blog-contributions/opsec/livemode/index.html
2025-04-01 12:26:58 +02:00


<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="">
<link rel="shortcut icon" href="../../../../../../assets/img/favicon.png">
<title>Using the Host-OS in live-mode to enable Sensitive Use</title>
<!-- Bootstrap core CSS -->
<link href="../../assets/css/bootstrap.css" rel="stylesheet">
<link href="../../assets/css/xt256.css" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="../../assets/css/main.css" rel="stylesheet">
<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
<script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script>
<![endif]-->
</head>
<body>
<!-- Static navbar -->
<div class="navbar navbar-inverse-anon navbar-static-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand-anon" href="\index.html">The Nihilism Opsec Blog</a>
</div>
<div class="navbar-collapse collapse">
<ul class="nav navbar-nav navbar-right">
<li><a href="/about.html">About</a></li>
<li><a href="/blog.html">Categories</a></li>
<li><a href="/contact.html">Contact</a></li>
</ul>
</div><!--/.nav-collapse -->
</div>
</div>
<!-- +++++ Posts Lists +++++ -->
<!-- +++++ First Post +++++ -->
<div id="anon3">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<a href="../index.html">Previous Page</a><br><br><p><img src="../../assets/img/user.png" width="50px" height="50px"> <ba>nihilist - 01 / 04 / 2025</ba></p>
<h1>Using the Host-OS in live-mode to enable Sensitive Use (April 2024 Update) </h1>
<img src="0.png" class="imgRz">
<p>In this tutorial we're going to cover how to use live mode and ram-wipe from inside Kicksecure to enable long-term sensitive use.</p>
<p><img src="../logos/daturagit.png" style="width:100px"> <u>Sidenote:</u> Help us improve this tutorial by letting us know if there's anything missing or incorrect on this <a href="http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/160">git issue</a> directly!</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /grey -->
<!-- +++++ Second Post +++++ -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>What is the use case?</b></h2>
<p>The main use case for running your Host OS in live mode is long-term sensitive activity (meaning you want to keep sensitive files on a hard drive). <b>As you're going to see, using the Host OS in live mode is effectively a hard requirement for deniability</b>.</p>
<p>When we talk about sensitive use, we are talking about our need for deniability, which means we need deniable encryption in the form of <a href="../veracrypt/index.html">Veracrypt's hidden volumes</a>:</p>
<img src="../deniability/5.png" class="imgRz">
<p>In theory it is impossible to prove the existence of the hidden volume by itself once it is closed, <b>and if there is no proof of its existence, our deniability is maintained.</b> </p>
<p>But there are more variables that we also need to keep under control: on the Host OS side you have <b>system logs, kernel logs</b>, the various <b>non-standard log files</b> that software writes to the disk, and even <b>the contents of the RAM itself</b>, all of which can be used to prove the existence of a hidden volume.</p>
<img src="3.png" class="imgRz">
<p>Now when you are using your computer for regular public, private and anonymous activities, normally you don't need to care about those things. But the Host OS is a potential goldmine of forensic evidence to be used against you if the device were to be seized, <b>so for sensitive use specifically we need to take care of it.</b></p>
<p>Now you could start to manually erase all logs, all kernel logs, all non-standard system logs, manually overwrite the RAM contents, but this is going to be way too tedious and you're likely to miss something. So we have one simple solution: <b>use the Host OS in live mode</b>.</p>
<p>Thanks to live mode, <b>we are able to load the entire Host OS into RAM directly</b>, allowing us to avoid writing anything to the system disk (no system logs, no kernel logs, no non-standard logs, <b>only RAM contents to worry about</b>).</p>
<p>And since everything is loaded into RAM, <b>all we need is to reboot the computer to wipe all of the RAM contents</b>, <b>erasing all forensic evidence (and all potential forensic evidence) of the existence of the hidden volume in one simple action.</b></p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<!-- +++++ Second Post +++++ -->
<div id="anon3">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Using Live Mode from the System Drive</b></h2> <br> <br>
<p>⚠️ <u>Deniability Disclaimer:</u> <b>This setup is only suitable if the adversary can be told that you are using Kicksecure, without it being a reason to throw you in jail. Do not proceed if that's the case.</b> ⚠️</p>
<img src="4.png" class="imgRz">
<p>If you have followed the <a href="../linux/index.html">"How to install Kicksecure as a Host OS"</a> tutorial, you already have the correct base to work on, since the operating system comes with the capability to enter Live mode from the grub boot menu: </p>
<img src="11.png" class="imgRz">
<p>To enter live mode, we simply restart the computer, and select the following boot entry:</p>
<img src="12.png" class="imgRz">
<p>Then, as usual, enter your passphrase to unlock your encrypted system drive:</p>
<img src="../linux/53.png" class="imgRz">
<p>And then once you boot back into your Host OS, you can run <b>lsblk</b> from a terminal to confirm that you are in live mode:</p>
<img src="13.png" class="imgRz">
<pre><code class="nim">
[user ~]% lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sr0 11:0 1 1024M 0 rom
vda 253:0 0 200G 0 disk
├─vda1 253:1 0 4G 0 part /boot
└─vda2 253:2 0 196G 0 part
  └─luks-24351c83-3657-4142-82d2-8f8a5787f406 254:0 0 196G 0 crypt /live/image
vdb 253:16 0 20G 0 disk
└─vdb1 253:17 0 20G 0 part
</code></pre>
<p>As you can see, <b>the system drive /dev/vda is mounted in the /live/image mountpoint</b>, which confirms that we are now in live mode!</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Testing Live Mode</b></h2> <br> <br>
<p>The main point of using live mode is that everything you write onto the system disk gets wiped upon reboot, so let's test the following:</p>
<img src="14.png" class="imgRz">
<p>We'll write the TestA.txt file onto the system drive, and the TestB.txt file onto a non-system drive:</p>
<pre><code class="nim">
[user ~]% vim /home/user/TestA.txt
[user ~]% cat /home/user/TestA.txt
this is Test A: this file should no longer exist upon rebooting.
(because it sits on the system drive, while in livemode, meaning it's loaded in RAM)
[user ~]% sudo mkdir /mnt/externaldisk
[user ~]% sudo mount /dev/vdb1 /mnt/externaldisk
[user ~]% sudo vim /mnt/externaldisk/TestB.txt
[user ~]% cat /mnt/externaldisk/TestB.txt
This is test B: the file should remain after rebooting, because it sits on a non-system drive
</code></pre>
<p><b>The test passes if, upon rebooting, TestA.txt no longer exists and TestB.txt still does, because one sits on the system drive and the other does not.</b> So let's reboot the host OS to test that:</p>
<pre><code class="nim">
[user ~]% sudo reboot now
</code></pre>
<img src="15.png" class="imgRz">
<img src="../linux/53.png" class="imgRz">
<p>And once booted in we check if TestA.txt has indeed disappeared, and if TestB.txt is still there:</p>
<pre><code class="nim">
[user ~]% cat TestA.txt
cat: TestA.txt: No such file or directory
[user ~]% mount /dev/vdb1 /mnt/externaldisk
[user ~]% sudo mkdir /mnt/externaldisk
[user ~]% sudo mount /dev/vdb1 /mnt/externaldisk
[user ~]% cat /mnt/externaldisk/TestB.txt
This is test B: the file should remain after rebooting, because it sits on a non-system drive
</code></pre>
<p>And that's it! We have now validated that the TestA.txt file that was on the system drive while on live mode no longer exists after rebooting, and that the TestB.txt file on the non-system drive still exists, which validates that live mode works as intended.</p>
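<p>The two checks above (the lsblk look for the /live/image mountpoint, and the TestA.txt / TestB.txt persistence test) can be scripted so they are repeatable after every reboot. The script below is an added example written for this page; it is not a script from the tutorial or from Kicksecure. It assumes the same paths as the session above (/home/user/TestA.txt on the system drive, /mnt/externaldisk/TestB.txt on the external disk) and that util-linux's lsblk is available; the lsblk text used to check it is a constructed copy of the output shown earlier.</p>

```bash
#!/bin/bash
# livemode-selfcheck.sh: added example, not a script from the tutorial or from Kicksecure.
# Automates the two checks above: (1) confirm the host booted in live mode by looking
# for the /live/image mountpoint in lsblk output, and (2) after a reboot, confirm that a
# marker file on the system drive is gone while one on a non-system drive survived.
# Assumed paths (from the tutorial's session): /home/user/TestA.txt, /mnt/externaldisk/TestB.txt.

# Return 0 when the given lsblk output contains a /live/image mountpoint.
# Takes the text as an argument so it can also be checked against a captured copy.
is_live_mode() {
    printf '%s\n' "$1" | grep -qE '[[:space:]]/live/image([[:space:]]|$)'
}

# Query the running system (util-linux lsblk) and print a verdict.
report_live_mode() {
    if is_live_mode "$(lsblk 2>/dev/null)"; then
        echo "live mode: the system drive is mounted at /live/image"
    else
        echo "NOT in live mode: anything written to the system drive will persist"
        return 1
    fi
}

# Step 1 (before the reboot): write the two marker files.
# $1 = path on the system drive, $2 = path on the non-system drive
write_markers() {
    printf 'Test A: should no longer exist after rebooting (held in RAM in live mode)\n' > "$1"
    printf 'Test B: should still exist after rebooting (sits on a non-system drive)\n' > "$2"
}

# Step 2 (after the reboot): pass only if the system-drive marker is gone AND the
# non-system-drive marker is still there; otherwise say which expectation failed.
check_persistence() {
    local rc=0
    if [ -e "$1" ]; then
        echo "FAIL: $1 still exists, so system-drive writes were persisted (not in live mode?)"
        rc=1
    fi
    if [ ! -e "$2" ]; then
        echo "FAIL: $2 is missing, so the non-system drive was not mounted or not written"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS: live mode discarded the system-drive write and kept the other"
    return "$rc"
}

# Command-line use: ./livemode-selfcheck.sh status | write | check
case "${1:-}" in
    status) report_live_mode ;;
    write)  write_markers /home/user/TestA.txt /mnt/externaldisk/TestB.txt ;;
    check)  check_persistence /home/user/TestA.txt /mnt/externaldisk/TestB.txt ;;
esac
```

<p>Run <b>./livemode-selfcheck.sh status</b> after unlocking the drive, <b>write</b> once the external disk is mounted, reboot, remount the external disk and run <b>check</b>. A FAIL on TestA.txt means the system drive was writable, i.e. the wrong grub entry was chosen; a FAIL on TestB.txt usually just means the external disk was not remounted before the check.</p>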
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<!-- +++++ Second Post +++++ -->
<div id="anon1">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Wiping RAM upon reboots</b></h2> <br> <br>
<p>Now to make sure that the data doesn't sit in the memory sticks when the computer is rebooting (meaning to prevent cold-boot attacks), we make sure that the RAM gets wiped upon reboot, thanks to Kicksecure's <a href="https://www.kicksecure.com/wiki/Ram-wipe">ram-wipe</a> package:</p>
<pre><code class="nim">
[user ~]% sudo apt install ram-wipe -y
</code></pre>
<p>Once installed, you can see it in action upon rebooting:</p>
<pre><code class="nim">
[user ~]% sudo reboot now
</code></pre>
<img src="16.png" class="imgRz">
<p>Here, as you can see, the TTY output tells us that the RAM contents are being wiped. It also notes that it is fine to proceed when the boot sequence asks you to unlock your system drive: </p>
<img src="17.png" class="imgRz">
<p>Cold boot attacks (freezing the memory sticks so that their data remains intact, then attempting to boot into the OS from the data contained in those RAM sticks alone) are a very unlikely attack, but one that could happen when an adversary busts down your door to try and seize your devices:</p>
<img src="../cloud_provider_adversary/7.png" class="imgRz">
<p> But thanks to the ram-wipe mechanism we just implemented, as long as you make the host OS reboot before the adversary manages to put their hands on the computer, you are protected against that scenario as well. </p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<!-- +++++ Second Post +++++ -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Emergency Reboot Shortcut</b></h2> <br> <br>
<p>However there's a problem. Right now to reboot you need to click the desktop menu, click log out, and then click restart:</p>
<img src="11.png" class="imgRz">
<p>Obviously, when you have an adversary busting down your door, you don't have time to aim with your mouse and click 3 times to reboot your computer. Therefore, <b>to speed up the process of rebooting, we implement a simple reboot bash script that we'll trigger with a single keystroke, thanks to a shortcut we configure:</b></p>
<pre><code class="nim">
[user ~]% vim reboot.sh
[user ~]% cat reboot.sh
#!/bin/bash
/usr/bin/sudo /usr/sbin/reboot now
[user ~]% chmod +x ./reboot.sh
</code></pre>
<p>And we make sure that we can trigger it by pressing a single keystroke (right control):</p>
<pre><code class="nim">
xfconf-query -c xfce4-keyboard-shortcuts -n -t 'string' -p '/commands/custom/Control_R' -s /home/user/reboot.sh
</code></pre>
<p>And that's it! <b>Now thanks to that setup, pressing the Right Control key is all you need</b> to reboot your Host OS, to effectively exit live mode, wipe off all the temporary disk writes that have been made on the system drive, AND also wipe off the RAM contents, <b>effectively making sure that there cannot be any trace left of what you were doing, while in live mode.</b></p>
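<p>The reboot.sh above does one thing: reboot. An added example follows, a hardened variant written for this page and not the tutorial's own script, that does the same job but first dismounts any open Veracrypt volume and the external disk (so their filesystems are left consistent and the hidden volume is not left open), flushes pending writes, and warns if the host is not actually in live mode. Two assumptions are not taken from the tutorial: the external disk is mounted at /mnt/externaldisk, and sudo must run these commands without prompting for a password, because a command started from a keyboard shortcut has no terminal in which a password could be typed (the original reboot.sh has the same requirement).</p>

```bash
#!/bin/bash
# emergency-reboot.sh: added example, a hardened variant of the tutorial's reboot.sh,
# not the original script. Bound to the same single key, it (1) warns if the host is not
# in live mode, (2) dismounts Veracrypt volumes and the external disk so their filesystems
# are left consistent, (3) flushes pending writes with sync, (4) reboots; ram-wipe then
# takes care of the RAM.
# Assumptions not taken from the tutorial: the external disk is mounted at /mnt/externaldisk,
# and sudo runs these commands without prompting, since a keyboard shortcut has no terminal
# in which a password could be typed.

EXTERNAL_MOUNT="${EXTERNAL_MOUNT:-/mnt/externaldisk}"
REBOOT_CMD="${REBOOT_CMD:-/usr/bin/sudo /usr/sbin/reboot}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands instead of running them

# Live mode mounts the system drive at /live/image (as lsblk showed above).
in_live_mode() {
    findmnt -rn /live/image >/dev/null 2>&1
}

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: $*"
    else
        "$@"
    fi
}

# Close the encrypted container(s) and the external disk before rebooting. --force
# dismounts even with files still open, which is the right trade-off in an emergency.
close_volumes() {
    if command -v veracrypt >/dev/null 2>&1; then
        run /usr/bin/sudo veracrypt --text --dismount --force || true
    fi
    if findmnt -rn "$EXTERNAL_MOUNT" >/dev/null 2>&1; then
        run /usr/bin/sudo umount "$EXTERNAL_MOUNT" || true
    fi
    run sync
}

emergency_reboot() {
    if ! in_live_mode; then
        echo "warning: not in live mode, writes on the system drive will survive this reboot" >&2
    fi
    close_volumes
    # Word-splitting of REBOOT_CMD is intended (sudo binary + reboot binary).
    run $REBOOT_CMD
}

# Only act when invoked with "go", so the shortcut command becomes:
#   /home/user/emergency-reboot.sh go
case "${1:-}" in
    go) emergency_reboot ;;
esac
```

<p>To bind it exactly like the original, point the xfconf-query command above at <b>'/home/user/emergency-reboot.sh go'</b> instead of /home/user/reboot.sh. Running it once with <b>DRY_RUN=1 ./emergency-reboot.sh go</b> from a terminal shows every command it would execute without rebooting, which is the way to confirm the shortcut is wired up correctly before relying on it.</p>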
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<!-- +++++ Footer Section +++++ -->
<div id="anonb">
<div class="container">
<div class="row">
<div class="col-lg-4">
<h4>Nihilism</h4>
<p>
Until there is Nothing left.</p><br><br><p>Creative Commons Zero: <a href="../../../../opsec/runtheblog/index.html">No Rights Reserved</a><br><img src="\CC0.png">
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4>My Links</h4>
<p>
<a target="_blank" rel="noopener noreferrer" href="http://blog.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/rss/feed.xml">RSS Feed</a><br/><a target="_blank" rel="noopener noreferrer" href="http://nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/simplex.html">SimpleX Chatrooms</a><br/>
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4>About nihilist</h4>
<p style="word-wrap: break-word;"><u>Donate XMR:</u> 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8</p><br>
</div><!-- /col-lg-4 -->
</div>
</div>
</div>
<!-- Bootstrap core JavaScript
================================================== -->
<!-- Placed at the end of the document so the pages load faster -->
</body>
</html>