Guide to Online Anonymity (by https://anonymousplanet.org/)

Use at your own risk. Please do not take this guide as a definitive truth for everything because it is not.
  • Introduction:
  • Understanding some basics of how some information can lead back to you and how to mitigate some:
    • Your Network:
      • Your IP address:
      • Your DNS and IP requests:
      • Your RFID enabled devices:
      • The Wi-Fis and Bluetooth devices around you:
      • Malicious/Rogue Wi-Fi Access Points:
      • Your Anonymized Tor/VPN traffic:
      • Some Devices can be tracked even when offline:
    • Your Hardware Identifiers:
      • Your IMEI and IMSI (and by extension, your phone number):
      • Your Wi-Fi or Ethernet MAC address:
      • Your Bluetooth MAC address:
    • Your CPU:
    • Your Operating Systems and Apps telemetry services:
    • Your Smart devices in general:
    • Yourself:
      • Your Metadata including your Geo-Location:
      • Your Digital Fingerprint, Footprint, and Online Behavior:
      • Your Clues about your Real Life and OSINT:
      • Your Face, Voice, Biometrics and Pictures:
      • Phishing and Social Engineering:
    • Malware, exploits, and viruses:
      • Malware in your files/documents/e-mails:
      • Malware and Exploits in your apps and services:
      • Malicious USB devices:
      • Malware and backdoors in your Hardware Firmware and Operating System:
    • Your files, documents, pictures, and videos:
      • Properties and Metadata:
      • Watermarking:
      • Pixelized or Blurred Information:
    • Your Crypto currencies transactions:
    • Your Cloud backups/sync services:
    • Your Browser and Device Fingerprints:
    • Local Data Leaks and Forensics:
    • Bad Cryptography:
    • No logging but logging anyway policies:
    • Some Advanced targeted techniques:
    • Some bonus resources:
    • Notes:
  • General Preparations:
    • Picking your route:
      • Timing limitations:
      • Budget/Material limitations:
      • Skills:
      • Adversaries (threats):
    • Steps for all routes:
      • Get an anonymous Phone number:
      • Get a USB key:
      • Find some safe places with decent public Wi-Fi:
    • The TAILS route:
      • Persistent Plausible Deniability using Whonix within TAILS:
    • Steps for all other routes:
      • Get a dedicated laptop for your sensitive activities:
      • Some laptop recommendations:
      • Bios/UEFI/Firmware Settings of your laptop:
      • Physically Tamper protect your laptop:
    • The Whonix route:
      • Picking your Host OS (the OS installed on your laptop):
      • Linux Host OS:
      • MacOS Host OS:
      • Windows Host OS:
      • Virtualbox on your Host OS:
      • Pick your connectivity method:
      • Get an anonymous VPN/Proxy:
      • Whonix:
      • Tor over VPN:
      • Whonix Virtual Machines:
      • Pick your guest workstation Virtual Machine:
      • Linux Virtual Machine (Whonix or Linux):
      • Windows 10 Virtual Machine:
      • Android Virtual Machine:
      • MacOS Virtual Machine:
      • KeepassXC:
      • VPN client installation (cash/Monero paid):
      • (Optional) allowing only the VMs to access the internet while cutting off the Host OS to prevent any leak:
      • Final step:
    • The Qubes Route:
      • Pick your connectivity method:
      • Get an anonymous VPN/Proxy:
      • Installation:
      • Lid Closure Behavior:
      • Connect to a Public Wi-Fi:
      • Update Qubes OS:
      • Hardening Qubes OS:
      • Setup the VPN ProxyVM:
      • Setup a safe Browser within Qube OS (optional but recommended):
      • Setup an Android VM:
      • KeePassXC:
  • Creating your anonymous online identities:
    • Understanding the methods used to prevent anonymity and verify identity:
      • Captchas:
      • Phone verification:
      • E-Mail verification:
      • User details checking:
      • Proof of ID verification:
      • IP Filters:
      • Browser and Device Fingerprinting:
      • Human interaction:
      • User Moderation:
      • Behavioral Analysis:
      • Financial transactions:
      • Sign-in with some platform:
      • Live Face recognition and biometrics (again):
      • Manual reviews:
    • Getting Online:
      • Creating new identities:
      • The Real-Name System:
      • About paid services:
      • Overview:
      • How to share files or chat anonymously:
      • Redacting Documents/Pictures/Videos/Audio safely:
      • Communicating sensitive information to various known organizations:
      • Maintenance tasks:
  • Backing-up your work securely:
    • Offline Backups:
      • Selected Files Backups:
      • Full Disk/System Backups:
    • Online Backups:
      • Files:
      • Information:
    • Synchronizing your files between devices Online:
  • Covering your tracks:
    • Understanding HDD vs SSD:
      • Wear-Leveling.
      • Trim Operations:
      • Garbage Collection:
      • Conclusion:
    • How to securely wipe your whole Laptop/Drives if you want to erase everything:
      • Linux (all versions including Qubes OS):
      • Windows:
      • MacOS:
    • How to securely delete specific files/folders/data on your HDD/SSD and Thumb drives:
      • Windows:
      • Linux (non Qubes OS):
      • Linux (Qubes OS):
      • MacOS:
    • Some additional measures against forensics:
      • Removing Metadata from Files/Documents/Pictures:
      • TAILS:
      • Whonix:
      • MacOS:
      • Linux (Qubes OS):
      • Linux (non-Qubes):
      • Windows:
    • Removing some traces of your identities on search engines and various platforms:
      • Google:
      • Bing:
      • DuckDuckGo:
      • Yandex:
      • Qwant:
      • Yahoo Search:
      • Baidu:
      • Wikipedia:
      • Archive.today:
      • Internet Archive:
  • Some low-tech old-school tricks:
    • Hidden communications in plain sight:
    • How to spot if someone has been searching your stuff:
  • Some last OPSEC thoughts:
  • If you think you got burned:
    • If you have some time:
    • If you have no time:
  • A small final editorial note
 
Last edited by a moderator:

HEISENBERG

Administrator
ADMIN
Joined
Jun 24, 2021
Messages
1,658
Solutions
2
Reaction score
1,789
Points
113
Deals
666

Linux (all versions including Qubes OS):​


System/Internal SSD:​


  • Option A: Check if your BIOS/UEFI has a built-in option to do so and if it does, use the correct option (“ATA/NVMe Secure Erase” or “ATA/NVMe Sanitize”). Do not use wipe with passes on an SSD drive.
  • Option B: See Appendix D: Using System Rescue to securely wipe an SSD drive.
  • Option C: Wipe your disk and re-install Linux with a new full disk encryption to overwrite all sectors with new encrypted data. This method will be very slow compared to Option A and B as it will slowly overwrite your whole SSD. Also note that this might not be the default behavior when using LUKS. You might have to check the option to also encrypt the empty space for this effectively wipe the drive.

Keep in mind all these options need to be applied on the entire physical drive and not on a specific partition/volume. If you do not, wear-leveling mechanisms might prevent this from working properly.


