blog-contributions/opsec/livemode/index.html

299 lines
15 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="">
<link rel="shortcut icon" href="../../../../../../assets/img/favicon.png">
<title>Using the Host-OS in live-mode to prepare for long-term Sensitive Use</title>
<!-- Bootstrap core CSS -->
<link href="../../assets/css/bootstrap.css" rel="stylesheet">
<link href="../../assets/css/xt256.css" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="../../assets/css/main.css" rel="stylesheet">
<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
<script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script>
<![endif]-->
</head>
<body>
<!-- Static navbar -->
<div class="navbar navbar-inverse-anon navbar-static-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand-anon" href="\index.html">The Nihilism Blog</a>
</div>
<div class="navbar-collapse collapse">
<ul class="nav navbar-nav navbar-right">
<li><a href="/about.html">About</a></li>
<li><a href="/blog.html">Categories</a></li>
<li><a href="https://blog.nowhere.moe/donate.html">Donate</a></li>
<li><a href="/contact.html">Contact</a></li>
</ul>
</div><!--/.nav-collapse -->
</div>
</div>
<!-- +++++ Posts Lists +++++ -->
<!-- +++++ First Post +++++ -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<a href="../index.html">Previous Page</a></br></br><p><img src="../../assets/img/user.png" width="50px" height="50px"> <ba>nihilist@mainpc - 2024-11-03</ba></p>
<h1>Using the Host-OS in live-mode to prepare for long-term Sensitive Use </h1>
<img src="../deniability/7.png" class="imgRz">
<p><h2><u>OPSEC Recommendations:</u></h2></p>
<ol>
<li><p>Hardware : (Personal Computer / Laptop)</p></li>
<li><p>System Harddrive: not LUKS encrypted <a href="https://www.kicksecure.com/wiki/Ram-wipe">[1]</a></p></li>
<li><p>Non-System Harddrive: 500Gb (will be used to contain our <a href="../veracrypt/index.html">Veracrypt</a> encrypted volumes)</p></li>
<li><p>Host OS: <a href="../linux/index.html">Linux</a></p></li>
<li><p>Hypervisor: <a href="../hypervisorsetup/index.html">QEMU/KVM</a></p></li>
</ol>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /grey -->
<!-- +++++ Second Post +++++ -->
<div id="anon3">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>What is the usecase ?</b></h2>
<p>The main usecase of using your Host OS in live mode, is that you want to use it for long term sensitive activities (meaning, you want to save sensitive files on a harddrive). <b>As you're going to see, using the Host OS in live mode is effectively a hard requirement for deniability</b>.</p>
<p>When we are talking sensitive use, we are talking about our need of Deniability. Which means that we need to use deniable encryption using <a href="../veracrypt/index.html">Veracrypt's hidden volumes</a>:</p>
<img src="../deniability/5.png" class="imgRz">
<p>In theory it is impossible to prove the existence of the hidden volume by itself once it is closed, <b>and if there is no proof of it's existence our deniability is maintained.</b> </p>
<p>But the issue is that we have more variables that we also need to keep under control, on the Host OS side you have <b>system logs, kernel logs</b>, the various other <b>non-standard log files</b> that software is writing on the disk, and even <b>the content of the RAM itself</b> can be used to prove the existence of a hidden volume.</p>
<img src="3.png" class="imgRz">
<p>Now when you are using your computer for regular public, private and anonymous activities, normally you don't need to care about those things. But the Host OS is a potential goldmine of forensic evidence to be used against you, <b>so for sensitive use specifically we need to take care of it.</b></p>
<p>Now you could start to manually erase all logs, all kernel logs, all non-standard system logs, manually overwrite the RAM contents, but this is going to be way too tedious and you're likely to miss something. So we have one simple solution: <b>use the Host OS in live mode</b>.</p>
<img src="4.png" class="imgRz">
<p>Thanks to live mode, <b>we are able to load the entire Host OS in RAM directly</b>, allowing us to avoid writing anything on the system disk (no system logs, no kernel logs, no non-standard logs, <b>only ram contents to worry about</b>)</p>
<p>And since everything is loaded inside the RAM, <b>all we need is to reboot the computer to wipe all of the RAM contents</b>, effectively <b>erase all forensic evidence (and all potential forensic evidence) of the existence of the hidden volume in one simple action.</b></p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Setting up Live Mode</b></h2> </br> </br>
