to that setup, pressing the Right Control key is all you need</b> to reboot your Host OS, to effectively exit live mode, wipe off all the temporary disk writes that have been made on the system drive, AND also wipe off the RAM contents, <b>effectively making sure that there cannot be any trace left of what you were doing, while in live mode.</b></p>
You have mail.
Last login: Sat Nov 30 14:42:04 2024 from 91.90.40.175
[ Datura ] [ /dev/pts/0 ] [~]
→ mkdir sensitive_scripts
[ Datura ] [ /dev/pts/0 ] [~]
→ cd sensitive_scripts
[ Datura ] [ /dev/pts/0 ] [~/sensitive_scripts]
→ vim shutdown.sh
[ Datura ] [ /dev/pts/0 ] [~/sensitive_scripts]
→ cat shutdown.sh
#!/bin/bash
/sbin/shutdown -h now
</pre></code>
<p>The idea being that you manually get your scripts from the VPS upon each boot into live mode, that way you don't need to rewrite them from scratch every time, <b>and especially you are not storing them anywhere locally, where the adversary could find them</b> </p>
<p>To download the script you can simply run a scp command to download your scripts via SSH directly:</p>
<pre><code class="nim">
nothing@debian:~$ scp root@65.109.30.253:/root/sensitive_scripts/shutdown.sh .
root@65.109.30.253's password:
shutdown.sh 100% 35 0.3KB/s 00:00
nothing@debian:~$ cat shutdown.sh
#!/bin/bash
/sbin/shutdown -h now
nothing@debian:~$ chmod +x shutdown.sh
</pre></code>
<p>Now from here onwards, the setup is the as described above, you need to manually configure the shortcut to be able to use the shutdown script.</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->

445
opsec/livemode/old.html Normal file
View file

@ -0,0 +1,445 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="">
<link rel="shortcut icon" href="../../../../../../assets/img/favicon.png">
<title>Using the Host-OS in live-mode to prepare for long-term Sensitive Use</title>
<!-- Bootstrap core CSS -->
<link href="../../assets/css/bootstrap.css" rel="stylesheet">
<link href="../../assets/css/xt256.css" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="../../assets/css/main.css" rel="stylesheet">
<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
<script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script>
<![endif]-->
</head>
<body>
<!-- Static navbar -->
<div class="navbar navbar-inverse-anon navbar-static-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand-anon" href="\index.html">The Nihilism Opsec Blog</a>
</div>
<div class="navbar-collapse collapse">
<ul class="nav navbar-nav navbar-right">
<li><a href="/about.html">About</a></li>
<li><a href="/blog.html">Categories</a></li>
<li><a href="/contact.html">Contact</a></li>
</ul>
</div><!--/.nav-collapse -->
</div>
</div>
<!-- +++++ Posts Lists +++++ -->
<!-- +++++ First Post +++++ -->
<div id="anon1">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<a href="../index.html">Previous Page</a></br></br><p><img src="../../assets/img/user.png" width="50px" height="50px"> <ba>nihilist@mainpc - 2024-11-03</ba></p>
<h1>Using the Host-OS in live-mode to prepare for long-term Sensitive Use </h1>
<img src="../deniability/7.png" class="imgRz">
<p><h2><u>OPSEC Recommendations:</u></h2></p>
<ol>
<li><p>Hardware : (Personal Computer / Laptop)</p></li>
<li><p>System Harddrive: not LUKS encrypted <a href="https://www.kicksecure.com/wiki/Ram-wipe">[1]</a></p></li>
<li><p>Non-System Harddrive: 500Gb (will be used to contain our <a href="../veracrypt/index.html">Veracrypt</a> encrypted volumes)</p></li>
<li><p>Host OS: <a href="../linux/index.html">Linux</a></p></li>
<li><p>Hypervisor: <a href="../hypervisorsetup/index.html">QEMU/KVM</a></p></li>
</ol>
<p><img src="../logos/daturagit.png" style="width:100px"> <u>Sidenote:</u> Help us improve this tutorial by letting us know if there's anything missing or incorrect on this <a href="http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/160">git issue</a> directly!</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /grey -->
<!-- +++++ Second Post +++++ -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>What is the usecase ?</b></h2>
<p>The main usecase of using your Host OS in live mode, is that you want to use it for long term sensitive activities (meaning, you want to save sensitive files on a harddrive). <b>As you're going to see, using the Host OS in live mode is effectively a hard requirement for deniability</b>.</p>
<p>When we are talking sensitive use, we are talking about our need of Deniability. Which means that we need to use deniable encryption using <a href="../veracrypt/index.html">Veracrypt's hidden volumes</a>:</p>