External SSD:​


First please see Appendix K: Considerations for using external SSD drives


Trim should be sufficient in most cases and you could just use the blkdiscard command to force an entire device trim as explained here: https://wiki.archlinux.org/index.php/Solid_state_drive#Trim_an_entire_device [Archive.org]


If your USB controller and USB SSD disk supports Trim and ATA/NVMe secure erase, you could wipe them cautiously using hdparm using the same method as the System Disk above except you will not install Linux on it obviously. Keep in mind tho that this is not recommended (see Considerations above).


If it does not support Trim and/or ATA secure erase, you could (not securely) wipe the drive normally (without passes like an HDD) and re-encrypt it completely using your utility of choice (LUKS or Veracrypt for instance). The full disk decryption and re-encryption process will overwrite the entirety of the SSD disk and should ensure a secure wipe.


Alternatively, you could also (not securely) wipe the disk normally and then fill it completely with pseudorandom data which should also ensure secure deletion (this can be done with BleachBit https://www.bleachbit.org/download/linux [Archive.org] or from the command line using secure-delete using this tutorial https://superuser.com/questions/19326/how-to-wipe-free-disk-space-in-linux [Archive.org]).


Keep in mind all these options need to be applied on the entire physical drive and not on a specific partition/volume. If you do not, wear-leveling mechanisms might prevent this from working properly.


Internal/System HDD:​


  • Option A: Check if your BIOS/UEFI has a built-in option and use them and if it does, use the correct option (Wipe + Passes in the case of an HDD).
  • Option B: See Appendix I: Using ShredOS to securely wipe an HDD drive
  • Option C: Wipe your disk and re-install Linux with a new full disk encryption to overwrite all sectors with new encrypted data. This method will be very slow compared to Option A and B as it will slowly overwrite your whole HDD.

External/Secondary HDD and Thumb Drives:​



I recommend using dd or shred for this purpose.


 

HEISENBERG

Administrator
ADMIN
Joined
Jun 24, 2021
Messages
1,658
Solutions
2
Reaction score
1,789
Points
113
Deals
666

Windows:​


Unfortunately, you will not be able to wipe your Host OS using the Microsoft built-in tools within the settings. This is because your bootloader was modified with Veracrypt and will make the operation fail. In addition, this method would not be effective with an SSD drive.


System/Internal SSD:​


  • Option A: Check if your BIOS/UEFI has a built-in option to do so and if it does, use the correct option (“ATA/NVMe Secure Erase” or “ATA/NVMe Sanitize”). Do not use wipe with passes on an SSD drive.
  • Option B: Check Appendix J: Manufacturer tools for Wiping HDD and SSD drives.
  • Option C: See Appendix D: Using System Rescue to securely wipe an SSD drive.
  • Option D: Wipe your disk and re-install Windows before performing a new full disk encryption (using Veracrypt or Bitlocker) to overwrite all sectors with new encrypted data. This method will be slower compared to Option A and B as it will overwrite your whole SSD.

Keep in mind all these options need to be applied on the entire physical drive and not on a specific partition/volume. If you do not, wear-leveling mechanisms might prevent this from working properly.


External SSD:​


First please see Appendix K: Considerations for using external SSD drives


Use the manufacturer provided tools if possible. Those tools should provide support for safe secure erase or sanitize over USB and are available for most brands: See Appendix J: Manufacturer tools for Wiping HDD and SSD drives.


If you are not sure about the Trim support on your USB disk, (not securely) wipe it normally (simple quick format will do) and then encrypt the disk again using Veracrypt or alternatively Bitlocker. The full disk decryption and re-encryption process will overwrite the entirety of the SSD disk and should ensure a secure wipe.


Alternatively, you could also (not securely) wipe the disk normally and then fill it completely with pseudorandom data which should also ensure secure deletion (this can be done with BleachBit or PrivaZer free space erase options). See Extra Tools Cleaning.


Keep in mind all these options need to be applied on the entire physical drive and not on a specific partition/volume. If you do not, wear-leveling mechanisms might prevent this from working properly.


Internal/System HDD:​



External/Secondary HDD and Thumb Drives:​


 

HEISENBERG

Administrator
ADMIN
Joined
Jun 24, 2021
Messages
1,658
Solutions
2
Reaction score
1,789
Points
113
Deals
666

MacOS:​


System/Internal SSD:​


Unfortunately, the MacOS Recovery disk utility will not be able to perform a secure erase of your SSD drive as stated in Apple documentation https://support.apple.com/en-gb/guide/disk-utility/dskutl14079/mac [Archive.org].


In most cases, if your disk was encrypted with Filevault and you just perform a normal erase, it should be “enough” according to them. It is not according to me so you have no option besides re-installing MacOS again and re-encrypt it with Filevault again after re-installing. This should perform a “crypto erase” by overwriting your previous install and encryption. This method will be quite slow unfortunately.


If you want to do a faster secure erase (or have no time to perform a re-install and re-encryption), you can try using the method described in Appendix D: Using System Rescue to securely wipe an SSD drive.(This will not work on M1 Macs). Be careful tho as this will also erase your recovery partition which is needed to reinstall MacOS.


External SSD:​


First please see Appendix K: Considerations for using external SSD drives


If your USB controller and USB SSD disk supports Trim and ATA secure erase, and if Trim is enabled on the disk by MacOS, you can just wipe the whole disk normally and data should not be recoverable on recent disks.


If you are not sure about Trim support or want more certainty, you can (not securely) wipe it using MacOS disk utility before fully re-encrypting them again using these two tutorials from Apple:



The full disk re-encryption process will overwrite the entirety of the SSD disk and should ensure a secure wipe.


Keep in mind all these options need to be applied on the entire physical drive and not on a specific partition/volume. If you do not, wear-leveling mechanisms might prevent this from working properly.


External HDD and Thumb Drives:​


Follow this tutorial: https://support.apple.com/guide/disk-utility/erase-and-reformat-a-storage-device-dskutl14079/mac [Archive.org] and use the secure erase option from Disk Utility which should work fine on HDD and Thumb drives.
 

HEISENBERG

Administrator
ADMIN
Joined
Jun 24, 2021
Messages
1,658
Solutions
2
Reaction score
1,789
Points
113
Deals
666

How to securely delete specific files/folders/data on your HDD/SSD and Thumb drives:​


The same principles from the previous chapters apply to this one. The same issues arise too.


With an HDD drive, you can securely delete files by just deleting it and then apply one of more “passes” to overwrite the data in question. This can be done with many utilities on all OSes.


With an SSD drive however, again everything becomes a bit complicated because you are never sure anything is really deleted due to wear leveling, reliance on the Trim operation and garbage collection of the drive. An adversary that has the decryption key of your SSD (whether it is LUKS, Filevault 2, Veracrypt or Bitlocker) could unlock your drive and then attempt recovery using classic recovery utilities and could succeed if the data was not trimmed properly. But this is again highly unlikely.


Since the Trim operation is not continuous on most recent hard drive but scheduled, simply forcing a Trim operation should be enough. But again, the only way to be 100% sure a file is securely deleted from your unlocked encrypted SSD is to again overwrite all the free space after deletion of the files in question or to decrypt/re-encrypt the drive. But I think this is overkill and not necessary. A simple disk wide Trim should be sufficient.


