In KVM the Live Mode + read-only gave a broom. Without read-only it was a green circle.
VirtualBox do not have read-only. I need to set Immutable. Some sort of snapshot. I do not get the broom when I do that. Because it is not read-only? I read that immutable have to be enabled only when the VM is offline. Do immutable make more traces on the disk than read-only? Immutable will make a snapshot.The Whonix/Kicksecure wiki say that using a snapshot leave less traces than read-only mode is this true for Virtualbox too?
Green circle = the system is running in a state where theoretically no changes made are saved to disk, ever. They are all saved to an in-RAM overlay. However, it is still possible for malware to mount a disk read-write and persist data.
Broom icon = same as green circle, but all disks on the system are “physically” read-only and cannot be mounted read-write, even by malware.
VirtualBox immutable mode = changes are saved to disk, but the virtual disk those changes are saved to is deleted on shutdown. This is bad from an anti-forensics standpoint, as traces of what you did before shutting down may be left on your physical disk even if they are invisible to the VM after a reboot.
Is it possible to get the broom on Virtualbox without using the ISO? This part is unclear. VirtualBox immutable mode + live mode give me the green circle
I see this link is added to the forum. I try to be as clear as possible for others.
I have a question about the steps here Read-Only: Setting Hard Drives to Read-Only 1. Select the disk to write-protect and release it. 2. Then on Type → set it to Immutable.
I did this together with live mode. It gives the green circle. I’m confused because at the end of the guide it says “The process of enabling read-only mode has been completed.” Do read-only mode here also mean a read-only disk that gives the broom?
lsblk shows RO = 0. Read-only is off. This give the green circle and not the broom
Am I right with the modes below?
Immutable mode + live mode = green circle
Immutable mode + write protection like chattr + live mode = green circle but probably working as good as broom
immutable mode + read-only disk + live mode = broom
I need to find a way outside Virtualbox to set the disk as read-only to get the broom?
Hmm, curious. If those instructions don’t work, the wiki should probably be updated. In that event I don’t know if this is possible with VirtualBox.
Yes, it appears so.
No, file and directory attributes can be trivially removed. Additionally, chattr +i’ing most or all files on the filesystem will probably break things horribly even in live mode.
Yes. You could remove “immutable mode” from the equation and still get the broom, if I’m understanding correctly, since it looks like “immutable mode” and “read only” are different things.