Tails:
Tails is great for this; you have nothing to worry about even if you use an SSD drive. Shut it down and it is all gone as soon as the memory decays.
Whonix:
Note that it’s possible to run Whonix in Live mode leaving no traces when you shut down the VMs, consider reading their documentation here
https://www.whonix.org/wiki/VM_Live_Mode [Archive.org] and here
https://www.whonix.org/wiki/Warning#Whonix_.E2.84.A2_Persistence_vs_Live_vs_Amnesic [Archive.org].
MacOS:
Guest OS:
Revert to a previous snapshot on Virtualbox (or any other VM software you are using) and perform a Trim command on your Mac using Disk Utility by executing a first-aid on the Host OS again as explained at the end of the next section.
Host OS:
Most of the info from this section can also be found at this nice guide
https://github.com/drduh/macOS-Security-and-Privacy-Guide [Archive.org]
Quarantine Database (used by Gatekeeper and XProtect):
MacOS (up to and included Big Sur) keeps a Quarantine SQL Database of all the files you ever downloaded from a Browser. This database is located at ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2.
You can query it yourself by running the following command from terminal: sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 "select * from LSQuarantineEvent"
Obviously, this is a goldmine for forensics and you should disable this:
- Run the following command to clear the database completely: :>~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
- Run the following command to lock the file and prevent further download history from being written there: sudo chflags schg ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
Lastly you can also disable Gatekeeper altogether by issuing the following command in terminal:
- sudo spctl --master-disable
Refer to this section of this guide for further information
https://github.com/drduh/macOS-Security-and-Privacy-Guide#gatekeeper-and-xprotect [Archive.org]
In addition to this convenient database, each saved file will also carry detailed file system HFS+/APFS attributes showing for instance when it was downloaded, with what and from where.
You can view these just by opening a terminal and typing mdls filename and xattr -l filename on any downloaded file from any browser.
To remove such attributes, you will have to do it manually from the terminal:
- Run xattr -d com.apple.metadata:kMDItemWhereFroms filename to remove the origin
- You can also just use -dr to do it recursively on a whole folder/disk
- Run xattr -d com.apple.quarantine filename to remove the quarantine reference
- You can also just use -dr to do it recursively on a whole folder/disk
- Verify by running xattr --l filename and there should be no output
(Note that Apple has removed the convenient xattr –c option that would just remove all attributes at once so you will have to do this for each attribute on each file)
These attributes and entries will stick even if you clear your Browser history and this is obviously bad for privacy (right?) and I am not aware of any convenient tool that will deal with those at the moment.
Fortunately, there are some mitigations for avoiding this issue in the first place as these attributes and entries are set by the browsers. So, I tested various browsers (On MacOS Catalina and Big Sur) and here are the results as of the date of this guide:
| Browser | Quarantine DB Entry | Quarantine File Attribute | Origin File Attribute |
|---|
| Safari (Normal) | Yes | Yes | Yes |
| Safari (Private Window) | No | No | No |
| Firefox (Normal) | Yes | Yes | Yes |
| Firefox (Private Window) | No | No | No |
| Chrome (Normal) | Yes | Yes | Yes |
| Chrome (Private Window) | Partial (timestamp only) | No | No |
| Ungoogled-Chromium (Normal) | No | No | No |
| Ungoogled-Chromium (Private Window) | No | No | No |
| Brave (Normal) | Partial (timestamp only) | No | No |
| Brave (Private Window) | Partial (timestamp only) | No | No |
| Brave (Tor Window) | Partial (timestamp only) | No | No |
| Tor Browser | No | No | No |
As you can see for yourself the easiest mitigation is to just use Private Windows. These do not write those origin/quarantine attributes and do not store the entries in the QuarantineEventsV2 database.
Clearing the QuarantineEventsV2 is easy as explained above. Removing the attributes takes some work.
Brave is the only tested browser that will not store those attributes by default in normal operations.
Various Artifacts:
In addition, MacOS keeps various logs of mounted devices, connected devices, known networks, analytics, documents revisions…
See this section of this guide for guidance on where to find and how to delete such artifacts:
https://github.com/drduh/macOS-Security-and-Privacy-Guide#metadata-and-artifacts [Archive.org]
Many of those can be deleted using some various commercial third-party tools but I would personally recommend using the free and well-known Onyx which you can find here:
https://www.titanium-software.fr/en/onyx.html [Archive.org]. Unfortunately, it is closed-source but it is notarized, signed and has been trusted for many years.