Remember tho that no matter the deletion method you use for any file on any medium (HDD drive, SSD, USB Thumb drive). It will probably leave other traces (logs, indexing, shellbags …) within your system and those traces will also need to be cleaned. Also remember that your drives should be fully encrypted and so this is most likely an extra measure. More on that later in the Some additional measures against forensics section.
 

HEISENBERG

Administrator
ADMIN
Joined
Jun 24, 2021
Messages
1,658
Solutions
2
Reaction score
1,789
Points
113
Deals
666

Windows:​


Remember you cannot use Trim at all if you are using Plausible Deniability on an SSD drive against all recommendations.


System/Internal SSD drive:​


At this stage, and just delete the file permanently (empty the recycle bin) and trim/garbage collection will do the rest. This should be sufficient.


If you do not want to wait for the periodic Trim (set to Weekly by default in Windows 10), you could also force a disk wide Trim using the Windows native Optimize tool (see Appendix H: Windows Cleaning Tools).


If data was deleted by some utility (for instance by Virtualbox when reverting a snapshot), you could also issue a disk wide Trim to clean anything remaining using the same Optimize tool.


Just open Windows Explorer, Right Click on your System Drive and click Properties. Select Tools. Click Optimize and then Optimize again to force a Trim. You are done. I think that is probably enough in my opinion.

2021 08 05 11 04

If you want more security and do not trust the Trim operation then you will have no option but to either:


  • Decrypt and re-encrypt (using Veracrypt or Bitlocker) the whole drive to overwrite all free space after data deletion. This will ensure overwriting of all the free space.
  • Trim and then fill up the entire free space of the disk using a utility such as BleachBit or PrivaZer.

Keep in mind all these options need to be applied on the entire physical drive and not on a specific partition/volume. If you do not, wear-leveling mechanisms might prevent this from working properly.


Internal/External HDD or a USB Thumb Drive:​


Please refer to Appendix H: Windows Cleaning Tools and pick a utility before proceeding.


The process is very simple depending on the tool you picked from the Appendix:



In the case of USB thumb drives, consider wiping free space using one of the above utilities after file deletion or wiping them completely using Eraser / KillDisk as instructed previously.


External SSD drive:​


First please see Appendix K: Considerations for using external SSD drives


If Trim is supported and enabled by Windows for your external SSD drive. There should be no issue in securely deleting data normally just with normal delete commands. Additionally, you could also force a Trim using the Windows native Optimize tool (see Appendix H: Windows Cleaning Tools):


Just open Windows Explorer, Right Click on your System Drive and click Properties. Select Tools. Click Optimize and then Optimize again to force a Trim. You are done. I think that is probably enough in my opinion.


If Trim is not supported or you are not sure, you might have to ensure secure data deletion by:


  • Filling up all the free space after any deletion (using BleachBit or PrivaZer for instance).
  • Decrypt and Re-encrypt the disk with a different key after each deletion (using Veracrypt or Bitlocker).

Keep in mind all these options need to be applied on the entire physical drive and not on a specific partition/volume. If you do not, wear-leveling mechanisms might prevent this from working properly.
 

HEISENBERG

Administrator
ADMIN
Joined
Jun 24, 2021
Messages
1,658
Solutions
2
Reaction score
1,789
Points
113
Deals
666

Linux (non Qubes OS):​


System/Internal SSD drive:​


Just permanently delete the file (and empty recycle bin) and it should be unrecoverable due to Trim operations and garbage collection.


If you do not want to wait for the periodic Trim (set to Weekly by default in Ubuntu), you could also force a disk wide Trim by running fstrim --all from a terminal. This will issue an immediate trim and should ensure sufficient security. This utility is part of the util-linux package on Debian/Ubuntu and should be installed by default on Fedora.


If you want more security and do not trust the Trim operation then you will have no option but to either:



Keep in mind all these options need to be applied on the entire physical drive and not on a specific partition/volume. If you do not, wear-leveling mechanisms might prevent this from working properly.


Internal/External HDD drive or a Thumb Drive:​



External SSD drive:​


First please see Appendix K: Considerations for using external SSD drives


If Trim is supported and enabled by your Linux Distribution for your external SSD drive. There should be no issue in securely deleting data normally and just issue an fstrim --all from terminal to trim the drive. This utility is part of the “util-linux” package on Debian/Ubuntu and should be installed by default on Fedora.


If Trim is not supported or you want to be sure, you might have to ensure secure data deletion by filling up the entire free space of the disk using a utility such as:



Keep in mind all these options need to be applied on the entire physical drive and not on a specific partition/volume. If you do not, wear-leveling mechanisms might prevent this from working properly.
 

HEISENBERG

Administrator
ADMIN
Joined
Jun 24, 2021
Messages
1,658
Solutions
2
Reaction score
1,789
Points
113
Deals
666

Linux (Qubes OS):​


System/Internal SSD drive:​


As with other Linux distros, normal deletion and trim should be sufficient on most SSD drives. So just permanently delete the file (and empty any recycle bin) and it should be unrecoverable due to periodic Trim operations and garbage collection.


Please follow this documentation to Trim within Qubes OS: https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/disk-trim.md [Archive.org]


As with other Linux Systems, if you want more security and do not trust the Trim operation then you will have no option but to either:



Keep in mind all these options need to be applied on the entire physical drive and not on a specific partition/volume. If you do not, wear-leveling mechanisms might prevent this from working properly.


Internal/External HDD drive or a Thumb Drive:​


Use the same method as Linux from a Qubes connected to that specific USB device



External SSD drive:​


First please see Appendix K: Considerations for using external SSD drives


If Trim is supported and enabled by your Linux Distribution for your external SSD drive. There should be no issue in securely deleting data normally and just issue an “fstrim –all” from terminal to trim the drive. Refer to this Documentation(https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/disk-trim.md [Archive.org]) to enable trim on a drive.


If Trim is not supported or you want to be sure, you might have to ensure secure data deletion by filling up the entire free space of the disk using a utility from a Qubes connected to the USB device in question:



Repeat these steps on any other partition if there are separate partitions on the same SSD drive before deleting the files.


  • sync ; sleep 60 ; sync
  • rm zero.small.file
  • rm zero.file

Repeat these steps on any other partition if there are separate partitions on the same SSD drive.


Keep in mind all these options need to be applied on the entire physical drive and not on a specific partition/volume. If you do not, wear-leveling mechanisms might prevent this from working properly.
 

HEISENBERG

Administrator
ADMIN
Joined
Jun 24, 2021
Messages
1,658
Solutions
2
Reaction score
1,789
Points
113
Deals
666


System/Internal SSD drive:​


Just permanently delete the file (and empty recycle bin) and it should be unrecoverable due to trim operations and garbage collection.


  • If your file system is APFS, you do not need to worry about Trim, it apparently happens asynchronously as the OS writes data according to their own documentation.

“Does Apple File System support TRIM operations?


Yes. TRIM operations are issued asynchronously from when files are deleted or free space is reclaimed, which ensures that these operations are performed only after metadata changes are persisted to stable storage”.


