<p>The main usecase of using your Host OS in live mode, is that you want to use it for long term sensitive activities (meaning, you want to save sensitive files on a harddrive). <b>As you're going to see, using the Host OS in live mode is effectively a hard requirement for deniability</b>.</p>
<p>When we are talking sensitive use, we are talking about our need of Deniability. Which means that we need to use deniable encryption using <ahref="../veracrypt/index.html">Veracrypt's hidden volumes</a>:</p>
<imgsrc="../deniability/5.png"class="imgRz">
<p>In theory it is impossible to prove the existence of the hidden volume by itself once it is closed, <b>and if there is no proof of it's existence our deniability is maintained.</b></p>
<p>But the issue is that we have more variables that we also need to keep under control, on the Host OS side you have <b>system logs, kernel logs</b>, the various other <b>non-standard log files</b> that software is writing on the disk, and even <b>the content of the RAM itself</b> can be used to prove the existence of a hidden volume.</p>
<p>Now when you are using your computer for regular public, private and anonymous activities, normally you don't need to care about those things. But the Host OS is a potential goldmine of forensic evidence to be used against you, <b>so for sensitive use specifically we need to take care of it.</b></p>
<p>Now you could start to manually erase all logs, all kernel logs, all non-standard system logs, manually overwrite the RAM contents, but this is going to be way too tedious and you're likely to miss something. So we have one simple solution: <b>use the Host OS in live mode</b>.</p>
<p>TODO: graph (regular host OS writes on system disk, and has contents in RAM, while live mode host OS does not write on system disk, and has everything in RAM) </p>
<p>Thanks to live mode, <b>we are able to load the entire Host OS in RAM directly</b>, allowing us to avoid writing anything on the system disk (no system logs, no kernel logs, no non-standard logs, <b>only ram contents to worry about</b>)</p>
<p>And since everything is loaded inside the RAM, <b>all we need is to reboot the computer to wipe all of the RAM contents</b>, effectively <b>erase all forensic evidence (and all potential forensic evidence) of the existence of the hidden volume in one simple action.</b></p>
<p>As you can see here, we are not yet in live mode, so you can see the vda1 system drive mounted in the root directory, meaning that by default everything that is written on the disk by the Host OS is actually being written into the disk, rather than the RAM. So let's reboot to get into live mode:</p>
<p>Here you can see that we have the <b>/dev/vda1 system drive</b> mounted under the <b>/run/live</b> and <b>/usr/lib/live</b> directories, so basically now everything that is normally being written into the system disk (like system logs, kernel logs, non-standard logs, and every other file) <b>is instead being written into the RAM, and not writing on the system disk at all.</b></p>
<p>To test this, we'll create a file in the system drive:</p>
<p>Then we simply reboot the host OS into regular non-live mode to check if our first test file on the system drive is gone, and if the second test file on the non-system drive has been effectively saved:</p>
<imgsrc="2.png"class="imgRz">
<imgsrc=""class="imgRz">
<p>And then we check that the first test file we created in the system drive is effectively not there anymore:</p>
this is a test file written from live mode, into a non-system drive!
</code></pre>
<p>And that's it ! we have now validated that running the Host OS in live mode could protect our veracrypt hidden volume's existence from being proven, protecting our deniability. </p>