<img src="../deniability/5.png" class="imgRz">
<p>In theory it is impossible to prove the existence of the hidden volume by itself once it is closed, <b>and if there is no proof of it's existence our deniability is maintained.</b> </p>
<p>But the issue is that we have more variables that we also need to keep under control, on the Host OS side you have <b>system logs, kernel logs</b>, the various other <b>non-standard log files</b> that software is writing on the disk, and even <b>the content of the RAM itself</b> can be used to prove the existence of a hidden volume.</p>
<img src="3.png" class="imgRz">
<p>Now when you are using your computer for regular public, private and anonymous activities, normally you don't need to care about those things. But the Host OS is a potential goldmine of forensic evidence to be used against you, <b>so for sensitive use specifically we need to take care of it.</b></p>
<p>Now you could start to manually erase all logs, all kernel logs, all non-standard system logs, manually overwrite the RAM contents, but this is going to be way too tedious and you're likely to miss something. So we have one simple solution: <b>use the Host OS in live mode</b>.</p>
<p>Thanks to live mode, <b>we are able to load the entire Host OS in RAM directly</b>, allowing us to avoid writing anything on the system disk (no system logs, no kernel logs, no non-standard logs, <b>only ram contents to worry about</b>)</p>
<p>And since everything is loaded inside the RAM, <b>all we need is to reboot the computer to wipe all of the RAM contents</b>, effectively <b>erase all forensic evidence (and all potential forensic evidence) of the existence of the hidden volume in one simple action.</b></p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon1">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Using Live Mode from the System Drive</b></h2> </br> </br>
<p>⚠️ <u>Deniability Disclaimer:</u> <b>This setup is only suitable if the adversary can be told that you are using Kicksecure, with the ram-wipe and grub-live packages, without it being a reason to throw you in jail. Do not proceed if that's the case.</b> ⚠️</p>
<img src="4.png" class="imgRz">
<p>If the adversary won't put you in jail for having Kicksecure on the system drive, you can proceed to install Kickstart's apt repository to have the grub-live and ram-wipe packages:</p>
<pre><code class="nim">
nothing@debian-tests:~$ su -
Password:
root@debian-tests:~# wget https://www.kicksecure.com/keys/derivative.asc
--2024-11-04 07:22:22-- https://www.kicksecure.com/keys/derivative.asc
Resolving www.kicksecure.com (www.kicksecure.com)... 95.216.66.124, 64:ff9b::5fd8:427c
Connecting to www.kicksecure.com (www.kicksecure.com)|95.216.66.124|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 77312 (76K) [application/octet-stream]
Saving to: derivative.asc
derivative.asc 100%[=====================================>] 75.50K --.-KB/s in 0.1s
2024-11-04 07:22:22 (794 KB/s) - derivative.asc saved [77312/77312]
root@debian-tests:~# sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
root@debian-tests:~# echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bookworm main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bookworm main contrib non-free
root@debian-tests:~# sudo apt-get update -y
Hit:1 http://security.debian.org/debian-security bookworm-security InRelease
Hit:2 http://deb.debian.org/debian bookworm InRelease
Hit:3 http://deb.debian.org/debian bookworm-updates InRelease
Get:4 https://deb.kicksecure.com bookworm InRelease [62.0 kB]
Get:5 https://deb.kicksecure.com bookworm/main amd64 Packages [37.6 kB]
Get:6 https://deb.kicksecure.com bookworm/contrib amd64 Packages [509 B]
Get:7 https://deb.kicksecure.com bookworm/non-free amd64 Packages [917 B]
Fetched 101 kB in 1s (73.7 kB/s)
Reading package lists... Done
</code></pre>
<p>Then we install the grub-live package, and the ram-wipe package <b>(warning, the ram-wipe package may cause your system to fail to boot in case if you encrypted the system drive using LUKS, click <a href="https://www.kicksecure.com/wiki/Ram-wipe">here</a> for more details on this)</b>. Therefore i recommend having the <a href="../linux/index.html">Host OS</a> system drive not encrypted until dracut supports LUKS encryption, but it shouldn't matter though, as the actual VMs that we'll be running will be on a non-system drive, which will be manually kept in <a href="../veracrypt/index.html">deniable encryption</a>.</p>
<pre><code class="nim">
root@debian-tests:~# apt install grub-live ram-wipe -y
</pre></code>