2021 08 05 11 06


System/Internal, External HDD drive or a Thumb Drive:​


Unfortunately, Apple has removed the secure erase options from the trash bin even for HDD drives. So, you are left with using other tools:



In the case of USB thumb drives, consider wiping them completely using Disk Utility as instructed previously.


External SSD drive:​


First please see Appendix K: Considerations for using external SSD drives


If Trim is supported and enabled by MacOS for your external SSD drive. There should be no issue in securely deleting data.


If Trim is not supported, you might have to ensure secure data deletion by:


  • Filling up all the free space after any deletion using the Linux Method above (dd).
  • Decrypt and Re-encrypt the disk with a different key after each deletion (using Disk Utility or Veracrypt).
 

HEISENBERG

Administrator
ADMIN
Joined
Jun 24, 2021
Messages
1,658
Solutions
2
Reaction score
1,789
Points
113
Deals
666

Some additional measures against forensics:​


Note that the same SSD issue discussed in the previous section will arise here. You can never really be absolutely 100% sure your SSD data is deleted when you ask it to do so unless you wipe the whole drive using specific methods above.


I am not aware of any 100% reliable method to delete single files selectively and securely on SSD drives unless overwriting ALL the free space (which might reduce the lifespan of your SSD) after Deletion + Trim of these files. Without doing that, you will have to trust the SSD Trim operation which in my opinion is enough. It is reasonable and again very unlikely that forensics will be able to restore your files after a Deletion with Trim.


In addition, most of these measures here should not be needed since your whole drive should be encrypted and therefore your data should not be accessible for forensic analysis through SSD/HDD examination anyway. So, these are just “bonus measures” for weak/unskilled adversaries.


Consider also reading this documentation if you’re going with Whonix https://www.whonix.org/wiki/Anti-Forensics_Precautions [Archive.org] as well as their general hardening tutorial for all platforms here https://www.whonix.org/wiki/System_Hardening_Checklist [Archive.org]
 

HEISENBERG

Administrator
ADMIN
Joined
Jun 24, 2021
Messages
1,658
Solutions
2
Reaction score
1,789
Points
113
Deals
666

Removing Metadata from Files/Documents/Pictures:​

Pictures and videos:​

On Windows, MacOS and Linux I would recommend ExifTool(https://exiftool.org/ [Archive.org]) and/or ExifCleaner(https://exifcleaner.com/ [Archive.org]) that allows viewing and/or removing those properties.

ExifTool is natively available on Tails and Whonix Workstation.

ExifCleaner:​

Just install it from https://exifcleaner.com/ [Archive.org], run and drag and drop the files into the GUI.

ExifTool:​

It is actually simple, jut install exiftool and run:

  • To display metadata: exiftool filename.jpg
  • To remove all metadata: exiftool -All= filename.jpg
Remember that ExifTool is natively available on Tails and Whonix Workstation.

Windows Native tool:​

Here is a tutorial to remove metadata from a Picture using OS provided tools: https://www.purevpn.com/internet-privacy/how-to-remove-metadata-from-photos [Archive.org]

Cloaking/Obfuscating to prevent picture recognition:​

Consider the use of Fawkes https://sandlab.cs.uchicago.edu/fawkes/ [Archive.org](https://github.com/Shawn-Shan/fawkes [Archive.org]) to cloak the images from picture recognition tech on various platforms.

Or if you want on-line versions, consider:

PDF Documents:​

PDFParanoia (Linux/Windows/MacOS/QubesOS):​

Consider using https://github.com/kanzure/pdfparanoia [Archive.org] which will remove metadata and watermarks on any PDF.

ExifCleaner (Linux/Windows/MacOS/QubesOS):​

Just install it from https://exifcleaner.com/ [Archive.org], run and drag and drop the files into the GUI.

ExifTool (Linux/Windows/MacOS/QubesOS):​

It is actually simple, jut install exiftool and run:

  • To display metadata: exiftool filename.pdf
  • To remove all metadata: exiftool -All= filename.pdf

MS Office Documents:​

First, here is a tutorial to remove metadata from Office documents: https://support.microsoft.com/en-us...orkbooks-356b7b5d-77af-44fe-a07f-9aa4d085966f [Archive.org]. Make sure however that you do use the latest version of Office with the latest security updates.

Alternatively, on Windows, MacOS, Qubes OS, and Linux I would recommend ExifTool(https://exiftool.org/ [Archive.org]) and/or ExifCleaner(https://exifcleaner.com/ [Archive.org]) that allows viewing and/or removing those properties

ExifCleaner:​

Just install it from https://exifcleaner.com/ [Archive.org], run and drag and drop the files into the GUI.

ExifTool:​

It is actually simple, jut install exiftool and run:

  • To display metadata: exiftool filename.docx
  • To remove all metadata: exiftool -All= filename.docx

LibreOffice Documents:​

Go to Tools > Options > Security and Check:

  • All the warnings
  • Remove Personal information on saving
Alternatively, on Windows, MacOS, Qubes OS, and Linux I would recommend ExifTool(https://exiftool.org/ [Archive.org]) and/or ExifCleaner(https://exifcleaner.com/ [Archive.org]) that allows viewing and/or removing those properties

ExifCleaner:​

Just install it from https://exifcleaner.com/ [Archive.org], run and drag and drop the files into the GUI.

ExifTool:​

It is actually simple, jut install exiftool and run:

  • To display metadata: exiftool filename.odt
  • To remove all metadata: exiftool -All= filename.odt

All-in-one Tool:​

Another option good tool IMHO to remove metadata from various documents is the open-source mat2 recommended by privacytools.io(https://0xacab.org/jvoisin/mat2 [Archive.org]) which you can use on Linux quite easily. I never managed to make it work properly within Windows due various dependencies issues despite the provided instructions. It is however very straightforward to install and use on Linux.

So, I would suggest creating a small Debian VM within Virtualbox (behind your Whonix Gateway) which you can then use from your other VMs to analyze various files from a convenient web interface. For this see Appendix L: Creating a mat2-web guest VM for removing metadata from files

2021 08 05 11 08

Mat2 is also pre-installed on the Whonix Workstation VM and available on Tails by default.
 

HEISENBERG

Administrator
ADMIN
Joined
Jun 24, 2021
Messages
1,658
Solutions
2
Reaction score
1,789
Points
113
Deals
666

Tails:​


Tails is great for this; you have nothing to worry about even if you use an SSD drive. Shut it down and it is all gone as soon as the memory decays.


Whonix:​


Note that it’s possible to run Whonix in Live mode leaving no traces when you shut down the VMs, consider reading their documentation here https://www.whonix.org/wiki/VM_Live_Mode [Archive.org] and here https://www.whonix.org/wiki/Warning#Whonix_.E2.84.A2_Persistence_vs_Live_vs_Amnesic [Archive.org].


MacOS:​


Guest OS:​


Revert to a previous snapshot on Virtualbox (or any other VM software you are using) and perform a Trim command on your Mac using Disk Utility by executing a first-aid on the Host OS again as explained at the end of the next section.


