Re: [tor-talk] Forensics on Tor

On 01/23/2014 09:04 AM, Marcos Eugenio Kehl wrote:

> Hey experts! Reading about Tails and Whonix, I learned that Whonix
> is for virtual machines and Tails doesn't.
> https://www.whonix.org/wiki/Comparison_with_Others

You can run the Tails ISO as a VM. But then there will be traces left on
the host machine, just as with Whonix.

> The questions are:

Many ;)

> 1. What kind of metadata could remain on Windows 8 when running Tails
> and Whonix on virtual machine (VMWare and VirtualBox)? Should I
> inquire the developers?

All sorts of data (not just metadata) will remain from VirtualBox or
VMware running Tails or Whonix. I don't use Windows, but I've seen much
positive feedback about PrivaZer on
<https://www.wilderssecurity.com/showthread.php?p=2253089>.

Even with the best cleaner, I wouldn't run VMs on Windows with any
expectation of privacy. Only a year or so ago, shellbags were not common
knowledge. Only the forensic community and hard-core black hat types
knew about them. It's arguable that many similar features in Windows
remain undocumented.

> If no metadata remains, the fact virtual machine provides us another
> IP and MAC address, would not be safer?

Getting a new public IP address from Tor helps a lot. You also get a new
MAC address for the VMs, and it's easy to permanently change a VM's MAC
address using the VirtualBox/VMware configuration GUI.

You also get a new browser signature. If you use multiple VMs, each can
have its own signature, which prevents association of activity among
them via fingerprinting.

> 2. Should we disable or block by firewall my antivirus when running
> Tails or Whonix on virtual machine?

No.

> 3. No metadata remains on the live dvd-rw when running Tails as main
> boot?

No. If you're using Tails on a USB flash drive, there's an option for
persistent storage.

> 4. No metadata remains when running Tor on Ubuntu? If yes, how can I
> clean it?

Data and metadata remain on Ubuntu by default. Given that Linux distros
are generally open source, it's feasible to identify all such remains,
and to remove them.

Even so, I find it far simpler to just use full disk encryption
(dm-crypt and LUKS) on my VM host machines.

> 5. "The Tor design doesn't try to protect against an attacker who can
> see or measure both traffic going into the Tor network and also
> traffic coming out of the Tor network. That's because if you can see
> both flows, some simple statistics let you decide whether they match
> up. That could also be the case if your ISP (or your local network 
> administrator) and the ISP of the destination server (or the 
> destination server itself) cooperate to attack you. Tor tries to 
> protect against traffic analysis, where an attacker tries to learn 
> whom to investigate, but Tor can't protect against traffic 
> confirmation (also known as end-to-end correlation), where an 
> attacker tries to confirm a hypothesis by monitoring the right
> locations in the network and then doing the math" The sentence above
> means that downloads through Tor are encrypted?

I'm not sure what you're asking. The text that you quote concerns
traffic analysis. But you're asking about encryption. Unless your
connections to Internet sites are end-to-end encrypted, Tor exit relays
can see what you're downloading. But they don't know your ISP-assigned
IP address, and so can't determine who you are (unless you reveal that
by signing in with a traceable account, or whatever).

If by "encrypted" you mean "hidden", Tor does hide paths taken by
downloads, unless your apps aren't properly configured for Tor, and leak
your ISP-assigned IP address through UDP connections, for example.

> If yes, it means that, even if the entry node and the exit node are
> compromised, the attacker can't easily decrypt what I have
> downloaded?

They may see that you downloaded stuff, but they can't decrypt anything
that was protected by end-to-end encryption. You should always use
SSL/TLS (HTTPS etc) connections via Tor, for example. Connecting via Tor
with SSH or VPNs also provides end-to-end encryption. For messages,
always use GnuPG. For chat, use Pidgin with OTR.

> Cheers! Marcos Kehl (Brasil)
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
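The reply above says a VM's MAC address is easy to change permanently. The following is an added example, not code from the thread or from any VM vendor: it generates a MAC that hypervisors and guests will accept (locally-administered bit set, multicast bit clear), validates addresses in the common notations, and formats one for VirtualBox's `VBoxManage modifyvm --macaddress1`, which takes 12 hex digits with no separators. The helper names are my own.

```python
import re
import secrets

# Bits of the first octet (IEEE 802): 0x02 = locally administered,
# 0x01 = multicast. A usable VM NIC address has 0x02 set and 0x01 clear.
LOCALLY_ADMINISTERED = 0x02
MULTICAST = 0x01


def parse_mac(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabbccddeeff'.

    Raises ValueError for anything that is not six hex octets.
    """
    digits = re.sub(r"[:-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def is_locally_administered_unicast(mac: str) -> bool:
    """True if the address is safe to assign to a VM NIC."""
    first = parse_mac(mac)[0]
    return bool(first & LOCALLY_ADMINISTERED) and not (first & MULTICAST)


def random_vm_mac() -> str:
    """Return a random locally-administered unicast MAC, colon-separated."""
    octets = bytearray(secrets.token_bytes(6))
    # Force the two flag bits; the remaining 46 bits stay random.
    octets[0] = (octets[0] | LOCALLY_ADMINISTERED) & ~MULTICAST & 0xFF
    return ":".join(f"{b:02x}" for b in octets)


def virtualbox_format(mac: str) -> str:
    """12 hex digits, no separators, as VBoxManage modifyvm --macaddressN expects."""
    return parse_mac(mac).hex().upper()


if __name__ == "__main__":
    mac = random_vm_mac()
    print(mac, virtualbox_format(mac), is_locally_administered_unicast(mac))
```

A changed MAC only matters on the local link (bridged networking, or to the hypervisor's own NAT/DHCP); it is never seen by Tor relays or the destination site.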