I posted a discussion earlier this week after installing Whonix for the first time in a while. After discovering that it can now be launched in live mode, I think we should make a clear stance to either encourage the usage of live mode or avoid it altogether.
Without extra clarification, I’m afraid that new users may use Whonix instead of Tails for anti-forensics purposes. This could be dangerous if not configured properly.
Here is what @Karlson mentioned in my earlier post:
> This is similar to running tails in a VM, your host may write sensitive information to pagefiles or swap(!), and your hypervisor may leave logs about your Whonix activity, like bootup and shutdown times.
> When running live mode, you can configure KVM Whonix’s disk to be read-only and enforced by the hypervisor. If you had an amnesic host OS (like the 2022 HiddenVM project), and Whonix is run in read-only mode enforced by the hypervisor, then in theory it should be aforensic because data would only be written to RAM. But I haven’t tried or audited this myself.
Maybe it is actually better to say this is the only way we recommend using it, and YMMV for any other form, including this one.
On the other hand, if people think this live mode is beneficial it could be worth recommending and it would be the first legitimate reason to use Whonix outside of Qubes IMO. However, I am not sure what benefits this live mode would have over the disposable anon-whonix VM in Qubes.
I am extremely unconvinced this should be used for anti-forensic purposes because Whonix still requires a host operating system. When/if Whonix-Host becomes a thing maybe it would make more sense. If anti-forensics is the only real use-case people here want from the live system though, then yes I would recommend a stance against using it.
At this time, disposables should not be relied upon to circumvent local forensics, as they do not run entirely in RAM. For details, see this thread.
> Each DispVM uses a volatile.img file that is used to create the R/W illusion for its root fs via COW (the same mechanism as for any other AppVM based on a template). This file is located in /var/lib/qubes/appvms/<name-of-dispvm-template>/volatile.img.
| Run Type | Malware Persistence | Forensic Traces |
|---|---|---|
| Qubes DispVM/VM Snapshots | Requires Virtual Machine Escape | Written to host disk, other logs |
| Whonix Live Mode / Non-Live Non-Qubes Host OS | Requires Privilege Escalation | Stored in swap and/or logs |
| Whonix Live Mode + Live Aforensic Host OS | Requires Privilege Escalation | None |
| Whonix Live Mode + Live Aforensic Host OS + Write-protected virtual disk | Requires Virtual Machine Escape | None |
One could also run a DispVM in live mode, but Qubes still keeps some logs concerning DispVM usage. For more information see: Qubes Disposables
If you’re incredibly paranoid about malware persistence from a VM escape, you could run an OS entirely in RAM (like ParrotOS), keep Whonix on a removable drive, copy Whonix’s disks to the host’s ramdisk, and physically remove the drives containing the host OS and/or Whonix drives every time you use it. But this would be incredibly time consuming and require a lot of RAM.
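To make the "write-protected virtual disk" row of the table concrete, here is an added Python check (not Whonix, Qubes or Kicksecure code) that reads a libvirt domain definition and reports every hard disk lacking the `<readonly/>` element, which is what makes the hypervisor rather than the guest enforce read-only access, and that flags active host swap, the other leak path Karlson mentions. The domain XML is a constructed sample, not a real Whonix definition; `<readonly/>` is a standard libvirt disk element.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample libvirt domain: vda is hypervisor-enforced read-only,
# vdb is writable, the cdrom is read-only by nature and is ignored.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>sample-whonix-workstation</name>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/sample-ws.qcow2'/>
      <target dev='vda' bus='virtio'/>
      <readonly/>
    </disk>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/sample-scratch.qcow2'/>
      <target dev='vdb' bus='virtio'/>
    </disk>
    <disk type='file' device='cdrom'>
      <target dev='sda' bus='sata'/>
      <readonly/>
    </disk>
  </devices>
</domain>"""


def writable_disks(domain_xml: str) -> list:
    """Target names of every device='disk' entry without a <readonly/> child,
    i.e. disks the guest could persist data (or malware) to."""
    root = ET.fromstring(domain_xml)
    found = []
    for disk in root.iter("disk"):
        if disk.get("device") != "disk":
            continue
        if disk.find("readonly") is None:
            target = disk.find("target")
            found.append(target.get("dev") if target is not None else "?")
    return found


def host_swap_active(swaps_text: str) -> bool:
    """True if the /proc/swaps text lists any swap area after its header;
    guest RAM can land there even when the VM disk is read-only."""
    return any(line.strip() for line in swaps_text.splitlines()[1:])


if __name__ == "__main__":
    print("writable disks:", writable_disks(SAMPLE_DOMAIN_XML))
    try:
        print("host swap active:", host_swap_active(Path("/proc/swaps").read_text()))
    except OSError:
        print("/proc/swaps not readable on this host")
```

On a real host, feed it the output of `virsh dumpxml <domain>` instead of the sample.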
> When/if Whonix-Host becomes a thing maybe it would make more sense.
Perhaps the easiest way to have an aforensic Whonix would be to just use regular Kicksecure as the host OS, and run it in live mode. Without extra configuration this is less secure against attacks on the host OS than Qubes, but is more private.
> If anti-forensics is the only real use-case people here want from the live system though, then yes I would recommend a stance against using it.
I personally see live-mode/disposables as an important security feature for any OS.
Yeah that’s exactly what I mean though. If Whonix live mode can’t be relied upon for antiforensics (which I believe is true) then it has no advantage over Qubes disposable VMs, which also can’t be relied upon for antiforensics.
It makes the most sense to me right now to just say we only recommend using Whonix with Qubes, and we only recommend Tails for antiforensics purposes and not Qubes/Whonix.
Edit: I’m not sure if Kicksecure Live is a trustworthy antiforensics OS like you are suggesting, is there documentation on that?