<p>Once that's done, let's take a quick look at the mounted drives using the lsblk command:</p>
<pre><code class="nim">
nothing@debian-tests:~$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sr0 11:0 1 1024M 0 rom
vda 254:0 0 20G 0 disk
<b>├─vda1 254:1 0 19G 0 part /</b>
├─vda2 254:2 0 1K 0 part
└─vda5 254:5 0 975M 0 part [SWAP]
vdb 254:16 0 1G 0 disk
</code></pre>
<p>As you can see here, we are not yet in live mode, so you can see the vda1 system drive mounted in the root directory, meaning that by default everything that is written on the disk by the Host OS is actually being written into the disk, rather than the RAM. So let's reboot to get into live mode:</p>
<pre><code class="nim">
root@debian-tests:~# reboot now
</code></pre>
<p>and then when you reboot your host OS, you should see that there is a new boot option to choose from grub:</p>
<img src="../deniability/7.png" class="imgRz">
<p>So we select it to boot into the OS, and then we're in live mode!</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Using Live Mode from a USB Stick</b></h2> </br> </br>
<p>⚠️ <u>Deniability Disclaimer:</u> <b>This setup is suitable if the adversary cannot be told that you are using Kicksecure, with the ram-wipe and grub-live packages, without it being a reason to throw you in jail.</b> ⚠️</p>
<p>If you are in the usecase where the adversary cannot be told that you are using kicksecure, <b>there is an innocent way of using live mode, by using a usb stick with the debian iso flashed on it</b>:</p>
<img src="7.png" class="imgRz">
<p>In order to have a USB stick with a debian iso flashed on it, we're going to copy the "how to install linux" tutorial i wrote <a href="../linux/index.html">here</a>, except that we're not going to use the netinstall debian iso file, but rather we'll use one of the <a href="https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/">"debian-live"</a> ISOs :</p>
<img src="8.png" class="imgRz">
<p>Then you can use dd to flash the iso on your usb stick:</p>
<pre><code class="nim">
nihilist@mainpc:~$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
[...]
sdc 8:32 1 14.6G 0 disk
└─sdc1 8:33 1 14.6G 0 part /media/nihilist/024F-D7E6
[...]
nihilist@mainpc:~$ umount /media/nihilist/024F-D7E6
nihilist@mainpc:~$ sudo dd bs=4M if=debian-live-12.8.0-amd64-cinnamon.iso of=/dev/sdc status=progress oflag=sync
3384803328 bytes (3.4 GB, 3.2 GiB) copied, 165 s, 20.5 MB/s
810+1 records in
810+1 records out
3399122944 bytes (3.4 GB, 3.2 GiB) copied, 165.953 s, 20.5 MB/s
</pre></code>
<p>once you have the USB stick with debian on it, simply plug it in your computer, reboot your computer, and then boot on the usb stick after entering the BIOS/UEFI:</p>
<img src="../linux/18.png" class="imgRz">
<img src="../linux/19.png" class="imgRz">
<img src="../linux/20.png" class="imgRz">
<img src="../linux/21.png" class="imgRz">
<p>Next, select the usb key and then you can boot on it by choosing the <b>"Live system" option:</b> </p>
<img src="9.png" class="imgRz">
<img src="10.png" class="imgRz">
<p>And here as you can see we successfully entered livemode by booting into debian from the usb key directly, and we are able to see the other drives that are on the computer, without writing any data on them.</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<!-- +++++ Second Post +++++ -->
<div id="anon1">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Testing Live Mode</b></h2> </br> </br>
<p>now we're back into the host OS in live mode, let's first open a terminal and validate that we are in live mode by running lsblk:</p>
<pre><code class="nim">
nothing@debian-tests:~$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sr0 11:0 1 1024M 0 rom
vda 254:0 0 20G 0 disk
<b>├─vda1 254:1 0 19G 0 part /usr/lib/live/mount/medium
│ /usr/lib/live/mount/rootfs/filesystem
│ /run/live/medium
│ /run/live/rootfs/filesystem</b>
├─vda2 254:2 0 1K 0 part
└─vda5 254:5 0 975M 0 part [SWAP]
vdb 254:16 0 1G 0 disk
</code></pre>
<p>Here you can see that we have the <b>/dev/vda1 system drive</b> mounted under the <b>/run/live</b> and <b>/usr/lib/live</b> directories, so basically now everything that is normally being written into the system disk (like system logs, kernel logs, non-standard logs, and every other file) <b>is instead being written into the RAM, and not writing on the system disk at all.</b> </p>
<p>To test this, we'll create a file in the system drive:</p>
<pre><code class="nim">
nothing@debian-tests:~$ vim test.txt
nothing@debian-tests:~$ cat test.txt
THis has been written in the system disk vda1 from live mode !