Host OS:​


Most of the info from this section can also be found at this nice guide https://github.com/drduh/macOS-Security-and-Privacy-Guide [Archive.org]


Quarantine Database (used by Gatekeeper and XProtect):​


MacOS (up to and included Big Sur) keeps a Quarantine SQL Database of all the files you ever downloaded from a Browser. This database is located at ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2.


You can query it yourself by running the following command from terminal: sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 "select * from LSQuarantineEvent"


Obviously, this is a goldmine for forensics and you should disable this:


  • Run the following command to clear the database completely: :>~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
  • Run the following command to lock the file and prevent further download history from being written there: sudo chflags schg ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

Lastly you can also disable Gatekeeper altogether by issuing the following command in terminal:


  • sudo spctl --master-disable

Refer to this section of this guide for further information https://github.com/drduh/macOS-Security-and-Privacy-Guide#gatekeeper-and-xprotect [Archive.org]


In addition to this convenient database, each saved file will also carry detailed file system HFS+/APFS attributes showing for instance when it was downloaded, with what and from where.


You can view these just by opening a terminal and typing mdls filename and xattr -l filename on any downloaded file from any browser.


To remove such attributes, you will have to do it manually from the terminal:


  • Run xattr -d com.apple.metadata:kMDItemWhereFroms filename to remove the origin
    • You can also just use -dr to do it recursively on a whole folder/disk
  • Run xattr -d com.apple.quarantine filename to remove the quarantine reference
    • You can also just use -dr to do it recursively on a whole folder/disk
  • Verify by running xattr --l filename and there should be no output

(Note that Apple has removed the convenient xattr –c option that would just remove all attributes at once so you will have to do this for each attribute on each file)


These attributes and entries will stick even if you clear your Browser history and this is obviously bad for privacy (right?) and I am not aware of any convenient tool that will deal with those at the moment.


Fortunately, there are some mitigations for avoiding this issue in the first place as these attributes and entries are set by the browsers. So, I tested various browsers (On MacOS Catalina and Big Sur) and here are the results as of the date of this guide:



BrowserQuarantine DB EntryQuarantine File AttributeOrigin File Attribute
Safari (Normal)YesYesYes
Safari (Private Window)NoNoNo
Firefox (Normal)YesYesYes
Firefox (Private Window)NoNoNo
Chrome (Normal)YesYesYes
Chrome (Private Window)Partial (timestamp only)NoNo
Ungoogled-Chromium (Normal)NoNoNo
Ungoogled-Chromium (Private Window)NoNoNo
Brave (Normal)Partial (timestamp only)NoNo
Brave (Private Window)Partial (timestamp only)NoNo
Brave (Tor Window)Partial (timestamp only)NoNo
Tor BrowserNoNoNo

As you can see for yourself the easiest mitigation is to just use Private Windows. These do not write those origin/quarantine attributes and do not store the entries in the QuarantineEventsV2 database.


Clearing the QuarantineEventsV2 is easy as explained above. Removing the attributes takes some work. Brave is the only tested browser that will not store those attributes by default in normal operations.


Various Artifacts:​


In addition, MacOS keeps various logs of mounted devices, connected devices, known networks, analytics, documents revisions…


See this section of this guide for guidance on where to find and how to delete such artifacts: https://github.com/drduh/macOS-Security-and-Privacy-Guide#metadata-and-artifacts [Archive.org]


Many of those can be deleted using some various commercial third-party tools but I would personally recommend using the free and well-known Onyx which you can find here: https://www.titanium-software.fr/en/onyx.html [Archive.org]. Unfortunately, it is closed-source but it is notarized, signed and has been trusted for many years.


Force a Trim operation after cleaning:​


  • If your file system is APFS, you do not need to worry about Trim, it happens asynchronously as the OS writes data.
  • If your file system is HFS+ (or any other than APFS), you could run First Aid on your System Drive from the Disk Utility which should perform a Trim operation in the details(https://support.apple.com/en-us/HT210898 [Archive.org]).

2021 08 05 11 09

Linux (Qubes OS):​


Please consider their guidelines https://github.com/Qubes-Community/Contents/blob/master/docs/security/security-guidelines.md [Archive.org]


If you are using Whonix on Qubes OS, please consider following some of their guides:



Linux (non-Qubes):​


Guest OS:​


Revert to a previous snapshot of the Guest VM on Virtualbox (or any other VM software you are using) and perform a trim command on your laptop using fstrim --all. This utility is part of the util-linux package on Debian/Ubuntu and should be installed by default on Fedora. Then switch to the next section.


Host OS:​


Normally you should not have traces to clean within the Host OS since you are doing everything from a VM if you follow this guide.


Nevertheless, you might want to clean some logs. Just use this convenient tool: https://web.archive.org/web/https://github.com/sundowndev/go-covermyass (instructions on the page, to download head to the releases, this repository was recently removed)


After cleaning up, make sure you have the fstrim utility installed (should be by default on Fedora) and part of the util-linux package on Debian/Ubuntu. Then just run fstrim --all on the Host OS. This should be sufficient on SSD drives as explained earlier.


Consider the use of Linux Kernel Guard as an added measure https://www.whonix.org/wiki/Linux_Kernel_Runtime_Guard_LKRG [Archive.org]


Windows:​


Guest OS:​


Revert to a previous snapshot on Virtualbox (or any other VM software you are using) and perform a trim command on your Windows using the Optimize as explained in the end of the next section


Host OS:​


Now that you had a bunch of activities with your VMs or Host OS, you should take a moment to cover your tracks. Most of these steps should not be undertaken on the Decoy OS in case of use of plausible deniability. This is because you want to keep decoy/plausible traces of sensible but not secret activities available for your adversary. If everything is clean then you might raise suspicion.


Diagnostic Data and Telemetry:​


First let us get rid of any diagnostic data that could still be there:


(Skip this step if you are using Windows 10 AME)


  • After each use of your Windows devices, go into Settings, Privacy, Diagnostic & Feedback, and Click Delete.

Then let us re-randomize the MAC addresses of your Virtual Machines and the Bluetooth Address of your Host OS.


  • After each shutdown of your Windows VM, change its MAC address for next time by going into Virtualbox > Select the VM > Settings > Network > Advanced > Refresh the MAC address.
  • After each use of your Host OS Windows (your VM should not have Bluetooth at all), Go into the Device Manager, Select Bluetooth, Disable Device and Re-Enable device (this will force a randomization of the Bluetooth Address).

Event logs:​


Windows Event logs will keep many various pieces of information that could contain traces of your activities such as the devices that were mounted (including Veracrypt NTFS volumes forinstance294), your network connections, app crash information and various errors. It is always best to clean those up regularly. Do not do this on the Decoy OS.


  • Start, search for Event Viewer, and launch Event Viewer:
    • Go into Windows logs.
    • Select and clear all 5 logs using right click.

Veracrypt History:​


By default, Veracrypt saves a history of recently mounted volumes and files. You should make sure Veracrypt never saves History. Again, do not do this on the Decoy OS if you are using plausible deniability for the OS. We need to keep the history of mounting the decoy Volume as part of the plausible deniability.


