I installed Kicksecure on a laptop with 8GB of RAM, installed VirtualBox and VMs (specifically Whonix Gateway and Workstation) in persistence mode, took a snapshot of the VMs in VirtualBox, and then launched Kicksecure in live boot to launch Whonix. But sometimes I get a notification that says “livecheck: the system’s live status has changed.current status:grub-live-semi-persistence-unsafe”. Are there traces on SSDs? Also, are there any risks in forensic analysis? (Veracrypt, external SSD, HDD, and USB memory are not used.)
Which filesystems are writeable? To find out, you can left click on the live check icon. It’s the green icon which turns red if writeable filesystems are detected.
Or you could run:
/usr/libexec/helper-scripts/get_writable_fs_lists.sh
That would output all writeable filesystems in the terminal. That’s the same tool that the livecheck systray uses internally.
Development comment:
We might want to move that file to /usr/bin and rename it to make it more easily accessible.
I didn’t see anything in the terminal after running that command. Also, the green icon is not red, and it says "LiveMode Active:yes Persistent Mode Active:no No Changes will be made to disk." I also ran “sudo journalctl --list-boots”, but there was no record of the time I livebooted. Probably safe?
Probably. What I mean by that: if that script shows no writable filesystems and mount shows no unexpected writeable filesystems (except overlay), then it’s as safe as it can reasonably get. → Security Considerations
That still begs the question why this happens:
To find that out, we probably need to add debug output to livecheck and log it to journalctl --user in a future version.
Was implemented. Will be installed by default after version 18.1.1.9 (or above) becomes available.
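The mount check mentioned in the thread ("if mount shows no unexpected writeable filesystems (except overlay)") can be scripted. The following is an added example, not part of the thread and not Kicksecure's get_writable_fs_lists.sh; the function names, the rule that only read-write mounts with a /dev/ source count as unexpected, and the sample mount table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Kicksecure code): flag mounts that are read-write AND
# backed by a block device, since only those can leave traces on the SSD.
# Assumption: overlay, tmpfs and kernel pseudo filesystems are expected to be
# writable in live mode because their writes stay in RAM.

# list_rw_disk_mounts: reads a mount table in /proc/mounts format on stdin and
# prints "source mountpoint fstype" for every suspicious mount.
list_rw_disk_mounts() {
    while read -r src target fstype opts _rest; do
        # Skip anything whose source is not a device node under /dev/.
        case "$src" in
            /dev/*) ;;
            *) continue ;;
        esac
        # Options are comma separated; match "rw" as a whole option so that
        # values such as errors=remount-ro are not misread.
        case ",$opts," in
            *,rw,*) printf '%s %s %s\n' "$src" "$target" "$fstype" ;;
        esac
    done
}

# Constructed sample mount table (hypothetical devices and paths).
sample_mounts() {
    cat <<'EOF'
overlay / overlay rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
/dev/sda1 /boot ext4 ro,relatime,errors=remount-ro 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
EOF
}

# Demo on the constructed sample; on a real system use:
#   list_rw_disk_mounts < /proc/mounts
sample_mounts | list_rw_disk_mounts
```

Empty output means no block device is mounted read-write; any printed line names a filesystem that can persist data to disk.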