<p>To do so, we need to install Kickstart's apt repository to have the grub-live package:</p>
<pre><code class="nim">
nothing@debian-tests:~$ su -
Password:
root@debian-tests:~# wget https://www.kicksecure.com/keys/derivative.asc
--2024-11-04 07:22:22-- https://www.kicksecure.com/keys/derivative.asc
Resolving www.kicksecure.com (www.kicksecure.com)... 95.216.66.124, 64:ff9b::5fd8:427c
Connecting to www.kicksecure.com (www.kicksecure.com)|95.216.66.124|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 77312 (76K) [application/octet-stream]
Saving to: derivative.asc
derivative.asc 100%[=====================================>] 75.50K --.-KB/s in 0.1s
2024-11-04 07:22:22 (794 KB/s) - derivative.asc saved [77312/77312]
root@debian-tests:~# sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
root@debian-tests:~# echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bookworm main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bookworm main contrib non-free
root@debian-tests:~# sudo apt-get update -y
Hit:1 http://security.debian.org/debian-security bookworm-security InRelease
Hit:2 http://deb.debian.org/debian bookworm InRelease
Hit:3 http://deb.debian.org/debian bookworm-updates InRelease
Get:4 https://deb.kicksecure.com bookworm InRelease [62.0 kB]
Get:5 https://deb.kicksecure.com bookworm/main amd64 Packages [37.6 kB]
Get:6 https://deb.kicksecure.com bookworm/contrib amd64 Packages [509 B]
Get:7 https://deb.kicksecure.com bookworm/non-free amd64 Packages [917 B]
Fetched 101 kB in 1s (73.7 kB/s)
Reading package lists... Done
</code></pre>
<p>Then we install the grub-live package, and the ram-wipe package <b>(warning, the ram-wipe package may cause your system to fail to boot in case if you encrypted the system drive using LUKS, click <a href="https://www.kicksecure.com/wiki/Ram-wipe">here</a> for more details on this)</b>. Therefore i recommend having the <a href="../linux/index.html">Host OS</a> system drive not encrypted until dracut supports LUKS encryption, but it shouldn't matter though, as the actual VMs that we'll be running will be on a non-system drive, which will be manually kept in <a href="../veracrypt/index.html">deniable encryption</a>.</p>
<pre><code class="nim">
root@debian-tests:~# apt install grub-live ram-wipe -y
</pre></code>
<p>Once that's done, let's take a quick look at the mounted drives using the lsblk command:</p>
<pre><code class="nim">
nothing@debian-tests:~$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sr0 11:0 1 1024M 0 rom
vda 254:0 0 20G 0 disk
<b>├─vda1 254:1 0 19G 0 part /</b>
├─vda2 254:2 0 1K 0 part
└─vda5 254:5 0 975M 0 part [SWAP]
vdb 254:16 0 1G 0 disk
</code></pre>
<p>As you can see here, we are not yet in live mode, so you can see the vda1 system drive mounted in the root directory, meaning that by default everything that is written on the disk by the Host OS is actually being written into the disk, rather than the RAM. So let's reboot to get into live mode:</p>
<pre><code class="nim">
root@debian-tests:~# reboot now
</code></pre>
<p>and then when you reboot your host OS, you should see that there is a new boot option to choose from grub:</p>
<img src="../deniability/7.png" class="imgRz">
<p>So we select it to boot into the OS, and then we're in live mode!</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<!-- +++++ Second Post +++++ -->
<div id="anon1">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Testing Live Mode</b></h2> </br> </br>
<p>now we're back into the host OS in live mode, let's first open a terminal and validate that we are in live mode by running lsblk:</p>
<pre><code class="nim">
nothing@debian-tests:~$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sr0 11:0 1 1024M 0 rom
vda 254:0 0 20G 0 disk
<b>├─vda1 254:1 0 19G 0 part /usr/lib/live/mount/medium
│ /usr/lib/live/mount/rootfs/filesystem
│ /run/live/medium
│ /run/live/rootfs/filesystem</b>
├─vda2 254:2 0 1K 0 part
└─vda5 254:5 0 975M 0 part [SWAP]
vdb 254:16 0 1G 0 disk
</code></pre>
<p>Here you can see that we have the <b>/dev/vda1 system drive</b> mounted under the <b>/run/live</b> and <b>/usr/lib/live</b> directories, so basically now everything that is normally being written into the system disk (like system logs, kernel logs, non-standard logs, and every other file) <b>is instead being written into the RAM, and not writing on the system disk at all.</b> </p>
<p>To test this, we'll create a file in the system drive:</p>
<pre><code class="nim">
nothing@debian-tests:~$ vim test.txt
nothing@debian-tests:~$ cat test.txt
THis has been written in the system disk vda1 from live mode !