Force a Trim operation after cleaning:
- If your file system is APFS, you do not need to worry about Trim, it happens asynchronously as the OS writes data.
- If your file system is HFS+ (or any other than APFS), you could run First Aid on your System Drive from the Disk Utility which should perform a Trim operation in the details (https://support.apple.com/en-us/HT210898 [Archive.org]).
Linux (Qubes OS):
Please consider their guidelines
https://github.com/Qubes-Community/Contents/blob/master/docs/security/security-guidelines.md [Archive.org]
If you are using Whonix on Qubes OS, please consider following some of their guides:
Linux (non-Qubes):
Guest OS:
Revert to a previous snapshot of the Guest VM on Virtualbox (or any other VM software you are using) and perform a trim command on your laptop using fstrim --all. This utility is part of the util-linux package on Debian/Ubuntu and should be installed by default on Fedora. Then switch to the next section.
Host OS:
Normally you should not have traces to clean within the Host OS since you are doing everything from a VM if you follow this guide.
Nevertheless, you might want to clean some logs. Just use this convenient tool:
https://web.archive.org/web/https://github.com/sundowndev/go-covermyass (instructions on the page, to download head to the releases, this repository was recently removed)
After cleaning up, make sure you have the fstrim utility installed (should be by default on Fedora) and part of the util-linux package on Debian/Ubuntu. Then just run fstrim --all on the Host OS. This should be sufficient on SSD drives as explained earlier.
Consider the use of Linux Kernel Guard as an added measure
https://www.whonix.org/wiki/Linux_Kernel_Runtime_Guard_LKRG [Archive.org]
Windows:
Guest OS:
Revert to a previous snapshot on Virtualbox (or any other VM software you are using) and perform a trim command on your Windows using the Optimize as explained in the end of the next section
Host OS:
Now that you had a bunch of activities with your VMs or Host OS, you should take a moment to cover your tracks.
Most of these steps should not be undertaken on the Decoy OS in case of use of plausible deniability. This is because you want to keep decoy/plausible traces of sensible but not secret activities available for your adversary. If everything is clean then you might raise suspicion.
Diagnostic Data and Telemetry:
First let us get rid of any diagnostic data that could still be there:
(Skip this step if you are using Windows 10 AME)
- After each use of your Windows devices, go into Settings, Privacy, Diagnostic & Feedback, and Click Delete.
Then let us re-randomize the MAC addresses of your Virtual Machines and the Bluetooth Address of your Host OS.
- After each shutdown of your Windows VM, change its MAC address for next time by going into Virtualbox > Select the VM > Settings > Network > Advanced > Refresh the MAC address.
- After each use of your Host OS Windows (your VM should not have Bluetooth at all), Go into the Device Manager, Select Bluetooth, Disable Device and Re-Enable device (this will force a randomization of the Bluetooth Address).
Event logs:
Windows Event logs will keep many various pieces of information that could contain traces of your activities such as the devices that were mounted (including Veracrypt NTFS volumes for instance
294), your network connections, app crash information and various errors. It is always best to clean those up regularly. Do not do this on the Decoy OS.
- Start, search for Event Viewer, and launch Event Viewer:
- Go into Windows logs.
- Select and clear all 5 logs using right click.
Veracrypt History:
By default, Veracrypt saves a history of recently mounted volumes and files. You should make sure Veracrypt never saves History. Again, do not do this on the Decoy OS if you are using plausible deniability for the OS. We need to keep the history of mounting the decoy Volume as part of the plausible deniability.
- Launch Veracrypt
- Make sure the “Never saves history” checkbox is checked (this should not be checked on the Decoy OS)
Now you should clean the history within any app that you used including Browser history, Cookies, Saved Passwords, Sessions, and Form History.
Browser History:
- Brave (in case you did not enable cleaning on exit)
- Go into Settings
- Go into Shields
- Go into Clear Browsing Data
- Select Advanced
- Select “All Time”
- Check all the options
- Clear Data
- Tor Browser
- Just close the Browser and everything is cleaned
Wi-Fi History:
Now it is time to clear the history of the Wi-Fi you connect to. Unfortunately, Windows keeps storing a list of past Networks in the registry even if you “forgot” those in the Wi-Fi settings. As far as I know, no utilities clean those yet (BleachBit or PrivaZer for instance) so you will have to do it the manual way:
- Launch Regedit using this tutorial: https://support.microsoft.com/en-us...ndows-10-deab38e6-91d6-e0aa-4b7c-8878d9e07b11 [Archive.org]
- Within Regedit, enter this to the address bar: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
- There you will see a bunch of folders to the right. Each of those folders is a “Key”. Each of those keys will contain information about your current known Wi-Fi or past networks you used. You can explore them one by one and see the description on the right side.