  • Launch Veracrypt
  • Make sure the “Never saves history” checkbox is checked (this should not be checked on the Decoy OS)

Now you should clean the history within any app that you used including Browser history, Cookies, Saved Passwords, Sessions, and Form History.


Browser History:​


  • Brave (in case you did not enable cleaning on exit)
    • Go into Settings
    • Go into Shields
    • Go into Clear Browsing Data
    • Select Advanced
    • Select “All Time”
    • Check all the options
    • Clear Data
  • Tor Browser
    • Just close the Browser and everything is cleaned

Wi-Fi History:​


Now it is time to clear the history of the Wi-Fi you connect to. Unfortunately, Windows keeps storing a list of past Networks in the registry even if you “forgot” those in the Wi-Fi settings. As far as I know, no utilities clean those yet (BleachBit or PrivaZer for instance) so you will have to do it the manual way:


  • Launch Regedit using this tutorial: https://support.microsoft.com/en-us...ndows-10-deab38e6-91d6-e0aa-4b7c-8878d9e07b11 [Archive.org]
  • Within Regedit, enter this to the address bar: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
  • There you will see a bunch of folders to the right. Each of those folders is a “Key”. Each of those keys will contain information about your current known Wi-Fi or past networks you used. You can explore them one by one and see the description on the right side.
  • Delete all those keys.

Shellbags:​


As explained earlier, Shellbags are basically histories of accessed volumes/files on your computer. Remember that shellbags are very good sources of information forforensics287 and you need to clean those. Especially if you mounted any “hidden volume” anywhere. Again, you should not do this on the Decoy OS.



Extra Tools Cleaning:​


After cleaning those previous traces, you should also use third party utilities than can be used to clean various traces. These include the traces of the files/folders you deleted.


Please refer to Appendix H: Windows Cleaning Tools before continuing.


PrivaZer:​


Here are the steps for PrivaZer:


  • Download and install PrivaZer from https://privazer.com/en/download.php [Archive.org]
    • Run PrivaZer after install
    • Do not use their Wizard
    • Select Advanced User
    • Select Scan in Depth and pick your Target
    • Select Everything you want to Scan and push Scan
    • Select What you want cleaned (skip the shell bag part since you used the other utility for that)
      • You should just skip the free space cleaning part if using an SSD and instead just use the native Windows Optimize function (see below) which should be more than enough. I would only use this on an HDD drive.
    • (If you did select Free Space cleaning) Select Clean Options and make sure your type of Storage if well detected (HDD vs SSD).
    • (If you did select Free Space cleaning) Within Clean Options (Be careful with this option as it will erase all the free space on the selected partition, especially if you are running the decoy OS. Do not erase the free space or anything else on the second partition as you risk destroying your Hidden OS)
      • If you have an SSD drive:
        • Secure Overwriting Tab: Personally, I would just pick Normal Deletion + Trim (Trim itself should be enough). Secure Deletion with Trim (1 pass) might be redundant and overkill here if you intend to overwrite the free space anyway.
        • Free Space Tab: Personally, and again “just to be sure”, I would select Normal Cleanup which will fill the entire free space with Data. I do not really trust Smart Cleanup as it does not actually fill all the free space of the SSD with Data. But again, I think this is probably not needed and overkill in most cases.
      • If you have an HDD drive:
        • Secure Overwriting Tab: I would just pick Secure Deletion (1 pass).
        • Free Space: I would just pick Smart Cleanup as there is no reason to overwrite sectors without data on an HDD drive.
    • Select Clean and Pick your flavor:
      • Turbo Cleanup will only do normal deletion (on HDD/SSD) and will not clean free space. It is not secure on an HDD nor an SSD.
      • Quick Cleanup will do secure deletion (on HDD) and normal deletion + trim (on SSD) but will not clean free space. I think this is secure enough for SSD but not for HDD.
      • Normal Cleanup will do secure deletion (on HDD) and normal deletion + trim (on SSD) and will then clean the whole free space (Smart Cleanup on HDD and Full Cleanup on SSD) and should be secure. I think this option is the best for HDD but completely overkill for SSD.
    • Click Clean and wait for cleaning to finish. Could take a while and will fill your whole free space with data.

BleachBit:​


Here are the steps for BleachBit:


  • Get and install the latest version from BleachBit here https://www.bleachbit.org/download [Archive.org]
  • Run BleachBit
  • Clean at least everything within those sections:
    • Deep Scan
    • Windows Defender
    • Windows Explorer (including Shellbags)
    • System
    • Select any other traces you want to remove from their list
      • Again, as with the previous utility, I would not clean the free space on an SSD drive because I think the Windows native “optimize” utility is enough (see Below) and that filling up the free space on a trim enabled SSD is just completely overkill and unnecessary.
    • Click Clean and wait. This will take a while and will fill your whole free space with data on both HDD and SSD drives.

Force a Trim with Windows Optimize (for SSD drives):​


With this Native Windows 10 utility, you can just trigger a Trim on your SSD which should be more than enough to securely clean all deleted files that somehow would have escaped Trim when deleting them.


Just open Windows Explorer, Right Click on your System Drive and click Properties. Select Tools. Click Optimize and then Optimize again. You are done. I think that is probably enough in my opinion.
2021 08 05 11 10
 

HEISENBERG

Administrator
ADMIN
Joined
Jun 24, 2021
Messages
1,658
Solutions
2
Reaction score
1,789
Points
113
Deals
666

Removing some traces of your identities on search engines and various platforms:​


Chances are your actions (such as posts on various platforms, your profiles) will be indexed (and cached) by many search engines.


Contrary to popular belief, it is possible to have some but not all this information removed by following some steps. While this might not remove the information on the websites themselves, it will make it harder for people to find it using search engines.


  • First, you will have to delete your identities from the platform themselves if you can. Most will allow this but not all. For some you might have to contact their support/moderators and for others there will be readily available forms to do so.
  • If they do not allow removal/deletion of profiles, there might be a possibility for you to rename your identity. Change the username if you can and all account information with bogus information including the e-mail.
  • If allowed, you can also sometimes edit past posts to remove the information within those.

You can check some useful information about how to and get delete various accounts on these websites:



When you are done with this part, you should now handle search engines and while you may not be able to have the information deleted, you can ask them to update/remove outdated information which could then remove some cached information.
 

HEISENBERG

Administrator
ADMIN
Joined
Jun 24, 2021
Messages
1,658
Solutions
2
Reaction score
1,789
Points
113
Deals
666

Google:​


Unfortunately, this will require you to have a Google account to request the update/removal (however this can be done with any Google account from anyone). There is no way around this except waiting.


Go to their “Remove outdated content from Google Search” page here: https://search.google.com/search-console/remove-outdated-content [Archive.org] and submit a request accordingly.


If your profile/username was deleted/changed, they should re-index the content and update accordingly and remove these traces.


These requests might take several days to process. Be patient.


Bing:​


Unfortunately, this will require you to have a Microsoft account to request the update/removal (however this can be done with any Microsoft account from any identity). There is no way around this except waiting.


Go to their “Content Removal” page here: https://www.bing.com/webmasters/tools/contentremoval [Archive.org] and submit a request accordingly.