</code></pre>
<p>and then we will create a file in the <b>non-system drive /dev/vdb</b> (which contains a veracrypt hidden volume):</p>
<img src="1.png" class="imgRz">
<pre><code class="nim">
nothing@debian-tests:~$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sr0 11:0 1 1024M 0 rom
vda 254:0 0 20G 0 disk
├─vda1 254:1 0 19G 0 part /usr/lib/live/mount/medium
│ /usr/lib/live/mount/rootfs/filesystem
│ /run/live/medium
│ /run/live/rootfs/filesystem
├─vda2 254:2 0 1K 0 part
└─vda5 254:5 0 975M 0 part [SWAP]
<b>vdb 254:16 0 1G 0 disk
└─veracrypt1 253:0 0 499.9M 0 dm /media/veracrypt1</b>
nothing@debian-tests:~$ cd /media/veracrypt1/
nothing@debian-tests:/media/veracrypt1$ ls
lost+found
nothing@debian-tests:/media/veracrypt1$ vim test2.txt
nothing@debian-tests:/media/veracrypt1$ cat test2.txt
this is a test file written from live mode, into a non-system drive!
</code></pre>
<p>Then we simply reboot the host OS into regular non-live mode to check if our first test file on the system drive is gone, and if the second test file on the non-system drive has been effectively saved:</p>
<img src="2.png" class="imgRz">
<img src="" class="imgRz">
<p>And then we check that the first test file we created in the system drive is effectively not there anymore:</p>
<pre><code class="nim">
nothing@debian-tests:~$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sr0 11:0 1 1024M 0 rom
vda 254:0 0 20G 0 disk
├─vda1 254:1 0 19G 0 part /
├─vda2 254:2 0 1K 0 part
└─vda5 254:5 0 975M 0 part [SWAP]
vdb 254:16 0 1G 0 disk
└─veracrypt1 253:0 0 499.9M 0 dm /media/veracrypt1
nothing@debian-tests:~$ cat test.txt
cat: test.txt: No such file or directory
</code></pre>
<p>And then we check if the file we created in the non-system veracrypt hidden volume is effectively still there:</p>
<pre><code class="nim">
nothing@debian-tests:~$ cat /media/veracrypt1/test2.txt
this is a test file written from live mode, into a non-system drive!
</code></pre>
<p>And that's it ! we have now validated that running the Host OS in live mode could protect our veracrypt hidden volume's existence from being proven, protecting our deniability. </p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<!-- +++++ Footer Section +++++ -->
<div id="anonb">
<div class="container">
<div class="row">
<div class="col-lg-4">
<h4>Nihilism</h4>
<p>
Until there is Nothing left.</p></br></br><p>Creative Commons Zero: <a href="../../../../opsec/runtheblog/index.html">No Rights Reserved</a></br><img src="\CC0.png">
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4>My Links</h4>
<p>
<a target="_blank" rel="noopener noreferrer" href="http://blog.nowhere.moe/rss/feed.xml">RSS Feed</a><br/><a target="_blank" rel="noopener noreferrer" href="https://simplex.chat/contact#/?v=2-7&smp=smp%3A%2F%2FL5jrGV2L_Bb20Oj0aE4Gn-m5AHet9XdpYDotiqpcpGc%3D%40nowhere.moe%2FH4g7zPbitSLV5tDQ51Yz-R6RgOkMEeCc%23%2F%3Fv%3D1-3%26dh%3DMCowBQYDK2VuAyEAkts5T5AMxHGrZCCg12aeKxWcpXaxbB_XqjrXmcFYlDQ%253D&data=%7B%22type%22%3A%22group%22%2C%22groupLinkId%22%3A%22c3Y-iDaoDCFm6RhptSDOaw%3D%3D%22%7D">SimpleX Chat</a><br/>
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4>About nihilist</h4>
<p style="word-wrap: break-word;"><u>Donate XMR:</u> 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8</p></br><p><u>Contact:</u> nihilist@contact.nowhere.moe (<a href="https://nowhere.moe/nihilist.pubkey">PGP</a>)</p>
</div><!-- /col-lg-4 -->
</div>
</div>
</div>
<!-- Bootstrap core JavaScript
================================================== -->
<!-- Placed at the end of the document so the pages load faster -->
</body>
</html>