On 29/09/2025 12.33, boyska wrote:
> Marco A. Calamari:
>> I wonder if this talk from the SANS summit 2025 is already known.
>> But maybe it can be of some interest to make Tails better.
>
> Thanks, that's a useful read. I'm not sure I get the context, though. Do you have more info about the context? Am I correct in saying they assume all of those things:
>
>   1. they have their hands on a *running* Tails
>   2. that Tails has a Persistent Storage enabled
>   3. they don't know the passphrase of the Persistent Storage
>   4. Tails was run with an administration password
>   5. they know the administration password.
>
> ?

I skimmed it before I saw your email (so I wasn't influenced by your analysis) and had the exact same interpretation. But I don't think there is much need for interpretation given that on page 5 they emphasize in red text that "Without the administrator password, you will not have access to the filesystem", and continue "or root privileges, which can make accessing the filesystem and or collection problematic if not impossible". Considering this is written from the PoV of someone working in corporate USA, excessive surveillance is to be expected, so it's maybe not so unreasonable for them to assume a password/passphrase was intercepted by a hardware keylogger or video or whatever.

> Like, what's the context in which this is realistic?
> A SWAT operation which can grab your laptop before the user has time to unplug the USB stick? And if the administration password was obtained through user collaboration, couldn't they ask for the Persistent Storage password instead? This would remove requirements 1 and 4.

And 3 would be invalidated, depending on how you see things.

> And why are they copying the raw device when they could copy the decrypted files?

Attempting to capture a raw dump is a good first step in data forensics.

> I guess there must be a rationale for all of that, and understanding it would help us design Tails better.

I don't think this is intended to be groundbreaking crazy stuff, but rather some pointers on how to get started doing basic data forensics against Tails, just so other corporate "incident responders" don't have to reinvent the wheel.

Cheers!
_______________________________________________
Tails-dev mailing list
[email protected]
https://www.autistici.org/mailman/listinfo/tails-dev
To unsubscribe from this list, send an empty email to 
[email protected].