If your profile/username was deleted/changed, they should re-index the content and update accordingly and remove these traces.


This might take several days to process. Be patient.


DuckDuckGo:​


DuckDuckGo does not store cached version of pages and will instead forward you to a Google/Bing cached version if available.


In addition, DuckDuckGo source most of their searches from Bing (and not google) and therefore removing the content from Bing should in time have it removed it from DuckDuckGo too.


Yandex:​


Unfortunately, this will require you to have a Yandex account to request removals (however this can be done with any Yandex account from any identity). There is no way around this except waiting.


Once have your Yandex account, head to the Yandex Webmaster tools https://webmaster.yandex.com [Archive.org] and then select Tools and Delete URL https://webmaster.yandex.com/tools/del-url/ [Archive.org]


There you can input the URL that do not exist anymore if you had them deleted.


This will only work with pages that have been deleted and therefore will not work with removing cache of existing records. For that unfortunately there is no tool available to force a cache update but you can still try their feedback tool:


Search for the page that was changed (where your profile was deleted/changed) and click the arrow next to the result. Select Complain. And submit a complaint about the page not matching the search result. Hopefully this will force Yandex to re-crawl the page and re-index it after some time. This could take days or weeks.


Qwant:​


As far as I know, there is no readily available tool to force this and you will have to wait for the results to get updated if there is any. If you know a way, please report this to me through the GitHub issues.


Yahoo Search:​


Yes, Yahoo Search still exists but as per their help page https://help.yahoo.com/kb/SLN4530.html [Archive.org], there is no way to remove information or refresh information besides waiting. This could take 6 to 8 weeks.


Baidu:​


As far as I know, there is no readily available tool to force this unless you control the website (and do it through their webmaster tools). Therefore, you will have to wait for the results to get updated if there is any. If you know a way, please report this to me through the GitHub issues.


Wikipedia:​


As far as I know, there is no way to remove information from Wikipedia articles themselves but if you just want to remove traces of your username from it (as a user that contributed), you can do so by following these steps: https://en.wikipedia.org/wiki/Wikipedia:Courtesy_vanishing [Wikiless] [Archive.org]


This will not remove any information about your online identities that could appear in other articles but only your own identity on Wikipedia as a user.


Archive.today:​


Some information can sometimes be removed on demand (sensitive information for example) as you can see many examples here: https://blog.archive.today/archive


This is done through their “ask” page here: https://blog.archive.today/ask


Internet Archive:​


You can remove pages from internet archives but only if you own the website in question and contact them about it. Most likely you will not be able to remove archives from say “Reddit posts” or anything alike. But you could still ask and see what they answer.


As per their help page https://help.archive.org/hc/en-us/articles/360004651732-Using-The-Wayback-Machine


“How can I exclude or remove my site’s pages from the Wayback Machine?


You can send an e-mail request for us to review to [email protected] with the URL (web address) in the text of your message”.
 

HEISENBERG

Administrator
ADMIN
Joined
Jun 24, 2021
Messages
1,658
Solutions
2
Reaction score
1,789
Points
113
Deals
666

Some low-tech old-school tricks:​


Hidden communications in plain sight:​


You must keep in mind that using all those security measures (encryption, plausible deniability, VPN, tor, secure operating systems …) can make you suspicious just by using them. Using could be the equivalent of stating openly “I have something to hide” to an observer which could then motivate some adversaries to investigate/survey you further.


So, there are other ways you could exchange or send messages online to others in case of need without disclosing your identity or establishing direct communication with them. These have been in use by various organizations for decades and can be of help if you do not want to attract attention by using secure tech while still communicating some sensitive information without attracting attention.


A commonly used technique which combines the idea of a Dead Drop and Secure Communication Obfuscation through Steganography and/or Kleptography and has many names such as Koalang or “Talking Around” or even “Social Steganography”. This technique is very old and still widely used nowadays by teenagers to bypass parental control. It is hiding in plain sight.


Here is one example if you want to let someone know something is wrong and they should go dark? That they should immediately wipe all their data, get rid of their burner phones and sensitive information?


What if you want to let someone you trust (friends, family, lawyers, journalists …) know that you are in trouble and they should look out for you?


All this without revealing the identity of the person you are sending the message to nor disclosing the content of that message to any third party and without raising suspicions and without using any of the secure methods mentioned above.


Well, you could just use any online public platform for this (Instagram, Twitter, Reddit, any forum, YouTube …) by using in-context (of the chosen platform/media) agreed upon (between you and your contact) coded messages that only your contact would understand.


This could be a set of specific Emoji’s or a specifically worded mundane comment. Or even just a like on a specific post from a known influencer you usually watch and like. While this would look completely normal to anyone, this could in fact mean a lot to a knowledgeable reader who could then take appropriate agreed upon actions. You could also hide the message using Steganography using for instance https://stegcloak.surge.sh/.


You do not even have to go that far. A simple “Last seen” time on a specific account could be enough to trigger a message agreed upon. If your interlocutor sees that such account was online. It could mean there is an issue.
 

HEISENBERG

Administrator
ADMIN
Joined
Jun 24, 2021
Messages
1,658
Solutions
2
Reaction score
1,789
Points
113
Deals
666

How to spot if someone has been searching your stuff:​


There are some old tricks that you can use to spot if people have been messing with your stuff while you were away.


One trick for instance is very simple and just requires a wire/cable. Simply dispose objects on your desk/night table or in your drawers following a straight line. You can use a simple USB cable as a tool to align them.


Make a line with your cable and place objects along the line. When you are back, just check those places and check if the objects are still placed along the line. This allows you not to remember precisely where your things were without taking pictures.


Fortunately, modern technology has made this even simpler. If you suspect someone might be looking through your stuff while you are away, you can just take a picture of the area with your phone before leaving. When you are back, just compare the areas with your pictures and everything should be exactly where you left it. If anything moved then someone was there.


It will be very hard and time consuming for an adversary to search through your stuff and then replace it exactly as you left it with complete precision.


What if it is a printed document or book and you want to know if someone read it? Even simpler. Just carefully make a note within the document with a pencil. And then erase it with any pencil eraser as if you wanted to correct it. The trick is to carefully leave the eraser traces/residues on the area you erased/pencil written areas and close the document. You could also take a picture of the residues before closing the document.


Most likely if someone went through your document to read it and re-placed it carefully, this residue will fall off or be moved significantly. It is a simple old school trick that could tell you someone searched a document you had.
 

HEISENBERG

Administrator
ADMIN
Joined
Jun 24, 2021
Messages
1,658
Solutions
2
Reaction score
1,789
Points
113
Deals
666

Some last OPSEC thoughts:​


Wait, what is OPSEC? Well, OPSEC means Operations Security. The basic definition is: “OPSEC is the process of protecting individual pieces of data that could be grouped together to give the bigger picture “.


OPSEC is often just applying common sense and being cautious about your activities including in the physical world.