</code></pre>
<p>and then we will create a file in the <b>non-system drive /dev/vdb</b> (which contains a <a href="../veracrypt/index.html">veracrypt</a> hidden volume):</p>
<img src="1.png" class="imgRz">
<pre><code class="nim">
nothing@debian-tests:~$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sr0 11:0 1 1024M 0 rom
vda 254:0 0 20G 0 disk
├─vda1 254:1 0 19G 0 part /usr/lib/live/mount/medium
│ /usr/lib/live/mount/rootfs/filesystem
│ /run/live/medium
│ /run/live/rootfs/filesystem
├─vda2 254:2 0 1K 0 part
└─vda5 254:5 0 975M 0 part [SWAP]
<b>vdb 254:16 0 1G 0 disk
└─veracrypt1 253:0 0 499.9M 0 dm /media/veracrypt1</b>
nothing@debian-tests:~$ cd /media/veracrypt1/
nothing@debian-tests:/media/veracrypt1$ ls
lost+found
nothing@debian-tests:/media/veracrypt1$ vim test2.txt
nothing@debian-tests:/media/veracrypt1$ cat test2.txt
this is a test file written from live mode, into a non-system drive!
</code></pre>
<p>Then we simply reboot into the system-drive host OS in regular non-live mode to check if our first test file on the system drive is gone, and if the second test file on the non-system drive has been effectively saved:</p>
<img src="2.png" class="imgRz">
<p>And then we check that the first test file we created in the system drive is effectively not there anymore:</p>
<pre><code class="nim">
nothing@debian-tests:~$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sr0 11:0 1 1024M 0 rom
vda 254:0 0 20G 0 disk
├─vda1 254:1 0 19G 0 part /
├─vda2 254:2 0 1K 0 part
└─vda5 254:5 0 975M 0 part [SWAP]
vdb 254:16 0 1G 0 disk
└─veracrypt1 253:0 0 499.9M 0 dm /media/veracrypt1
nothing@debian-tests:~$ cat test.txt
cat: test.txt: No such file or directory
</code></pre>
<p>And then we check if the file we created in the non-system veracrypt hidden volume is effectively still there:</p>
<pre><code class="nim">
nothing@debian-tests:~$ cat /media/veracrypt1/test2.txt
this is a test file written from live mode, into a non-system drive!
</code></pre>
<p>And that's it ! we have now validated that running the Host OS in live mode could protect our veracrypt hidden volume's existence from being proven, protecting our deniability. </p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Emergency Shutdown Script</b></h2> </br> </br>
<p>Now in order to make sure we can shutdown the Host OS quickly and fine-tune the shutdown sequence later depending on our needs, we can setup an emergency shutdown script, that can be ran by a non-root user in order to immediately shutdown the Host OS whenever we need it.</p>
<p>⚠️ <u>Deniability Disclaimer:</u> Proceed with the following part <b>in the system-drive outside of live mode, only if you can afford the adversary to see that you have an emergency shutdown script.</b> <u>If that is not an option, you're going to have to do this part manually every time you boot into live mode.</u> (meaning that upon rebooting, there won't be any emergency shutdown script to be found) ⚠️</p>
<p>First we need to make sure the user is able to run the shutdown command:</p>
<pre><code class="nim">
nothing@debian:~$ su -
Password:
root@debian:~# visudo
[...]
nothing ALL=NOPASSWD:/sbin/shutdown
nothing ALL=NOPASSWD:/sbin/reboot
[...]
