blog-contributions/opsec/sensitivevm/index.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="">
<link rel="shortcut icon" href="../../../../../../assets/img/favicon.png">
<title>Sensitive use VMs Setup (Whonix VMs in a Veracrypt Hidden Volume)</title>
<!-- Bootstrap core CSS -->
<link href="../../assets/css/bootstrap.css" rel="stylesheet">
<link href="../../assets/css/xt256.css" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="../../assets/css/main.css" rel="stylesheet">
<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
<script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script>
<![endif]-->
</head>
<body>
<!-- Static navbar -->
<div class="navbar navbar-inverse-anon navbar-static-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand-anon" href="/index.html">The Nihilism Blog</a>
</div>
<div class="navbar-collapse collapse">
<ul class="nav navbar-nav navbar-right">
<li><a href="/about.html">About</a></li>
<li><a href="/blog.html">Categories</a></li>
<li><a href="https://blog.nowhere.moe/donate.html">Donate</a></li>
<li><a href="/contact.html">Contact</a></li>
</ul>
</div><!--/.nav-collapse -->
</div>
</div>
<!-- +++++ Posts Lists +++++ -->
<!-- +++++ First Post +++++ -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<a href="../index.html">Previous Page</a></br></br><p><img src="../../assets/img/user.png" width="50px" height="50px"> <ba>nihilist@mainpc - 2024-10-29</ba></p>
<h1>Sensitive use VMs Setup (Whonix VMs in a Veracrypt Hidden Volume) </h1>
<img src="0.png" class="imgRz">
<p>In this tutorial we're going to cover how to set up Whonix VMs for Sensitive use. This means that our <a href="../opsec4levels/index.html">OPSEC requirement</a> is that <b>we need to be able to deny the existence of the Sensitive Whonix VM if the adversary ever gets access to our laptop.</b> </p>
<p>The advantage of this setup is that it does not actually destroy the computer or any sensitive data: you can keep using both even after triggering an emergency shutdown. </p>
<p><u>CONTEXT WARNING:</u> this setup is only suitable <b>if you are not going to be thrown in jail for just using Veracrypt</b>, and if an adversary were to bust down your front door, <b>you need to have at least 5 seconds before he can see your laptop screen.</b></p>
<p><h2><u>OPSEC Recommendations:</u></h2></p>
<ol>
<li><p>Hardware: (Personal Computer / Laptop)</p></li>
<li><p>Host OS: <a href="../linux/index.html">Linux</a>, but in <a href="../livemode/index.html">live mode</a></p></li>
<li><p>Hypervisor: <a href="../hypervisorsetup/index.html">libvirtd QEMU/KVM</a></p></li>
<li><p>Hard drive (HDD): 500GB and encrypted with <a href="../veracrypt/index.html">Veracrypt (with a 250GB Hidden Volume)</a></p></li>
<li><p>Virtual Machine: <a href="../whonixqemuvms/index.html">Whonix</a></p></li>
</ol>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /grey -->
<!-- +++++ Second Post +++++ -->
<div id="anon3">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Deniability Requirement</b></h2> </br> </br>
<p>First of all, as you have seen, the requirement is that we do this setup from the Host OS in <a href="../livemode/index.html">live mode</a>. That is because we want to make sure that no forensic evidence is saved on the system drive, as we explained <a href="../livemode/index.html">previously.</a> </p>
<img src="../livemode/4.png" class="imgRz">
<p>While in live mode we can't write anything new to the system disk (system logs, kernel logs, non-standard logs), <b>all of which could be forensic evidence that the hidden volume exists</b>. Instead, everything is written into RAM, and we can erase all of it with a simple reboot. While in live mode, however, we can still write to non-system drives, which is where we will set up a veracrypt volume big enough to store the Whonix VMs that we will use for long-term sensitive use.</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /grey -->
<!-- +++++ Second Post +++++ -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>How to setup the VMs inside the Hidden Volume</b></h2> </br> </br>
<p>So before we start, make sure you reboot the Host OS to go into live mode:</p>
<img src="../deniability/7.png" class="imgRz">
<p>Then, once in live mode, we're going to set up our veracrypt volumes on our 500GB hard drive:</p>
<img src="2.png" class="imgRz">
<img src="3.png" class="imgRz">
<p>Here we're using a non-system drive, since we want the veracrypt hidden volume contents to persist across reboots. (If the veracrypt volume were on the system drive, it would be wiped on reboot, since the Host OS is in live mode.)</p>
<img src="4.png" class="imgRz">
<img src="5.png" class="imgRz">
<img src="6.png" class="imgRz">
<img src="7.png" class="imgRz">
<img src="8.png" class="imgRz">
<img src="9.png" class="imgRz">
<img src="10.png" class="imgRz">
<img src="11.png" class="imgRz">
<p>And inside our veracrypt outer (decoy) volume, we're going to set up the veracrypt inner (hidden) volume, and make it 250GB big:</p>
<img src="12.png" class="imgRz">
<img src="13.png" class="imgRz">
<img src="14.png" class="imgRz">
<img src="15.png" class="imgRz">
<img src="16.png" class="imgRz">
<img src="17.png" class="imgRz">
<img src="18.png" class="imgRz">
<img src="19.png" class="imgRz">
<img src="20.png" class="imgRz">
<p>Now that the veracrypt volume has been set up, to highlight the mechanism: for the same hard drive, you have 2 passwords. Password A opens the decoy volume, and Password B (which must remain secret, known only to you) opens the hidden volume:</p>
<img src="21.png" class="imgRz">
<img src="22.png" class="imgRz">
<img src="23.png" class="imgRz">
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon3">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Setting up the Hidden Volume</b></h2> </br> </br>
<p>So now let's set up the hidden volume, where we will put the Sensitive Whonix QEMU VMs:</p>
<img src="24.png" class="imgRz">
<p>Then, we're going to download the Whonix VMs and configure them to be used from inside the hidden veracrypt volume: </p>
<img src="25.png" class="imgRz">
<pre><code class="nim">
[ nowhere ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
→ mv ~/Downloads/Whonix-Xfce-17.2.3.7.Intel_AMD64.qcow2.libvirt.xz /mnt/veracrypt1/
[ nowhere ] [ /dev/pts/23 ] []
→ tar -xvf Whonix-Xfce-17.2.3.7.Intel_AMD64.qcow2.libvirt.xz
WHONIX_BINARY_LICENSE_AGREEMENT
WHONIX_DISCLAIMER
Whonix-Gateway-Xfce-17.2.3.7.xml
Whonix-Workstation-Xfce-17.2.3.7.xml
Whonix_external_network-17.2.3.7.xml
Whonix_internal_network-17.2.3.7.xml
Whonix-Gateway-Xfce-17.2.3.7.Intel_AMD64.qcow2
Whonix-Workstation-Xfce-17.2.3.7.Intel_AMD64.qcow2
[ nowhere ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
→ touch WHONIX_BINARY_LICENSE_AGREEMENT_accepted
</code></pre>
<p>Next, we simplify the file names:</p>
<pre><code class="nim">
[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
→ mv Whonix-Gateway-Xfce-17.2.3.7.xml Whonix-Gateway.xml
[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
→ mv Whonix-Gateway-Xfce-17.2.3.7.Intel_AMD64.qcow2 Whonix-Gateway.qcow2
[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
→ mv Whonix-Workstation-Xfce-17.2.3.7.xml Whonix-Workstation.xml
[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
→ mv Whonix-Workstation-Xfce-17.2.3.7.Intel_AMD64.qcow2 Whonix-Workstation.qcow2
[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
→ mv Whonix_external_network-17.2.3.7.xml Whonix-external.xml
[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
→ mv Whonix_internal_network-17.2.3.7.xml Whonix-internal.xml
[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
→ ls -l
total 209745392
drwx------ 2 root root 16384 Sep 1 21:24 lost+found
-rwxrwx--x 1 nihilist libvirt 1202 Jan 2 2024 refreshvms.sh
-rwxrwx--- 1 nihilist libvirt 39649 Oct 21 2015 WHONIX_BINARY_LICENSE_AGREEMENT
-rwxrwx--- 1 nihilist libvirt 4185 Oct 21 2015 WHONIX_DISCLAIMER
-rwxrwx--- 1 nihilist libvirt 172 Oct 21 2015 Whonix_external_network-17.2.3.7.xml
-rwxrwx--- 1 nihilist libvirt 107389386752 Nov 1 14:13 Whonix-Gateway.qcow2
-rwxrwx--- 1 nihilist libvirt 3577 Sep 1 22:31 Whonix-Gateway.xml
-rwxrwx--- 1 nihilist libvirt 97 Oct 21 2015 Whonix_internal_network-17.2.3.7.xml
-rwxrwx--- 1 nihilist libvirt 107389386752 Nov 1 14:13 Whonix-Workstation.qcow2
-rwxrwx--- 1 nihilist libvirt 3466 Sep 1 22:30 Whonix-Workstation.xml
</code></pre>
<p>And then we edit the .xml file of the gateway VM to give it 1GB of RAM and point it to the correct .qcow2 path:</p>
<pre><code class="nim">
[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
→ vim Whonix-Gateway.xml
[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
→ cat Whonix-Gateway.xml | grep emory
<<b></b>memory dumpCore="off" unit="GiB">1<<b></b>/memory>
<<b></b>currentMemory unit="GiB">1<<b></b>/currentMemory>
[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
→ cat Whonix-Gateway.xml | grep qcow2
<<b></b>driver name="qemu" type="qcow2"/>
<<b></b>source file="/mnt/veracrypt1/Whonix-Gateway.qcow2"/>
</code></pre>
<p>And then we do the same for the .xml file of the workstation VM, giving it 8GB of RAM and the correct .qcow2 path as well:</p>
<pre><code class="nim">
[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
→ vim Whonix-Workstation.xml
[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
→ cat Whonix-Workstation.xml | grep emory
<<b></b>memory dumpCore="off" unit="GiB">8<<b></b>/memory>
<<b></b>currentMemory unit="GiB">8<<b></b>/currentMemory>
[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
→ cat Whonix-Workstation.xml | grep qcow2
<<b></b>driver name="qemu" type="qcow2"/>
<<b></b>source file="/mnt/veracrypt1/Whonix-Workstation.qcow2"/>
</code></pre>
<p>And from here we create <b>script.sh</b>, which we put inside the veracrypt hidden volume. We will use it to automatically either import both VMs into virt-manager or remove them, depending on whether they are already imported or not.</p>
<pre><code class="nim">
[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
→ vim script.sh
[ nowhere ] [ /dev/pts/0 ] [~]
→ cat /mnt/veracrypt1/script.sh
#!/bin/bash
if [ $(virsh -c qemu:///system list --all | grep Whonix | wc -l) -ne 0 ];
then
# if the VMs are imported, remove them:
virsh -c qemu:///system destroy Whonix-Gateway
virsh -c qemu:///system destroy Whonix-Workstation
virsh -c qemu:///system undefine Whonix-Gateway
virsh -c qemu:///system undefine Whonix-Workstation
virsh -c qemu:///system net-destroy Whonix-External
virsh -c qemu:///system net-destroy Whonix-Internal
virsh -c qemu:///system net-undefine Whonix-External
virsh -c qemu:///system net-undefine Whonix-Internal
else
# if the VMs are not imported, import them:
virsh -c qemu:///system net-define /mnt/veracrypt1/Whonix-external.xml
virsh -c qemu:///system net-define /mnt/veracrypt1/Whonix-internal.xml
virsh -c qemu:///system net-autostart Whonix-External
virsh -c qemu:///system net-start Whonix-External
virsh -c qemu:///system net-autostart Whonix-Internal
virsh -c qemu:///system net-start Whonix-Internal
virsh -c qemu:///system define /mnt/veracrypt1/Whonix-Gateway.xml
virsh -c qemu:///system define /mnt/veracrypt1/Whonix-Workstation.xml
fi
</code></pre>
<p>So by default you have your QEMU VMs like so:</p>
<img src="26.png" class="imgRz">
<p>And to run the script to import the VMs you do as follows:</p>
<pre><code class="nim">
[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
→ chmod +x script.sh
[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
→ ./script.sh
Network Whonix-External defined from Whonix-external.xml
Network Whonix-Internal defined from Whonix-internal.xml
Network Whonix-External marked as autostarted
Network Whonix-External started
Network Whonix-Internal marked as autostarted
Network Whonix-Internal started
Domain 'Whonix-Gateway' defined from Whonix-Gateway.xml
Domain 'Whonix-Workstation' defined from Whonix-Workstation.xml
</code></pre>
<p>From there you'll see that the Whonix VMs are imported:</p>
<img src="27.png" class="imgRz">
<p>And now to remove them you can just run the same script again:</p>
<pre><code class="nim">
[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
→ ./script.sh
error: Failed to destroy domain 'Whonix-Gateway'
error: Requested operation is not valid: domain is not running
error: Failed to destroy domain 'Whonix-Workstation'
error: Requested operation is not valid: domain is not running
Domain 'Whonix-Gateway' has been undefined
Domain 'Whonix-Workstation' has been undefined
Network Whonix-External destroyed
Network Whonix-Internal destroyed
Network Whonix-External has been undefined
Network Whonix-Internal has been undefined
</code></pre>
<p>And you'll see that the VMs are no longer there:</p>
<img src="26.png" class="imgRz">
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Setting up the Decoy volume</b></h2> </br> </br>
<p>Now that we have set up the hidden volume, let's close it so that we can set up the decoy volume (don't forget to leave the mounted directory on the command line first, otherwise veracrypt will complain that the drive is busy):</p>
<pre><code class="nim">
[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
→ cd ..
[ nowhere ] [ /dev/pts/1 ] [/mnt]
</code></pre>
<p>Now first dismount the hidden volume:</p>
<img src="28.png" class="imgRz">
<p>And then mount the decoy volume:</p>
<img src="21.png" class="imgRz">
<p>In the decoy volume, we want content that makes sense to be kept hidden in an encrypted volume while still not being considered as sensitive (meaning nothing that can get you into trouble like adult content, or movies that you pirated):</p>
<pre><code class="nim">
[ nowhere ] [ /dev/pts/1 ] [/mnt]
→ cd /mnt/veracrypt1
[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
→ ls
lost+found
[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
→ sudo apt install yt-dlp vlc -y
[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
→ yt-dlp https://www.youtube.com/watch\?v\=16efRG5H_Vc
[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
→ yt-dlp https://www.youtube.com/watch\?v\=HmZm8vNHBSU
</code></pre>
<img src="29.png" class="imgRz">
<p>So in this example we're going to pretend we have pirated some movies and got some adult content; that way we have an excuse for why we have an encrypted veracrypt volume if ever forced by an adversary. We then create script.sh, which will simply be used to kill the media player window:</p>
<pre><code class="nim">
[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
→ vim script.sh
[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
→ chmod +x script.sh
[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
→ cat script.sh
#!/bin/bash
kill -9 $(pidof vlc)
</code></pre>
<p>If ever asked by an adversary, we'll simply claim that this script is there to quickly kill the media player window in case someone enters the room while you're watching that not-sensitive-but-private content.</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon3">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Emergency shutdown shortcut</b></h2> </br> </br>
<!--<p>Now that we're done setting up both the hidden and the decoy volumes, we're going to setup the script that will launch either of the 2 script.sh scripts we just wrote, on top of also erasing all potential proof that the sensitive VM exists (meaning we erase all logs, all kernel logs, we fill the ram with random content 3 times, and we erase the command history): </p>
<p>First we need to make sure we can run veracrypt commands without requiring to be a sudo user:</p>
<pre><code class="nim">
[ nowhere ] [ /dev/pts/1 ] [/mnt]
→ ls -lash /usr/bin/veracrypt
4.3M -rwxr-xr-x 1 root root 4.3M Sep 8 22:37 /usr/bin/veracrypt
[ nowhere ] [ /dev/pts/1 ] [~]
→ sudo chown root:nihilist /usr/bin/veracrypt
[ nowhere ] [ /dev/pts/1 ] [/mnt]
→ sudo groupadd veracrypt
[sudo] password for nihilist:
[ nowhere ] [ /dev/pts/1 ] [/mnt]
→ sudo usermod -aG veracrypt $(whoami)
[ nowhere ] [ /dev/pts/1 ] [/mnt]
→ zsh
[ nowhere ] [ /dev/pts/1 ] [/mnt]
→ sudo visudo -f /etc/sudoers.d/veracrypt
%veracrypt ALL=(root) NOPASSWD:/usr/bin/veracrypt, /usr/bin/mount, /usr/bin/umount, /usr/bin/uptime
[ nowhere ] [ /dev/pts/1 ] [/mnt]
→ whoami
nihilist
[ nowhere ] [ /dev/pts/1 ] [/mnt]
→ veracrypt -d -f
</pre></code>
<p>Now from there (after a reboot) you wont require sudo passwords to use veracrypt anymore. Next we need to be able to remove all logs without being the root user:</p>
<pre><code class="nim">
[ nowhere ] [ /dev/pts/1 ] [~]
→ sudo setfacl -Rm u:$(whoami):rwX /var/log
[ nowhere ] [ /dev/pts/1 ] [/mnt]
→ rm /var/log/*.log /var/log/*/*.log /var/log/*/*/*.log -rf
[ nowhere ] [ /dev/pts/1 ] [~]
→ sudo setfacl -Rm u:$(whoami):rwX /dev/shm
[ nowhere ] [ /dev/pts/1 ] [/mnt]
→ rm /dev/shm/*.log /dev/shm/*/*.log /dev/shm/*/*/*.log -rf
</pre></code>
<p>Then we need to do the same but to remove all kernel logs:</p>
<pre><code class="nim">
[ nowhere ] [ /dev/pts/1 ] [/mnt]
→ sudo sysctl -w kernel.dmesg_restrict=0
[ nowhere ] [ /dev/pts/1 ] [/mnt]
→ sudo vim /etc/sysctl.d/01-dmesg.conf.txt
[ nowhere ] [ /dev/pts/1 ] [/mnt]
→ cat /etc/sysctl.d/01-dmesg.conf.txt
kernel.dmesg_restrict = 0
[ nowhere ] [ /dev/pts/1 ] [/mnt]
→ sudo chown root:nihilist /usr/bin/dmesg
[ nowhere ] [ /dev/pts/1 ] [/mnt]
→ sudo chmod 750 /usr/bin/dmesg
[ nowhere ] [ /dev/pts/1 ] [/mnt]
→ sudo setcap cap_syslog=ep /usr/bin/dmesg
[ nowhere ] [ /dev/pts/1 ] [/mnt]
→ dmesg -c
</pre></code>
<p>then we kill veracrypt's process to avoid having the veracrypt window display which drive/volume was selected:</p>
<pre><code class="nim">
[ nowhere ] [ /dev/pts/1 ] [/mnt]
→ kill $(pidof veracrypt)
</pre></code>
<p>and then we overwrite the ram contents like so:</p>
<pre><code class="nim">
[ nowhere ] [ /dev/pts/1 ] [/mnt]
→ sudo apt install stress -y
#find how many GBs of ram you have:
[ nowhere ] [ /dev/pts/1 ] [/mnt]
→ free -ght | grep Mem | cut -d ' ' -f 12 | cut -d 'G' -f 1
125
#do a stress test to fill those 125GBs of ram:
[ nowhere ] [ /dev/pts/1 ] [/mnt]
→ stress -m 1 --vm-bytes $(free -ght | grep Mem | cut -d ' ' -f 12 | cut -d 'G' -f 1)G -t 10
stress: info: [2659012] dispatching hogs: 0 cpu, 0 io, 1 vm, 0 hdd
stress: info: [2659012] successful run completed in 11s
</pre></code>
<p>so now we write the wipe.sh script, that we place at the home directory of our user:</p>
<pre><code class="nim">
[ nowhere ] [ /dev/pts/1 ] [~]
→ cd
[ nowhere ] [ /dev/pts/1 ] [~]
→ vim wipe.sh
[ nowhere ] [ /dev/pts/1 ] [~]
→ cat wipe.sh
#!/bin/bash
# run script.sh from inside the veracrypt volume:
/mnt/veracrypt1/script.sh
# close down the veracrypt volume:
/usr/bin/veracrypt -d -f
# remove all system logs:
rm /var/log/*.log /var/log/*/*.log /var/log/*/*/*.log -rf
rm /dev/shm/*.log /dev/shm/*/*.log /dev/shm/*/*/*.log -rf
# remove all kernel logs:
/usr/bin/dmesg -c >/dev/null 2>/dev/null
# kill the veracrypt process:
kill $(pidof veracrypt)
# erase the commandline history:
echo '' > ~/.zsh_history
echo '' > ~/.bash_history
# overwrite the ram contents 3 times:
stress -m 1 --vm-bytes $(free -ght | grep Mem | cut -d ' ' -f 12 | cut -d 'G' -f 1)G -t 10
stress -m 1 --vm-bytes $(free -ght | grep Mem | cut -d ' ' -f 12 | cut -d 'G' -f 1)G -t 10
stress -m 1 --vm-bytes $(free -ght | grep Mem | cut -d ' ' -f 12 | cut -d 'G' -f 1)G -t 10
[ nowhere ] [ /dev/pts/1 ] [~]
→ chmod +x wipe.sh
</pre></code>-->
<p>Now that we're set up, we need to be able to run that script using a shortcut from our desktop environment. I am currently using Cinnamon, so to create a shortcut for Cinnamon you do as follows:</p>
<img src="30.png" class="imgRz">
<!--<img src="31.png" class="imgRz">
<img src="32.png" class="imgRz">
<p>So basically from here, if you are not in a QEMU VM, you simply need to hit the shortcut <b>"SUPER+R"</b>.</p>
<p>If you are focused in a QEMU VM, you need to do <b>"Ctrl+Alt"</b> (to focus out of the QEMU VM), and then <b>"SUPER+R"</b> to run the wipe.sh script from the Host OS.</p>-->
<img src="37.png" class="imgRz">
<p>Now we set up the shortcut <b>"Super+V"</b> to run the <b>/mnt/veracrypt1/script.sh</b> script, just so it is quicker to set up the whonix VMs when inside the veracrypt hidden volume.</p>
<img src="36.png" class="imgRz">
<p>Now, in order to shut down the Host OS, as we explained <a href="../livemode/index.html">previously</a>, we need to have the emergency shutdown bash script:</p>
<pre><code class="nim">
nihilist@mainpc:~$ su -
Password:
root@mainpc:~# visudo
[...]
nihilist ALL=NOPASSWD:/sbin/shutdown
[...]
nihilist@mainpc:~$ vim shutdown.sh
nihilist@mainpc:~$ cat shutdown.sh
#!/bin/bash
/sbin/shutdown -h now
nihilist@mainpc:~$ chmod +x shutdown.sh
</code></pre>
<p>However, we're going to edit it a bit so that it runs script.sh and closes the veracrypt volumes before shutting down the Host OS, so we edit the shutdown.sh script as follows:</p>
<pre><code class="nim">
nihilist@mainpc:~$ cat shutdown.sh
#!/bin/bash
# run script.sh
/mnt/veracrypt1/script.sh
# unmount veracrypt volumes
/usr/bin/veracrypt -d -f
# kill veracrypt after unmounting
kill $(pidof veracrypt)
# shutdown the host OS
/sbin/shutdown -h now
</code></pre>
<p>Then, we need to make sure that the shutdown.sh script can be run with the <b>"Super+R"</b> shortcut:</p>
<img src="41.png" class="imgRz">
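<p>Below is a hardened version of the script.sh toggle from earlier on this page, extended with the emergency sequence that shutdown.sh runs. It is an added example, not the blog's own script.sh or shutdown.sh: it assumes the same file names, domain and network names and the /mnt/veracrypt1 mount point used above, plus the NOPASSWD sudoers line for /sbin/shutdown; <code>virsh domstate</code>/<code>net-info</code> and <code>pkill</code> are my substitutions for the page's <code>list | grep</code> check and <code>kill $(pidof ...)</code>.</p>

```shell
#!/bin/bash
# whonix-vms.sh: hardened, idempotent stand-in for the page's script.sh plus the VM
# part of its shutdown.sh (added example, not the blog's own code). Same toggle
# behaviour, but every action is decided from libvirt's real state, so "destroy" is
# only sent to running domains and the script can be re-run safely.
set -u
URI="qemu:///system"
VOL="${VOL:-/mnt/veracrypt1}"   # hidden-volume mount point, as on the page (assumed)
DOMAINS="Whonix-Gateway Whonix-Workstation"
NETS="Whonix-External Whonix-Internal"

# Print absent / running / off for a libvirt domain, read from "virsh domstate".
dom_state() {
    local st
    st=$(virsh -c "$URI" domstate "$1" 2>/dev/null) || { echo absent; return; }
    case "$st" in
        "shut off"|crashed) echo off ;;
        *)                  echo running ;;
    esac
}

# Print absent / active / inactive for a libvirt network, read from "virsh net-info".
net_state() {
    local info
    info=$(virsh -c "$URI" net-info "$1" 2>/dev/null) || { echo absent; return; }
    if printf '%s\n' "$info" | grep -q '^Active:[[:space:]]*yes'; then echo active; else echo inactive; fi
}

# Succeeds when at least one Whonix domain is defined in libvirt.
vms_imported() {
    local d
    for d in $DOMAINS; do
        [ "$(dom_state "$d")" != absent ] && return 0
    done
    return 1
}

# Tear down the domains and their isolated networks; destroy only what is running.
whonix_remove() {
    local d n
    for d in $DOMAINS; do
        case "$(dom_state "$d")" in
            running) virsh -c "$URI" destroy "$d"; virsh -c "$URI" undefine "$d" ;;
            off)     virsh -c "$URI" undefine "$d" ;;
        esac
    done
    for n in $NETS; do
        case "$(net_state "$n")" in
            active)   virsh -c "$URI" net-destroy "$n"; virsh -c "$URI" net-undefine "$n" ;;
            inactive) virsh -c "$URI" net-undefine "$n" ;;
        esac
    done
}

# Import networks first, then domains, from the XML kept inside the hidden volume.
# Refuses to start if a file is missing (volume not mounted) instead of leaving libvirt half-configured.
whonix_import() {
    local f n
    for f in Whonix-external Whonix-internal Whonix-Gateway Whonix-Workstation; do
        [ -r "$VOL/$f.xml" ] || { echo "missing $VOL/$f.xml: is the hidden volume mounted?" >&2; return 1; }
    done
    virsh -c "$URI" net-define "$VOL/Whonix-external.xml"
    virsh -c "$URI" net-define "$VOL/Whonix-internal.xml"
    for n in $NETS; do
        virsh -c "$URI" net-autostart "$n"
        virsh -c "$URI" net-start "$n"
    done
    virsh -c "$URI" define "$VOL/Whonix-Gateway.xml"
    virsh -c "$URI" define "$VOL/Whonix-Workstation.xml"
}

# Same toggle as the original script.sh; prints the action taken.
whonix_toggle() {
    if vms_imported; then whonix_remove; echo removed; else whonix_import && echo imported; fi
}

# Emergency path for the Super+R shortcut: VMs gone, volumes dismounted, GUI closed,
# then power off. A failing step never blocks the poweroff.
whonix_emergency() {
    whonix_remove || true
    veracrypt -d -f || true                 # dismount every mounted veracrypt volume
    pkill -x veracrypt 2>/dev/null || true  # the GUI would show which drive was selected
    sudo -n /sbin/shutdown -h now           # uses the NOPASSWD sudoers line from the page
}

case "${1:-}" in
    import) whonix_import ;;  remove) whonix_remove ;;
    toggle) whonix_toggle ;;  emergency) whonix_emergency ;;
esac
```

<p>Bind <code>./whonix-vms.sh toggle</code> to Super+V and <code>./whonix-vms.sh emergency</code> to Super+R; with no argument the script only defines its functions.</p>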
<p>And we're now all setup! So let's try it out in both scenarios (from the decoy volume, and from the hidden volume):</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<!-- +++++ Second Post +++++ -->
<div id="anon1">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Decoy Volume Scenario (watching non-sensitive content)</b></h2>
<p>So first we open veracrypt, and mount the decoy volume:</p>
<img src="21.png" class="imgRz">
<img src="22.png" class="imgRz">
<p>Then we open VLC, and we hit "Open file" and browse to our non-sensitive files:</p>
<img src="33.png" class="imgRz">
<img src="34.png" class="imgRz">
<p>Then suddenly someone busts down your front door, and you quickly press <b>"Super+R"</b>: the VLC window immediately closes, followed by the closure of the veracrypt volume, and in a few seconds the Host OS shuts down. As the Host OS shuts down, all the RAM contents are erased (even though there was nothing sensitive in it this time).</p>
<p>And that's it! If the adversary didn't get to your desk by the time you pressed the shortcut, he didn't get to see the content you were playing on your monitor. </p>
<h2><b>Hidden Volume Scenario (using the sensitive VM)</b></h2>
<p>Now to test emergency shutdown on the hidden volume side, we first open the hidden volume:</p>
<img src="23.png" class="imgRz">
<img src="24.png" class="imgRz">
<p>Once the hidden volume is mounted, we hit <b>"Super+V"</b> to quickly set up the whonix VMs:</p>
<img src="38.png" class="imgRz">
<p>And after a while of doing some actual sensitive stuff on the whonix VM you hear your front door being busted down, so you quickly hit <b>"Ctrl+Alt"</b> to focus out of the VM, and then you hit <b>"Super+R"</b> to trigger the emergency shutdown:</p>
<img src="42.png" class="imgRz">
<p>Here it also only takes approximately 4 seconds after pressing <b>"Super+R"</b> to have the VMs removed, the veracrypt volume closed, and your Host OS shutdown, erasing all the forensic evidence regarding the existence of the veracrypt hidden volume and the Sensitive Whonix VM that it contains.</p>
<p>And that's it! You now have a Sensitive VM ready to be used, and you have implemented the necessary measures to protect the deniability of its existence from an adversary.</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<!-- +++++ Second Post +++++ -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>In what context is there Deniability?</b></h2>
<p>With this setup, you have deniability the moment the Host OS finishes shutting down, regarding the existence of the veracrypt hidden volume and the whonix sensitive VMs that are in it. <b>Meaning that it is impossible for an adversary that seizes your computer to prove the existence of the Whonix Sensitive VMs after the Host OS has finished shutting down.</b></p>
<p>Below is all an adversary will be able to see, if he were to seize your laptop after you manage to shut it down:</p>
<img src="40.png" class="imgRz">
<p>Of course, if you are ever forced to, <b>ONLY give your decoy password to the adversary.</b> The existence of the hidden volume, and of the secret password that's used to reveal it, must remain a secret at all costs; it must remain known only by you.</p>
<p>If you are ever dragged into court, <b>the judge will appreciate it much more if you actually hand over your laptop and show that you are willing to cooperate with the authorities by providing your password to unlock it</b>, rather than pretending you forgot your password (which can end badly, as in <a href="https://lawblog.legalmatch.com/2018/07/23/florida-man-jailed-allegedly-forgetting-password-on-cell-phones/">this court case</a>, where the defendant was found to be in contempt of court and jailed for 6 months for it). </p>
<p>If ever asked by the authorities why you used veracrypt on your laptop, you can simply claim that it was to keep your stash of adult content in it. Nothing incriminating about it, and it is plausible given that you don't want that lying around on your desktop, it being a private matter.</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<!-- +++++ Footer Section +++++ -->
<div id="anonb">
<div class="container">
<div class="row">
<div class="col-lg-4">
<h4>Nihilism</h4>
<p>
Until there is Nothing left.</p></br></br><p>Creative Commons Zero: <a href="../../../../opsec/runtheblog/index.html">No Rights Reserved</a></br><img src="/CC0.png">
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4>My Links</h4>
<p>
<a target="_blank" rel="noopener noreferrer" href="http://blog.nowhere.moe/rss/feed.xml">RSS Feed</a><br/><a target="_blank" rel="noopener noreferrer" href="https://simplex.chat/contact#/?v=2-7&smp=smp%3A%2F%2FL5jrGV2L_Bb20Oj0aE4Gn-m5AHet9XdpYDotiqpcpGc%3D%40nowhere.moe%2FH4g7zPbitSLV5tDQ51Yz-R6RgOkMEeCc%23%2F%3Fv%3D1-3%26dh%3DMCowBQYDK2VuAyEAkts5T5AMxHGrZCCg12aeKxWcpXaxbB_XqjrXmcFYlDQ%253D&data=%7B%22type%22%3A%22group%22%2C%22groupLinkId%22%3A%22c3Y-iDaoDCFm6RhptSDOaw%3D%3D%22%7D">SimpleX Chat</a><br/>
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4>About nihilist</h4>
<p style="word-wrap: break-word;"><u>Donate XMR:</u> 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8</p></br><p><u>Contact:</u> nihilist@contact.nowhere.moe (<a href="https://nowhere.moe/nihilist.pubkey">PGP</a>)</p>
</div><!-- /col-lg-4 -->
</div>
</div>
</div>
<!-- Bootstrap core JavaScript
================================================== -->
<!-- Placed at the end of the document so the pages load faster -->
</body>
</html>