[tor-talk] Forensics on Tor

Marcos Eugenio Kehl marcoskehl at hotmail.com
Thu Jan 30 10:15:09 UTC 2014


Thanks for answering.
You are very professional.
 
> Date: Thu, 23 Jan 2014 16:12:23 -0700
> From: mirimir at riseup.net
> To: tor-talk at lists.torproject.org
> Subject: Re: [tor-talk] Forensics on Tor
> 
> On 01/23/2014 09:04 AM, Marcos Eugenio Kehl wrote:
> 
> > Hey experts! Reading about Tails and Whonix, I learned that Whonix 
> > is for virtual machines and Tails isn't. 
> > https://www.whonix.org/wiki/Comparison_with_Others
> 
> You can run the Tails ISO as a VM. But then there will be traces left on
> the host machine, just as with Whonix.
> 
> > The questions are:
> 
> Many ;)
> 
> > 1. What kind of metadata could remain on Windows 8 when running Tails
> > and Whonix on virtual machine (VMWare and VirtualBox)? Should I
> > inquire the developers?
> 
> All sorts of data (not just metadata) will remain from VirtualBox or
> VMware running Tails or Whonix. I don't use Windows, but I've seen much
> positive feedback about PrivaZer on
> <https://www.wilderssecurity.com/showthread.php?p=2253089>.
> 
> Even with the best cleaner, I wouldn't run VMs on Windows with any
> expectation of privacy. Only a year or so ago, shellbags were not common
> knowledge. Only the forensic community and hard-core black hat types
> knew about them. It's arguable that many similar features in Windows
> remain undocumented.
> 
> > If no metadata remains, given that a virtual machine provides us with
> > another IP and MAC address, wouldn't that be safer?
> 
> Getting a new public IP address from Tor helps a lot. You also get a new
> MAC address for the VMs, and it's easy to permanently change a VM's MAC
> address using the VirtualBox/VMware configuration GUI.
> 
> You also get a new browser signature. If you use multiple VMs, each can
> have its own signature, which prevents association of activity among
> them via fingerprinting.
> 
> > 2. Should we disable or block by firewall my antivirus when running
> > Tails or Whonix on virtual machine? 
> 
> No.
> 
> > 3. No metadata remains on the live dvd-rw when running Tails as main
> > boot?
> 
> No. If you're using Tails on a USB flash drive, there's an option for
> persistent storage.
> 
> > 4. No metadata remains when running Tor on Ubuntu? If yes, how can I
> > clean it?
> 
> Data and metadata remain on Ubuntu by default. Given that Linux distros
> are generally open source, it's feasible to identify all such remains,
> and to remove them.
> 
> Even so, I find it far simpler to just use full disk encryption
> (dm-crypt and LUKS) on my VM host machines.
> 
> > 5. "The Tor design doesn't try to protect against an attacker who can
> > see or measure both traffic going into the Tor network and also
> > traffic coming out of the Tor network. That's because if you can see
> > both flows, some simple statistics let you decide whether they match
> > up. That could also be the case if your ISP (or your local network 
> > administrator) and the ISP of the destination server (or the 
> > destination server itself) cooperate to attack you. Tor tries to 
> > protect against traffic analysis, where an attacker tries to learn 
> > whom to investigate, but Tor can't protect against traffic 
> > confirmation (also known as end-to-end correlation), where an 
> > attacker tries to confirm an hypothesis by monitoring the right 
> > locations in the network and then doing the math" The sentence above 
> > means that downloads through Tor are encrypted?
> 
> I'm not sure what you're asking. The text that you quote concerns
> traffic analysis. But you're asking about encryption. Unless your
> connections to Internet sites are end-to-end encrypted, Tor exit relays
> can see what you're downloading. But they don't know your ISP-assigned
> IP address, and so can't determine who you are (unless you reveal that
> by signing in with a traceable account, or whatever).
> 
> If by "encrypted" you mean "hidden", Tor does hide paths taken by
> downloads, unless your apps aren't properly configured for Tor, and leak
> your ISP-assigned IP address through UDP connections, for example.
> 
> > If yes, it means that, even if the entry node and the exit node are
> > compromised, the attacker can't easily decrypt what I have
> > downloaded?
> 
> They may see that you downloaded stuff, but they can't decrypt anything
> that was protected by end-to-end encryption. You should always use
> SSL/TLS (HTTPS etc) connections via Tor, for example. Connecting via Tor
> with SSH or VPNs also provides end-to-end encryption. For messages,
> always use GnuPG. For chat, use Pidgin with OTR.
> 
> > Cheers! Marcos Kehl (Brasil)
> -- 
> tor-talk mailing list - tor-talk at lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
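The reply above notes that a VM gets its own MAC address and that it is easy to change it permanently in the VirtualBox/VMware GUI. A practical point that follows from that: a hypervisor-generated MAC carries a vendor prefix (OUI) that identifies the hypervisor itself, so a "new" MAC is only an improvement if it does not advertise VirtualBox or VMware. The following is an added example, not code from the thread or from any of the projects mentioned; it checks whether a MAC falls in the well-known VirtualBox (08:00:27) or VMware (00:0c:29, 00:50:56) generated ranges and produces a random unicast, locally administered address that can be pasted into a VM's network settings. The `random_private_mac` helper and its optional `rand` parameter (for reproducible output) are assumptions for this example.

```python
import os
import re
from typing import Optional

# Well-known OUIs that hypervisors assign to generated virtual NIC addresses.
# These prefixes are public IEEE registrations; the mapping here is this
# example's own table, not a list from the thread.
HYPERVISOR_OUIS = {
    "08:00:27": "VirtualBox",
    "00:0c:29": "VMware",
    "00:50:56": "VMware",
}


def normalize_mac(mac: str) -> str:
    """Accept 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff' or 'aa:bb:cc:dd:ee:ff'
    and return the lower-case colon-separated form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def hypervisor_of(mac: str) -> Optional[str]:
    """Return the hypervisor name when the OUI is a known VM-generated
    prefix, otherwise None."""
    return HYPERVISOR_OUIS.get(normalize_mac(mac)[:8])


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means 'locally administered' (not a
    vendor-assigned, globally unique address)."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def is_unicast(mac: str) -> bool:
    """Bit 0 of the first octet clear means unicast; a multicast MAC is
    not valid as an interface address."""
    return not int(normalize_mac(mac)[:2], 16) & 0x01


def random_private_mac(rand: Optional[bytes] = None) -> str:
    """Generate a random unicast, locally administered MAC address.

    `rand` (assumed parameter, 6 bytes) lets a caller supply the entropy
    for reproducible results; otherwise os.urandom is used.
    """
    raw = bytearray(rand if rand is not None else os.urandom(6))
    if len(raw) != 6:
        raise ValueError("need exactly 6 random bytes")
    # Set the locally-administered bit, clear the multicast bit.
    raw[0] = (raw[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in raw)


def mac_report(mac: str) -> dict:
    """Summarise what a given VM MAC reveals and whether it is usable."""
    return {
        "mac": normalize_mac(mac),
        "hypervisor": hypervisor_of(mac),
        "locally_administered": is_locally_administered(mac),
        "unicast": is_unicast(mac),
    }


if __name__ == "__main__":
    # Constructed sample: a default VirtualBox-style address.
    print(mac_report("08:00:27:ab:cd:ef"))
    print("replacement:", random_private_mac())
```

Running the script prints the report for a VirtualBox-prefixed address (hypervisor identified, not locally administered) and a fresh random replacement. Setting the replacement in the VM's adapter configuration, as the reply suggests, is what makes it persist across VM restarts.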