I haven’t had the chance to use live mode on Whonix until recently. I thought it was fun to play around with it, albeit unwieldy to start up at first.
Just wondering, what is the general consensus on Whonix’s live mode from our community? Surprised to see that nobody brought this up yet, especially when our recommendations haven’t really commented on this feature yet.
All I know is that the Whonix team admitted that they aren’t experts on forensics and are working on ways to test its amnesiac capabilities. It seems like they adapted this feature from Kicksecure’s own live mode.
This is similar to running Tails in a VM: your host may write sensitive information to pagefiles or swap(!), and your hypervisor may leave logs about your Whonix activity, like bootup and shutdown times.
When running live mode, you can configure KVM Whonix’s disk to be read-only and enforced by the hypervisor. If you had an amnesic host OS (like the 2022 HiddenVM project) and Whonix is run in read-only mode enforced by the hypervisor, then in theory it should be aforensic because data would only be written to RAM. But I haven’t tried or audited this myself.
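As an added illustration of the hypervisor-enforced read-only disk mentioned above (this is example code written for this thread, not anything from the Whonix or Kicksecure projects): a small Python check over a libvirt domain XML fragment that reports which system disks lack the `<readonly/>` element and adds it where missing. The XML below is constructed for the example; the domain name and image path are placeholders, and the assumption is that `<readonly/>` on a `<disk device='disk'>` element is what makes libvirt/QEMU present the disk read-only to the guest (it is the same setting virt-manager exposes as the "Read only" checkbox).

```python
import xml.etree.ElementTree as ET

# Constructed libvirt domain XML (placeholder name and path, not from any
# Whonix documentation). The system disk has no <readonly/>, which is the
# writable default a freshly imported VM gets.
WRITABLE_DOMAIN = """
<domain type='kvm'>
  <name>Whonix-Workstation-example</name>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/example-workstation.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='file' device='cdrom'>
      <target dev='sda' bus='sata'/>
      <readonly/>
    </disk>
  </devices>
</domain>
"""


def writable_disks(domain_xml: str) -> list[str]:
    """Return target device names of hard disks that are NOT marked read-only.

    Only <disk device='disk'> entries are considered; cdrom/floppy devices
    are skipped because libvirt already treats them as read-only media.
    """
    root = ET.fromstring(domain_xml)
    found = []
    for disk in root.iter("disk"):
        if disk.get("device") != "disk":
            continue
        target = disk.find("target")
        dev = target.get("dev") if target is not None else "?"
        if disk.find("readonly") is None:
            found.append(dev)
    return found


def make_read_only(domain_xml: str) -> str:
    """Return a copy of the domain XML with <readonly/> added to every hard disk.

    The hypervisor then refuses guest writes to the image, so nothing the
    guest does in live mode can land on the virtual disk; host-side swap and
    hypervisor logs are a separate concern and are not addressed here.
    """
    root = ET.fromstring(domain_xml)
    for disk in root.iter("disk"):
        if disk.get("device") == "disk" and disk.find("readonly") is None:
            ET.SubElement(disk, "readonly")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("writable disks before:", writable_disks(WRITABLE_DOMAIN))
    hardened = make_read_only(WRITABLE_DOMAIN)
    print("writable disks after: ", writable_disks(hardened))
```

In practice you would feed the output of `virsh dumpxml <domain>` into `writable_disks()` to confirm the setting actually took effect, and apply the change with `virsh edit` (or the virt-manager checkbox) rather than pasting the rewritten XML. The check only covers the guest's disk; as the post notes, host swap and hypervisor logs still need to be dealt with on the host side.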
Tails in a VM was always an obvious no-go but I haven’t considered this comparison somehow. Without the extra work of enforcing a read-only disk, a lot of users may trust Whonix for anti-forensics far more than they should.
I’ll make a proposal to clarify this in our recommendations.