- Delete all those keys.
Shellbags:
As explained earlier, Shellbags are basically histories of accessed volumes/files on your computer. Remember that shellbags are very good sources of information for forensics
287 and you need to clean those. Especially if you mounted any “hidden volume” anywhere. Again, you should not do this on the Decoy OS.
Extra Tools Cleaning:
After cleaning those previous traces, you should also use third party utilities than can be used to clean various traces. These include the traces of the files/folders you deleted.
Please refer to
Appendix H: Windows Cleaning Tools before continuing.
PrivaZer:
Here are the steps for PrivaZer:
- Download and install PrivaZer from https://privazer.com/en/download.php [Archive.org]
- Run PrivaZer after install
- Do not use their Wizard
- Select Advanced User
- Select Scan in Depth and pick your Target
- Select Everything you want to Scan and push Scan
- Select What you want cleaned (skip the shell bag part since you used the other utility for that)
- You should just skip the free space cleaning part if using an SSD and instead just use the native Windows Optimize function (see below) which should be more than enough. I would only use this on an HDD drive.
- (If you did select Free Space cleaning) Select Clean Options and make sure your type of Storage if well detected (HDD vs SSD).
- (If you did select Free Space cleaning) Within Clean Options (Be careful with this option as it will erase all the free space on the selected partition, especially if you are running the decoy OS. Do not erase the free space or anything else on the second partition as you risk destroying your Hidden OS)
- If you have an SSD drive:
- Secure Overwriting Tab: Personally, I would just pick Normal Deletion + Trim (Trim itself should be enough). Secure Deletion with Trim (1 pass) might be redundant and overkill here if you intend to overwrite the free space anyway.
- Free Space Tab: Personally, and again “just to be sure”, I would select Normal Cleanup which will fill the entire free space with Data. I do not really trust Smart Cleanup as it does not actually fill all the free space of the SSD with Data. But again, I think this is probably not needed and overkill in most cases.
- If you have an HDD drive:
- Secure Overwriting Tab: I would just pick Secure Deletion (1 pass).
- Free Space: I would just pick Smart Cleanup as there is no reason to overwrite sectors without data on an HDD drive.
- Select Clean and Pick your flavor:
- Turbo Cleanup will only do normal deletion (on HDD/SSD) and will not clean free space. It is not secure on an HDD nor an SSD.
- Quick Cleanup will do secure deletion (on HDD) and normal deletion + trim (on SSD) but will not clean free space. I think this is secure enough for SSD but not for HDD.
- Normal Cleanup will do secure deletion (on HDD) and normal deletion + trim (on SSD) and will then clean the whole free space (Smart Cleanup on HDD and Full Cleanup on SSD) and should be secure. I think this option is the best for HDD but completely overkill for SSD.
- Click Clean and wait for cleaning to finish. Could take a while and will fill your whole free space with data.
BleachBit:
Here are the steps for BleachBit:
- Get and install the latest version from BleachBit here https://www.bleachbit.org/download [Archive.org]
- Run BleachBit
- Clean at least everything within those sections:
- Deep Scan
- Windows Defender
- Windows Explorer (including Shellbags)
- System
- Select any other traces you want to remove from their list
- Again, as with the previous utility, I would not clean the free space on an SSD drive because I think the Windows native “optimize” utility is enough (see Below) and that filling up the free space on a trim enabled SSD is just completely overkill and unnecessary.
- Click Clean and wait. This will take a while and will fill your whole free space with data on both HDD and SSD drives.
Force a Trim with Windows Optimize (for SSD drives):
With this Native Windows 10 utility, you can just trigger a Trim on your SSD which should be more than enough to securely clean all deleted files that somehow would have escaped Trim when deleting them.
Just open Windows Explorer, Right Click on your System Drive and click Properties. Select Tools. Click Optimize and then Optimize again. You are done. I think that is probably enough in my opinion.