</pre></code>
<p>Then we create a simple shutdown.sh script:</p>
<pre><code class="nim">
nothing@debian:~$ vim shutdown.sh
nothing@debian:~$ cat shutdown.sh
#!/bin/bash
/sbin/shutdown -h now
nothing@debian:~$ chmod +x shutdown.sh
</pre></code>
<p>Then, you need to hook it up to a shortcut, such as <b>Super+R</b>, i'm going to do it in Cinnamon as this is the Desktop Environment i use:</p>
<img src="5.png" class="imgRz">
<img src="6.png" class="imgRz">
<p>And thats it! you now you have a shortcut that you can use to immediately shutdown the Host OS.</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon1">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Emergency Shutdown Script for live USB users</b></h2> </br> </br>
<p>⚠️ <u>Deniability Disclaimer:</u> Proceed with the following part <b>if you can't afford the adversary to find out that you have an emergency shutdown script.</b> ⚠️</p>
<p>If you are in this usecase, since you're going to have to do this setup at every bootup, you want to speed up the initial setup as much as you can, to help with that i recommend storing your sensitive use scripts on <a href="../anonymousremoteserver/index.html">a non-KYC VPS</a>, because that way, you only have to remember the IP of the VPS, and how to login there:</p>
<pre><code class="nim">
nothing@debian:~$ ssh root@65.109.30.253
root@65.109.30.253's password:
Linux Datura 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Web console: https://localhost.localdomain:9090/ or https://65.109.30.253:9090/
You have mail.
Last login: Sat Nov 30 14:42:04 2024 from 91.90.40.175
[ Datura ] [ /dev/pts/0 ] [~]
→ mkdir sensitive_scripts
[ Datura ] [ /dev/pts/0 ] [~]
→ cd sensitive_scripts
[ Datura ] [ /dev/pts/0 ] [~/sensitive_scripts]
→ vim shutdown.sh
[ Datura ] [ /dev/pts/0 ] [~/sensitive_scripts]
→ cat shutdown.sh
#!/bin/bash
/sbin/shutdown -h now
</pre></code>
<p>The idea being that you manually get your scripts from the VPS upon each boot into live mode, that way you don't need to rewrite them from scratch every time, <b>and especially you are not storing them anywhere locally, where the adversary could find them</b> </p>
<p>To download the script you can simply run a scp command to download your scripts via SSH directly:</p>
<pre><code class="nim">
nothing@debian:~$ scp root@65.109.30.253:/root/sensitive_scripts/shutdown.sh .
root@65.109.30.253's password:
shutdown.sh 100% 35 0.3KB/s 00:00
nothing@debian:~$ cat shutdown.sh
#!/bin/bash
/sbin/shutdown -h now
nothing@debian:~$ chmod +x shutdown.sh
</pre></code>
<p>Now from here onwards, the setup is the as described above, you need to manually configure the shortcut to be able to use the shutdown script.</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<!-- +++++ Footer Section +++++ -->
<div id="anonb">
<div class="container">
<div class="row">
<div class="col-lg-4">
<h4>Nihilism</h4>
<p>
Until there is Nothing left.</p></br></br><p>Creative Commons Zero: <a href="../../../../opsec/runtheblog/index.html">No Rights Reserved</a></br><img src="\CC0.png">
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4>My Links</h4>
<p>
<a target="_blank" rel="noopener noreferrer" href="http://blog.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/rss/feed.xml">RSS Feed</a><br/><a target="_blank" rel="noopener noreferrer" href="http://nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/simplex.html">SimpleX Chatrooms</a><br/>
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4>About nihilist</h4>
<p style="word-wrap: break-word;"><u>Donate XMR:</u> 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8</p></br>
</div><!-- /col-lg-4 -->
</div>
</div>
</div>
<!-- Bootstrap core JavaScript
================================================== -->
<!-- Placed at the end of the document so the pages load faster -->
</body>
</html>