  • Remember to use passphrases instead of passwords and use a different one for each service (Appendix A2: Guidelines for passwords and passphrases).
  • Make sure you are not keeping a copy of this guide anywhere unsafe after. The sole presence of this guide will most likely defeat all your plausible deniability possibilities.
  • Consider the use of Haven https://guardianproject.github.io/haven/ [Archive.org] on some old android phone to keep watch on your home/room while you are away.
  • Doxx “yourself” and your identities from time to time by looking for them yourself online using various search engines to monitor your online identities. You can even automate the process somewhat using various tools such as Google Alerts https://www.google.com/alerts [Archive.org].
  • Remember Appendix N: Warning about smartphones and smart devices. Do not forget your smart devices can compromise your anonymity.
  • Do not ever use biometrics alone to safeguard your secrets. Biometrics can be used without your consent.
  • Do not ever travel with those devices if you must pass strong border checks and where they could be illegal or raise suspicion.
  • Do not plug any equipment in that laptop unless you trust it. Use an USB data blocker for charging.
  • Do check the signatures and hashes of Software you download before installing them.
  • Remember the first rule of fight club and do not talk to anyone about your sensitive activities using your real identity.
  • Keep a normal life and do not be weird. If you spend all your online time using Tor to access the internet and have no social network accounts at all … You are already suspicious and attracting unnecessary attention.
  • Encrypt everything but do not take it as granted. Remember the 5$wrench8.
  • Keep plausible deniability as an option but remember it will not help against the 5$ wrencheither8.
  • Never ever leave your laptop unattended/on/unlocked anywhere when conducting sensitive activities. Remember the story of Ross Ulbricht and his arrest https://en.wikipedia.org/wiki/Ross_Ulbricht#Silk_Road,_arrest_and_trial [Wikiless] [Archive.org].
  • Check for tampering regularly (not only your devices but also your home/room).
  • If you can, do not talk to the police/authorities (at least if you are in the US)
    [Invidious] without a lawyer. Remain silent.
  • Know and always have at your disposal the details of a lawyer that could help you as a last resort in case things go wrong.
  • Read those tips here https://www.whonix.org/wiki/DoNot [Archive.org]
  • Finally, have common sense, do not be dumb, look and learn from others’ mistakes, watch these:
    • 2020, Sinwindie, OSINT and Dark Web Markets, Why OPSEC Still Matters
      [Invidious]
    • 2020, RSA Conference 2020, When Cybercriminals with Good OpSec Attack
      [Invidious]
    • 2015, DEFCON 22, Adrian Crenshaw- Dropping Docs on Darknets: How People Got Caught,
      [Invidious](Slides [Archive.org])
    • 2017, Ochko123 - How the Feds Caught Russian Mega-Carder Roman Seleznev
      [Invidious]
    • 2015, DEF CON 22 - Zoz - Don’t Fuck It Up!
      [Invidious]
    • 2020, Bad Opsec - How Tor Users Got Caught,
      [Invidious]

FINAL OPSEC DISCLAIMER: KEEP YOUR ANONYMOUS IDENTITIES COMPLETELY SANDBOXED FROM YOUR NORMAL ENVIRONMENT AND REAL IDENTITY. DO NOT SHARE ANYTHING BETWEEN THE ANONYMOUS ENVIRONMENTS AND THE REAL IDENTITY ENVIRONMENT. KEEP THEM COMPLETELY COMPARTIMENTALIZED ON EVERY LEVEL. MOST OPSEC FAILURES ARE DUE TO USERS ACCIDENTALY LEAKING INFORMATION RATHER THAN TECHNICAL FAILURES.
 

HEISENBERG

Administrator
ADMIN
Joined
Jun 24, 2021
Messages
1,658
Solutions
2
Reaction score
1,789
Points
113
Deals
666

If you think you got burned:​


If you have some time:​


  • Don’t Panic.
  • Delete everything you can from the internet related to that specific identity (accounts, comments …).
  • Delete everything offline you have related to that identity including the backups.
  • (If using a physical SIM) Destroy the SIM card and trash it in a random trash can somewhere.
  • (If using a physical Burner Phone) Erase then destroy the Burner phone and trash it in a random trashcan somewhere.
  • Securely erase the laptop hard drive and then ideally proceed to physically destroy the HDD/SSD/Laptop and trash it somewhere.
  • Do the same with your backups.
  • Keep the details of your lawyer nearby or if needed, call him/her in advance to prepare your case if needed.
  • Return to your normal activities and hope for the best.

If you have no time:​


  • Don’t Panic.
  • Try to shut down/hibernate the laptop as soon as possible and hope for the best. If you are fast enough, your memory should decay or be cleaned and your data should be mostly safe for the time being.
  • Contact a lawyer if possible and hope for the best and if you cannot contact one (yet), try to remain silent (if your country allows it) until you have a lawyer to help you and if your law allows you to remain silent.

Keep in mind that many countries have specific laws to compel you to reveal your passwords that could override your “right to remain silent”. See this Wikipedia article: https://en.wikipedia.org/wiki/Key_disclosure_law [Wikiless] [Archive.org] and this other visual resource with law references https://www.gp-digital.org/world-map-of-encryption/ [Archive.org].
 

HEISENBERG

Administrator
ADMIN
Joined
Jun 24, 2021
Messages
1,658
Solutions
2
Reaction score
1,789
Points
113
Deals
666

A small final editorial note:​


After reading this whole guide, I hope you will have gained some additional beneficial insight about privacy and anonymity. It is clear now, in my humble opinion, that the world we live in has only few safe harbors remaining where one could have a reasonable expectation of privacy and even less so anonymity. Many will often say that 1984 by George Orwell was not meant to be an instruction book. Yet today this guide and its many references should, I hope, reveal to you how far down we are in the rabbit hole.


You should also know that most of the digital information described in lengths in this guide can be forged or tampered by a motivated adversary for any purpose. Even if you do manage to keep secrets from prying eyes, it is possible for anyone to fabricate anything to fit their narrative.


  • IP logs, DNS logs, Geolocation logs and Connection logs can be forged or tampered with by anyone using a simple text editor without leaving traces.
  • Files and their properties can be created, altered, and timestamped by anyone using simple utilities without leaving traces.
  • EXIF information of pictures and videos can be altered by anyone using simple utilities without leaving traces.
  • Digital Evidence (Pictures, Videos, Voice Recordings, E-Mails, Documents…) be crafted, placed, removed, or destroyed with ease without leaving traces.

You should not hesitate to question this type of information from any source in this age of disinformation.


“A lie can travel half way around the world while the truth is putting on its shoes.” – Mark Twain.


Please keep thinking for yourself and be open to critical thinking. Please keep an open mind. Dare to know!


“In the end the Party would announce that two and two made five, and you would have to believe it.” – George Orwell, 1984.
 

thegentleman_007

Don't buy from me
New Member
Joined
Aug 5, 2022
Messages
15
Reaction score
5
Points
3
At least a facemask will be easier due to covid, makes it def a lot less weird. Interesting read!
 

Lesternixon

Don't buy from me
Member
Joined
Feb 19, 2023
Messages
6
Reaction score
0
Points
1
This is advantageous because most crooks and trolls are not very tech-savvy and will be easily recognised. However, this has its drawbacks as well because it makes it quite simple to follow most political dissidents, human rights advocates, and whistleblowers.
 
Top