

Security and Privacy Checklist


As you can see, this is a checklist, not a full guide to protecting yourself. If you need detailed instructions and more background knowledge, check out the sites I linked in the "Full Guides" part. Before you start, there are some things you need to know. During every step of the process you should fully understand what you are doing and what the implications and limitations are. It is impossible to have a 100% secure setup; everything can be breached with enough time and resources. Since you are the weakest link in the chain, you should also have a proper incident response plan.


  • Understand the differences between security, privacy and anonymity
  • Make yourself familiar with concepts like fingerprinting, malware and social engineering techniques
  • Know what your threat model is → assets, security, threats and adversaries

Sources and more:


  • Use secure and "Respects Your Freedom" rated hardware from vendors such as Vikings, Technoethical, RetroFreedom or Libiquity

→ or privacy respecting alternatives from Insurgo, ThinkPenguin, System76, Purism or RaptorCS
→ More Linux-hardware: Slimbook, TUXEDO Computers, Entroware, Star Labs and Juno Computers

  • You should use Libreboot, Coreboot or me_cleaner
  • AMD PSP can possibly be deactivated in BIOS/UEFI
  • To avoid Intel ME and AMD PSP completely → RaptorCS (POWER9 processor), Pine64 (Rockchip / Allwinner processor) or old models of Intel / AMD processors
  • A Chromebook may not be private, but it is pretty secure for your work
  • Buy your hardware anonymously from small retailers with cash (not online)


Sources and more:


  • Raspberry Pi for Pihole
  • USB-keys like Nitrokey/Yubikey/SoloKey
  • Privacy Screen Protector
  • Webcam covers
  • Mic-Lock
  • USB Network adapter
  • USB data blocker


Sources and more:


Buy your own router (e.g. from ThinkPenguin or pfSense)

  • Avoid routers or firmware from your ISP
  • Use firmware like OpenWrt (TP-Link Archer C7)
  • Keep your firmware up to date
  • Turn on your firewall and enable automatic updates
  • Disable WPS, PING, Telnet, SSH, UPnP, HNAP and Remote Administration
  • Disable WiFi Protected Setup
  • Disable Cloud-Based Management
  • Prohibit communication between different devices (client isolation)
  • Whitelist MAC addresses
  • Change the DNS server of your router
  • Change the local & the default IP address of your router
  • Close open ports that you don't use
  • Turn off your router when you don't use it
  • Change the default password of your router
  • Implement a network-wide VPN or Tor router
  • Idea: psad in combination with sshguard
  • Use Ethernet instead of WiFi

  • If you use WiFi:

  • Make your SSID as impersonal as possible so that you are not immediately identified
  • add _optout_nomap to SSID → opt-out of SSID data collection from Microsoft and Google
  • Use WPA2 or WPA3 encryption, all others (WEP and WPA) are not secure
  • If you can choose, use WPA2-AES (CCMP) instead of WPA2-TKIP
  • Don't let devices connect to networks automatically
  • Change your SSID regularly
  • Use 5 GHz instead of 2.4 GHz
  • Use a Guest WiFi for devices of friends and for IoT devices


Sources and more:


  • Protect your BIOS / UEFI with a passphrase
  • Enable virus protection in BIOS if you can
  • Enable virtualization → for virtual machines
  • Enable the HDD/SSD password if the feature is available
  • Disable Bluetooth completely if you can
  • Disable the Webcam and Microphone if you can
  • Disable USB/HDMI or any other port (Ethernet, Firewire, SD card …) if you can
  • Disable Intel ME or AMD PSP if you can
  • Disable boot from CD/DVD/stick if you can
  • Disable Secure Boot if you intend to use QubesOS, as it does not support it out of the box / keep it on if you use Linux/Windows


Sources and more:


Divide your digital life into multiple identities → i.e. multiple browsers (or browser profiles), email addresses and possibly also operating systems

  • Avoid mixing different identities with each other

Everything about your work | Everything with accounts | Everything without accounts
Operating system 1         | Operating system 2       | Operating system 3
Browser 1                  | Browser 2                | Browser 3
Email provider 1           | Email provider 2         | N/A


Sources and more:



1. One built-in hard drive with one partition + one USB flash drive

   Built-in hard drive, Partition 1 (Host OS)
     First compartment:  VM for work
     Second compartment: VM for accounts
     Third compartment:  VM for Whonix
   USB flash drive (Live OS)
     Third compartment:  Tails


2. One built-in hard drive with two partitions + one USB flash drive

   Built-in hard drive (Host OS)
     Partition 1
       First compartment:  VM for work
     Partition 2
       Second compartment: VM for accounts
       Third compartment:  VM for Whonix
   USB flash drive (Live OS)
     Third compartment:  Tails


3. One built-in hard drive with three partitions + one USB flash drive

   Built-in hard drive (Host OS)
     Partition 1
       First compartment:  VM for work
     Partition 2
       Second compartment: VM for accounts
     Partition 3
       Third compartment:  VM for Whonix
   USB flash drive (Live OS)
     Third compartment:  Tails


4. One external hard drive with one partition + one USB flash drive

   External hard drive, Partition 1 (Host OS)
     First compartment:  VM for work
     Second compartment: VM for accounts
     Third compartment:  VM for Whonix
   USB flash drive (Live OS)
     Third compartment:  Tails


5. One external hard drive with two partitions + one USB flash drive

   External hard drive (Host OS)
     Partition 1
       First compartment:  VM for work
     Partition 2
       Second compartment: VM for accounts
       Third compartment:  VM for Whonix
   USB flash drive (Live OS)
     Third compartment:  Tails


6. One external hard drive with three partitions + one USB flash drive

   External hard drive (Host OS)
     Partition 1
       First compartment:  VM for work
     Partition 2
       Second compartment: VM for accounts
     Partition 3
       Third compartment:  VM for Whonix
   USB flash drive (Live OS)
     Third compartment:  Tails


7. Two external hard drives with one partition each + one USB flash drive

   First external hard drive, Partition 1 (Host OS)
     First compartment:  VM for work
   Second external hard drive, Partition 1 (Host OS)
     Second compartment: VM for accounts
     Third compartment:  VM for Whonix
   USB flash drive (Live OS)
     Third compartment:  Tails


8. Two external hard drives, one with one partition and one with two partitions + one USB flash drive

   First external hard drive, Partition 1 (Host OS)
     First compartment:  VM for work
   Second external hard drive (Host OS)
     Partition 1
       Second compartment: VM for accounts
     Partition 2
       Third compartment:  VM for Whonix
   USB flash drive (Live OS)
     Third compartment:  Tails


9. Three external hard drives with one partition each + one USB flash drive

   First external hard drive, Partition 1 (Host OS)
     First compartment:  VM for work
   Second external hard drive, Partition 1 (Host OS)
     Second compartment: VM for accounts
   Third external hard drive, Partition 1 (Host OS)
     Third compartment:  VM for Whonix
   USB flash drive (Live OS)
     Third compartment:  Tails


Sources and more:


  • Any operating system can be secure and private after hardening
  • Combine different operating systems for compartmentalization
  • Linux / Xen distributions designed for privacy and security
  • → Tails, Whonix, QubesOS


Sources and more:


Installation

  • If you can, get a copy of the LTSC edition
  • Verify the checksum of the installation ISO
  • Don't connect your PC with your Microsoft account

System Settings

  • Network and Internet → disable WiFi Sense
  • Settings → Privacy → disable everything that is not needed
  • Create a second account for admin tasks
  • Uninstall Bloatware and unused programs
  • Disable Cortana


Sources and more:


Use tools like:

  • FOSS: Destroy Windows 10 Spying, DisableWinTracking
  • Proprietary: W10Privacy, DoNotSpy10
  • https://ameliorated.info (build it yourself; don't use the prebuilt ISO)

  • Use Secure Boot
  • Use Full Disk Encryption with VeraCrypt
  • Don't use Root/ Admin Account for Non-Admin Tasks
  • Protect against software keyloggers with GhostPress, SpyShelter or KeyScrambler
  • Use Duckhunt to protect your computer against rogue USB devices (a.k.a. BadUSB)


Sources and more:


Installation

  • ...

System Settings

  • ...


Sources and more:


  • Protect against software keyloggers with ReiKey


Sources and more:

  • Verify the checksum of the installation ISO
  • Do the installation offline
  • Use Full Disk Encryption when installing a new distro
  • Fill your drive with random data
  • Don't use personal information (name, device model...) for the hostname or user name
  • Use strong passphrases (over 15 characters)
  • Choose "minimal installation"
  • Create different file systems for /home and /tmp
  • Don't connect accounts to the operating system
  • Don't allow any data collection if prompted
  • Disable Bluetooth and location services if you don't need them
  • Enable automatic updates
  • Set a DNS server in the network settings that respects privacy
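The checksum step above (and the same step in the Windows installation list) in working form, as an added example that is not part of the original checklist: a small POSIX shell script that compares a downloaded ISO against a vendor SHA256SUMS-style file ("<hash>  <filename>" per line) and, optionally, checks the GPG signature on that file first. The file names and the `.sig` suffix for the detached signature are placeholders/assumptions.

```shell
#!/bin/sh
# Added example (not from the checklist): verify a downloaded ISO against a
# published SHA-256 sum before installing from it. Assumes the vendor publishes
# a SHA256SUMS-style file ("<hash>  <filename>") and optionally a detached GPG
# signature next to it. File names below are placeholders.

# Print the SHA-256 of a file, using whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Look up the expected hash for a file name in a SHA256SUMS-style file.
# A leading '*' (binary mode marker) on the name is ignored. Exit 1 if absent.
expected_sum() {
    sums_file=$1; name=$2
    awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; found = 1 } }
                      END { exit found ? 0 : 1 }' "$sums_file"
}

# Compare the real hash with the published one. Exit status 0 = match,
# 1 = mismatch, 2 = no published entry for this file name.
verify_iso() {
    iso=$1; sums_file=$2
    name=$(basename "$iso")
    want=$(expected_sum "$sums_file" "$name") || {
        echo "no entry for $name in $sums_file" >&2
        return 2
    }
    have=$(sha256_of "$iso")
    if [ "$have" = "$want" ]; then
        echo "OK: $name matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: $name" >&2
    echo "  expected $want" >&2
    echo "  got      $have" >&2
    return 1
}

# Optional but important: check the vendor's signature on the sums file first,
# so a tampered mirror cannot simply rewrite both the ISO and its hash. The
# vendor's public key must already be in your keyring, imported via a trusted
# channel (assumed detached signature name: <sums file>.sig).
verify_sums_signature() {
    gpg --verify "$1.sig" "$1"
}
```

Run `verify_iso path/to/distro.iso path/to/SHA256SUMS`; the exit status is 0 only when the hash matches, so the call can guard the step that writes the image to a USB stick. The hash alone only proves that the file you got equals the file the mirror advertised; `verify_sums_signature` is what ties the list of hashes to the vendor's key.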


Sources and more:


  • Just follow this guide


  • Turn on your firewall and configure it
  • Close unused open ports
  • If you need SSH use software like sshguard
  • Implement Mandatory Access Control
  • Configure SELinux
  • Change MAC addresses with macchanger
  • → sudo ifconfig eth0 down → sudo macchanger -r eth0 → sudo ifconfig eth0 up
  • Change mount options for filesystems like /tmp
  • Set a passphrase for single user mode
  • Install integrity tools like Samhain or AFICK
  • Limit permissions for users (restrict root access)
  • Use USBGuard to protect your computer against rogue USB devices (a.k.a. BadUSB)
  • Place the boot partition on a separate drive
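What the macchanger line above does, as an added example that is not part of the original checklist: a shell script that generates a random locally administered MAC address (the kind `macchanger -r` hands out), validates it, and prints the `ip link` commands that would apply it. The interface name is a placeholder and nothing on the system is changed unless you set `DRY_RUN=0` and run it as root.

```shell
#!/bin/sh
# Added example (not from the checklist): random locally administered MAC
# addresses, as assigned by "macchanger -r", plus the ip(8) commands to apply
# one. Interface names are placeholders; by default commands are only printed.

# Produce a random MAC. In the first octet the "locally administered" bit
# (0x02) is set and the multicast bit (0x01) is cleared, so the address never
# collides with a vendor-assigned unicast address and is valid for a station.
random_mac() {
    first=$(od -An -N1 -tu1 /dev/urandom | tr -d ' ')
    first=$(( (first & 0xfc) | 0x02 ))
    rest=$(od -An -N5 -tx1 /dev/urandom | tr -d ' \n')
    printf '%02x:%s\n' "$first" "$(echo "$rest" | sed 's/../&:/g; s/:$//')"
}

# Validate a MAC string: six lower-case hex pairs, locally administered, unicast.
valid_private_mac() {
    mac=$1
    case "$mac" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]) ;;
        *) return 1 ;;
    esac
    first=$(( 0x$(echo "$mac" | cut -c1-2) ))
    # bit 1 set (locally administered) and bit 0 clear (unicast) => value 2
    [ $(( first & 0x03 )) -eq 2 ]
}

# Print the commands that set the address on an interface, or run them when
# DRY_RUN=0 (needs root). Refuses addresses that fail the validation above.
apply_mac() {
    ifname=$1; mac=$2
    DRY_RUN=${DRY_RUN:-1}
    valid_private_mac "$mac" || { echo "refusing to apply invalid MAC $mac" >&2; return 1; }
    for cmd in "ip link set dev $ifname down" \
               "ip link set dev $ifname address $mac" \
               "ip link set dev $ifname up"; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "$cmd"
        else
            $cmd || return 1
        fi
    done
}

# Usage (dry run): generate an address for a placeholder interface and show the steps.
apply_mac eth0 "$(random_mac)"
```

Changing the address on every connection only helps if the rest of the device does not re-identify it anyway (hostname in DHCP requests, remembered SSIDs); the checklist's WiFi items above cover those.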


Sources and more:


  • Consider checking out the HiddenVM project
  • You could run the non-persistent Tails from a USB and store persistent VMs within a VeraCrypt hidden volume on a HDD
  • Don't use hidden volumes on SSD drives as this is not supported/recommended by VeraCrypt
  • Keep in mind that encryption with or without plausible deniability will have little use in case of torture
  • TrueCrypt's Plausible Deniability is Theoretically Useless
  • Thus plausible deniability is only effective against lawful adversaries that won't use torture (a.k.a. rubber-hose cryptanalysis)
  • Check out the Tails documentation


Sources and more:

  • Use the provided Whonix Workstation VM instead of hybrid systems (like Whonix Gateway with Kali)
  • Follow the VirtualBox hardening tips in the next accordion
  • Consider using the Whonix in a HiddenVM in Tails
  • Check out the Whonix documentation


Sources and more:

  • Virtual machines can contain exploits and are the best way to protect against zero-days
  • Use Full Disk Encryption when installing a new operating system
  • Encrypt your VM under Settings → General → Disk Encryption if you use VirtualBox
  • Store your virtual machine files in a hidden or at least encrypted VeraCrypt volume

Sources and more:


Physical isolation (physical hardening)

  • Store VMs in a Hidden VeraCrypt volume on an encrypted HDD or in a dedicated encrypted operating system
  • → only for things that need a lot of trust, not for everyday tasks

  • A USB network adapter instead of the host's network adapter
  • → or a VLAN for virtual isolation

Hardening in VirtualBox

  • Settings → General → Advanced → Disable Shared Clipboard
  • Settings → General → Advanced → Disable Drag'n'Drop
  • Settings → General → Disk Encryption → Encrypt the VM with AES-XTS256-Plain64
  • Settings → System → Boot Order → Uncheck Floppy
  • Settings → System → Boot Order → Uncheck Optical
  • Settings → System → Motherboard → Extended Features: Disable IO-APIC
  • Settings → System → Motherboard → Extended Features: Don't enable EFI
  • Settings → System → Processor → Enable PAE/NX
  • Settings → System → Acceleration → Disable Nested Paging
  • Settings → Display → Screen → Don't enable 3D acceleration
  • Settings → Display → Remote Display → Don't enable Remote Display Server
  • Settings → Audio → Disable audio
  • Settings → Network → Advanced → Change your MAC address from time to time
  • Settings → Serial Ports → Don't Enable Serial Ports
  • Settings → USB → Disable USB Controller
  • → Pointing Device: PS/2 Mouse

  • Settings → Shared Folders → Don't use Shared Folders

  • Don't use guest additions if possible
  • If it can be avoided don't connect USB devices
  • Pause or Suspend leaves the Full Disk Encryption keys in RAM
  • → Only do this if you have physical control, otherwise power the machine off

  • Desynchronize your VM's clock from your host OS by an offset within a ±60000 millisecond range
  • → $ VBoxManage modifyvm "Whonix-Gateway-XFCE" --biossystemtimeoffset -40397
  • → $ VBoxManage modifyvm "Whonix-Workstation-XFCE" --biossystemtimeoffset +22963

  • Check out the Spectre/Meltdown mitigation
  • Consider making a VM without internet access for sensitive information if you don't want to use a VeraCrypt container
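The clock-desync step above, automated as an added example that is not part of the original checklist: pick a separate random offset for each VM within the ±60000 ms window and print the matching `VBoxManage modifyvm ... --biossystemtimeoffset` line. The VM names are the ones quoted above; the commands are printed rather than run, so nothing is changed until you execute them yourself.

```shell
#!/bin/sh
# Added example (not from the checklist): random guest clock offsets within the
# +/-60000 ms window, emitted as VBoxManage commands. The VM names are the ones
# from the checklist; VirtualBox is not required to run this script.

MAX_OFFSET_MS=60000

# Random integer in [-MAX_OFFSET_MS, +MAX_OFFSET_MS], never exactly 0 so the
# guest clock always differs from the host clock.
random_offset_ms() {
    r=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
    off=$(( r % (2 * MAX_OFFSET_MS + 1) - MAX_OFFSET_MS ))
    [ "$off" -eq 0 ] && off=1
    echo "$off"
}

# Sanity check before applying: a signed integer inside the window.
offset_in_range() {
    n=${1#-}
    case "$n" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "-$MAX_OFFSET_MS" ] && [ "$1" -le "$MAX_OFFSET_MS" ]
}

# Build the VBoxManage command for one VM (same flag as used on the page).
offset_command() {
    vm=$1; off=$2
    offset_in_range "$off" || { echo "offset $off out of range" >&2; return 1; }
    printf 'VBoxManage modifyvm "%s" --biossystemtimeoffset %s\n' "$vm" "$off"
}

# One independent offset per VM, so the guests also differ from each other.
for vm in "Whonix-Gateway-XFCE" "Whonix-Workstation-XFCE"; do
    offset_command "$vm" "$(random_offset_ms)"
done
```

Re-run the script and apply the new lines whenever you want fresh offsets; the VMs must be powered off for `modifyvm` to take effect.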


Sources and more:


  • If you launch your browser for the first time do it offline to configure the settings
  • Harden your browser in about:config or chrome://flags
  • → in Firefox based browsers with arkenfox user.js

  • Use security settings (DNT, permissions, user data collection, privacy respecting default search engine etc.)
  • Delete history, cookies and cache regularly / don't save them at all
  • Limit as many permissions as possible
  • Use Containers (Firefox Container)
  • Enable Incognito mode
  • Don't log in to your browser (Firefox Sync/Google Chrome Sync)
  • Deactivate auto-complete
  • Disable automatic downloads
  • Disable password management by your browser
  • Be aware of redirects
  • DoH/DoT each have advantages and disadvantages
  • Disable WebRTC → about:config / Add-on
  • Spoof your user agent → Add-on
  • Protect yourself from CSS exfil attacks → Add-on
  • Protect yourself from Canvas fingerprinting → Add-on
  • Mitigate behavioral analysis by disabling JavaScript → Add-on
  • Check your browser with deviceinfo.me


Sources and more:


Tor Browser
  • Use an obfs4 bridge
  • Set the security level to safest
  • Don't save your history
  • Enable JavaScript only with NoScript
  • Write longer texts only in a text editor and copy them into Tor Browser (because of fingerprinting)
  • Put devices like smartphones in a Faraday cage e.g. a microwave (because of cross-device tracking)
  • Open downloaded files only without internet connection
  • Don't log into accounts over Tor (unless the account was created over Tor)
  • Don't share personal information
  • Don't install Add-ons, plugins or themes
  • Don't click on any unknown .onion links
  • Don't visit HTTP pages
  • Don't change any settings in about:config
  • Never use full screen (best is not to resize)
  • Don't have any other browser open besides Tor
  • Don't torrent
  • Don't use Tor with a VPN unless you know what you are doing
  • → Read more about that here

  • To mitigate correlation attacks: don't use Tor from an obviously monitored network (corporate/governmental network)


Sources and more:


  • Try to use open source Add-ons
  • Remember that more Add-ons make you unique
  • Delete the unnecessary ones


Sources and more:


HTTPS Everywhere (alternatively Smart HTTPS)
  • Enable the option to encrypt all eligible sites
  • → or set dom.security.https_only_mode = true in about:config
  • → or enable HTTPS-Only Mode in Firefox


Cookie AutoDelete
  • Enable automatic cleanup → delay: 3sec
  • Enable cleanup on domain change
  • Clean up cookies from open tabs on startup

uMatrix (alternatively NoScript)
  • Settings → check everything in the Privacy section

NoScript
  • Settings → Default: uncheck frame, fetch and other
  • Options → check "Show domains that don't seem to track your internet activity" and "Also learn in private or incognito windows"

uBlock Origin
  • Enable I am an experienced user
  • Enable Prevent local IP address sharing via WebRTC
  • Turn on block CSP reports
  • Enable block external fonts
  • Enable Disable JavaScript
  • Leave scripts from third-party sites blocked (red)
  • Settings → My Filters → add *$websocket

CSS exfil protection
  • Settings → Always Scan / Always Sanitize (default)

CanvasBlocker
  • Settings → Block mode → block everything

WebRTC Network Limiter (for Chromium-based browsers)
  • Options → Use only my default public IP address

User-Agent Switcher and Manager
  • Set it to Chrome 87 or Chrome 88 on Windows 10 (most common configuration)



Sources and more:


  • Use privacy respecting search engines
  • Try to avoid major search engines like Google, Bing, Yahoo etc.

  • Only visit websites you know and trust
  • Download programs only from the original website
  • Don't ignore the warnings from your browser
  • Don't pirate software
  • Avoid talking to unknown persons on the internet

  • Before you log into a website:

  • Check the URL of the website you visit
  • Check the SSL/TLS certificate

  • Log out of the account if you are done using it
  • Avoid clicking on popup notifications
  • Check the encryption of websites you frequently visit with Qualys SSL Server Test (websites should get A or A+)


Sources and more:


  • Never share personal details (online or offline) that could lead to your online identities
  • Create full online identities with Fake Name Generator if you don't want to do it yourself
  • Store your identities in an encrypted file

  • Categories that are important are:

  • Date of Birth
  • Country of Birth
  • Nationality
  • Country of Residence
  • Address of Residence
  • Languages spoken
  • Friends
  • Occupation (Job Title, University…)
  • Various Interests (Art, Politics, Technology…)
  • Phone number (virtual, or one that you bought anonymously)

  • Pick an occupation as a freelancer or at a large public institution
  • Keep track of the background stories of your Identities
  • Use the same dates and answers everywhere → everything should always match up
  • Adapt your language/writing to the identity (e.g. with a paraphrasing tool)


Sources and more:


  • Use a privacy-friendly email provider / host it yourself
  • Use an email forwarding service like SimpleLogin or AnonAddy / use aliases
  • Use multiple email addresses
  • Keep your email address private
  • → e.g. use one address for your real identity and one for anonymous accounts

  • Don't send sensitive information by email
  • → if you have to: encrypt your email with PGP
  • → if the info is super secret, consider encrypting the email and the content with two different keys

  • Try to send emails between the same secure provider
  • Disable automatic loading of remote content
  • Use SSL/TLS ports
  • Use strong mail protocols (nothing below IMAP4 or POP3)
  • If you don't know the sender don't click on any links
  • → If you have to, check them with urlscan.io
  • Scan attached documents on VirusTotal
  • Always keep in mind that a legit looking email can be a scam
  • Check whether the email domain is the legitimate address


Sources and more:


  • Encrypt files or folders that contain important information
  • Delete unused files
  • Use a file shredder like BleachBit to delete and overwrite files on spinning hard drives
  • Transfer sensitive documents to secure and encrypted devices
  • Don't use your own printer for printing sensitive details (due to printer steganography)
  • Don't blur details since parts can be easily recovered → blacken or fully remove details
  • Delete metadata from documents and EXIF from images


Sources and more:


Images/Exif
Microsoft Office Documents

Sources and more:


  • Don't trust cloud providers with your data
  • Encrypt your data before you upload it


Sources and more:


  • Use 2FA if possible
  • → avoid SMS as a second factor

  • Use an impersonal and unique username
  • Avoid connecting your phone number with a service
  • Delete accounts if you no longer use them
  • Avoid accounts from big data collectors like Amazon, Google, Facebook ...
  • Use all security settings that are given
  • If you need the account only once use a throwaway email address (e.g. 10minutemail)
  • Be aware of scams and phishing
  • Remember to log out if you are done
  • Delete connections with third-parties


Sources and more:


  • Never provide information that can identify you or your location (as much as it is possible)
  • Publish as little information as possible
  • Remove metadata from files you publish
  • Always use different usernames
  • Switch to a private account (e.g. on Instagram)
  • Use given security/privacy settings
  • Don't publish your email address or phone number
  • Don't log into websites with social media accounts
  • Use 2FA for all possible services
  • Try to avoid 3rd-Party integrations
  • Consider giving false information
  • Switch to FOSS social media


Sources and more:


  • Instead of passwords use passphrases
  • Use strong passphrases with 15 characters or more
  • → they should consist of upper and lower case letters, numbers and special characters

  • Use some kind of formula
  • Don’t use 4-digit PINs
  • Avoid using only multiple words (because of dictionary attacks)
  • Don't use the same passphrase for more than one account
  • Change your passphrases only if there was a hack
  • Don't share your passphrases with anyone
  • Don't let websites/apps store passphrases
  • Use hardware tokens
  • Don't use obvious answers for security questions
  • → if you have to: don't answer honestly

  • Avoid password managers that are browser-based
  • → offline password managers

  • Avoid using your password manager to generate OTPs
  • Most secure method: write the passphrases down
  • Check regularly if passphrases are listed on haveibeenpwned.com
  • Store the most important passphrases e.g. for online banking offline or on devices that you rarely use
  • Don't log into accounts on devices that you don't own
  • Sign up for breach alerts if you want
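A check of the passphrase rules above (at least 15 characters; upper- and lower-case letters, digits and special characters; so no 4-digit PIN passes), as an added example that is not part of the original checklist, plus a generator that draws characters from /dev/urandom until a candidate passes the same check. The symbol set and the 20-character default length are assumptions.

```shell
#!/bin/sh
# Added example (not from the checklist): check a passphrase against the rules
# in the list above and generate one that passes. The symbol set and default
# length are assumptions. LC_ALL=C keeps the [A-Z]/[a-z] ranges ASCII-only.
export LC_ALL=C

MIN_LEN=15
SYMBOLS='!@#$%^&*_+=?'

# Return 0 if the passphrase meets every rule; otherwise print each failing
# rule and return 1. The passphrase is passed as an argument and never echoed.
check_passphrase() {
    p=$1; ok=0
    [ "${#p}" -ge "$MIN_LEN" ] || { echo "too short: ${#p} < $MIN_LEN"; ok=1; }
    case "$p" in *[A-Z]*) ;; *) echo "no upper-case letter"; ok=1 ;; esac
    case "$p" in *[a-z]*) ;; *) echo "no lower-case letter"; ok=1 ;; esac
    case "$p" in *[0-9]*) ;; *) echo "no digit"; ok=1 ;; esac
    case "$p" in *[!A-Za-z0-9]*) ;; *) echo "no special character"; ok=1 ;; esac
    return $ok
}

# Generate a random passphrase of the given length (default 20) from letters,
# digits and SYMBOLS, retrying until the candidate satisfies check_passphrase.
generate_passphrase() {
    len=${1:-20}
    while :; do
        cand=$(tr -dc "A-Za-z0-9$SYMBOLS" < /dev/urandom | head -c "$len")
        if check_passphrase "$cand" >/dev/null; then
            echo "$cand"
            return 0
        fi
    done
}
```

Usage: `check_passphrase "$candidate"` prints the rules a candidate misses, and `generate_passphrase 24` prints a 24-character one that passes. The generator only produces random strings; if you prefer a memorable formula as the list suggests, still run the result through `check_passphrase`.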


Sources and more:


  • Use 2FA with all services if you can
  • Don't use SMS as a second factor
  • Try to avoid cloud synced 2FA
  • Use hardware keys like Nitrokey/Yubikey/SoloKey


Sources and more:


  • Use a VPN if you torrent, want to get access to geoblocked content or if you are on a public WiFi
  • Don't use free VPNs
  • Compare VPN providers with Techlore's VPN chart or with the comparison from That One Privacy Guy

  • For strong security the VPN provider should:

  • offer anonymous payment (cash/monero)
  • utilize strong encryption
  • have Open Source clients
  • host their own servers
  • use bare-metal servers
  • use a strong VPN protocol like WireGuard
  • use perfect forward secrecy
  • have a good privacy history
  • have a clear privacy policy

  • Check your public IP and your DNS before and after you connect
  • Check for DNS leaks
  • Check for WebRTC leaks
  • Since IPv6 can leak data, you may want to disable it
  • Look in the settings of your VPN if you can cut off your device from other devices on the same network

  • If you are an advanced user, try to set up your own VPN with a VPS
  • Don't use a VPN with Tor unless you know what you are doing
  • → Read more about that here



Sources and more:


  • Only download from the original website
  • Scan downloads with a virus scanner, VirusTotal or Hybrid Analysis
  • Open unknown files only in a virtual machine or at least without an internet connection


Sources and more:


On Linux:

  • Since viruses are rare on Linux you don't need an antivirus
  • → If you really want one: ClamAV or Hybrid Analysis/VirusTotal

On Windows 10:

  • Windows Defender is enough

On macOS:

  • You don't need one since macOS itself is pretty secure



  • Stay away from free antivirus software since it usually collects lots of data


Sources and more:


  • JustDeleteMe and JustGetMyData can be helpful tools if you don't know where to start
  • Search in your email account for accounts to delete
  • Search your name or email on Google or DuckDuckGo to find accounts or services you signed up for
  • See if you are listed in whitepages → if yes try to delete the records
  • Fake personal information → then delete your account


Sources and more:


  • Use a safe for hard drives, flash drives, etc. and a shredder to destroy sensitive documents
  • Tape over your webcam and use a mic lock for your microphone
  • → or disable both completely

  • Wipe drives before you sell them
  • If you shop online, have the parcel delivered to a forwarding address
  • If you have to leave your device unattended power it off or at least suspend it
  • Avoid regions with many CCTV cameras (like London)
  • Protect your home address
  • Watch out for shoulder surfers while entering passphrases in public


Sources and more:


  • Make sure you don’t keep traces of information about plausible deniability
  • Look for information about you using various search engines to monitor your online identities
  • Don't ever travel with encrypted devices if you have to pass strong border checks or go where they could be illegal or raise suspicion
  • Don't plug USB devices that you don't own into your computer
  • Check the signatures and hashes of Software you download before installing them
  • Don’t talk to anyone about your sensitive activities using your real identity
  • Encrypt everything but don't take it for granted. Remember the $5 wrench
  • Keep plausible deniability as an option but remember it won't help against the $5 wrench
  • Check for tampering regularly (not only your devices but also your home/room)
  • Know and always have the details of a lawyer at your disposal that could help you in case things go wrong


Sources and more:


  • Buy smart devices that respect your privacy (best would be open source)
  • Figure out if your smart devices actually need internet access
  • Give your smart home devices a guest WiFi
  • Try to not link them to your real identity
  • Give the devices unidentifiable names
  • Follow the password advice from above and use 2FA if possible
  • Review privacy settings and opt out of data sharing
  • Disable camera and microphone if you don't use them
  • Keep the devices up to date
  • Only turn them on if you need them
  • Do a Factory reset before you get rid of them


Sources and more:


  • Don't allow your WiFi to auto-connect to networks
  • Don't log into apps on your phone since you can't verify if they are using HTTP or HTTPS
  • Don't use devices containing sensitive data in public networks
  • Avoid sensitive things like banking or logging into your email account
  • Disable file sharing
  • Only visit sites using HTTPS
  • Change your MAC-address before connecting to a network
  • Solution: use a VPN or Tor → not only for your browser but for the whole device
  • To see if it is working check your public IP and your DNS before and after connecting
  • If you use a VPN, see if you can cut your device off from other devices
  • Instead of using a public WiFi you can create a hotspot from your phone for your computer


Sources and more:


  • Update your programs
  • Make backups
  • Check email addresses to see if they are listed on haveibeenpwned.com
  • Virus scans on Windows 10 if you download often
  • Delete temporary data
  • Check for rootkits

  • Don't conduct sensitive activity while connected to an untrusted/insecure power line, to prevent power line leaks
  • Don't use your devices in front of a camera that could be compromised
  • Use your devices in a soundproofed room to prevent sound leaks (ideally one without windows)
  • Use your devices in Faraday cage to prevent electromagnetic leaks
  • Don't talk sensitive information where lightbulbs could be observed from outside
  • Buy your devices from different/unpredictable/offline places (shops) where the probability of them being infected with malware is lower
  • Don't let anyone access your air-gapped computers
  • Trust no one

Sources and more:


1. Inexperienced person

Method → Safety mechanisms

  • Vault Apps
  • Rename file extensions
  • Give folders wrong names
  • Incognito mode
  • Use strong passphrases

2. Law enforcement

Method → Obfuscation

  • Hex Editor
  • Forensic software package
  • Data storage that can be easily replaced
  • Decoy

3. ABC Agent

Method → improper evidence

  • End-to-End Encryption
  • Autopsy
  • SpiderOak
  • Decoy/Burner devices
  • "Monitoring" system
  • Soldered storage media (XIDU)

4. Private Contractor

Method → waste of time


5. Nation state operation

Method → destruction

  • 1. Erase the data on the disk using DBAN
  • 2. Create a VeraCrypt container with SHA-512
  • 3. Destroy the disk (platters, heads and printed circuit board) with a hammer
  • 4. Shred the large pieces into small pieces
  • 5. Burn / melt all parts that have stored data, e.g. with a blowtorch
  • 6. Scatter the first part of the remains widely in rivers / nature and mix the second part into the concrete of a new construction project


Sources and more:


  • Stay calm
  • Delete everything you can from the internet related to that specific identity (accounts, comments …)
  • Delete and destroy everything offline you have related to that identity including the backups (see Antiforensics)
  • Securely erase the laptop hard drive and then ideally proceed to physically destroy the HDD/SSD/laptop and dump it somewhere
  • Do the same with your backups
  • Know what kind of key disclosure laws your country has
  • Contact a lawyer in advance to prepare your case if needed
  • Return to normal and try not to act suspicious

Sources and more:


  • Don’t Panic
  • Try to shut down / hibernate the laptop as soon as possible
  • Contact a lawyer and try to remain silent (if your country allows that)

Sources and more:
